Risk Management Strategy 2014-2017

Appendix 1
London Fire and Emergency Planning Authority | London Fire Brigade
Risk Management Strategy 2014-2017
Our Risk Management Strategy, together with our underpinning risk
management framework and performance management arrangements,
supports the Authority’s aim to make London a safer city, as set out in our
combined integrated risk management plan (IRMP) and corporate plan,
the London Safety Plan. Our vision is supported by six aims which in turn
are underpinned by strategic objectives, commitments and targets that
cover the Authority’s main activities.
Executive summary
This risk management strategy is part of a suite of performance
management documents which show how we intend to shape the work
we do and join our activities together to achieve our aims and objectives
within the London Safety Plan.
This document sets out the way we will continue to manage risk. Its
purpose is to show clearly how we will deal with uncertainty to ensure
continuity of service, support effective decision making, improve
resource efficiency and deliver value for money.
The risk management strategy directly supports all our strategic aims by
making sure that our strategic objectives are met by addressing any risks
that may prevent the successful delivery of those objectives.
This strategy is split into two parts: (1) the foundations and structures
upon which the risk management framework is based; and (2) the areas
of development to continually improve the framework.
What is risk and risk management?
Risk can be defined as the ‘combination of the probability of an event
and its consequences’. Put simply, this is the likelihood and impact of an
event or incident. Typically, this will be the likelihood and impact of a
negative event, however a risk can also be about the likelihood and
impact of a positive (opportunity) event.
Risk management is a process which seeks to identify, evaluate and
manage these risks in a structured way.
Strategic risk management enables the Authority to plan for, anticipate,
manage, and mitigate risks which have the potential to seriously impact
upon the services provided by the organisation. As a fire and rescue
service, many of our activities are naturally underpinned by a range of
hazards, but it is only through the evaluation of the chance or probability
of harm associated with those hazards (i.e. by undertaking a risk
assessment) that we are able to accurately understand the risk they pose.
A robust strategic risk management framework enables the Authority to
take sufficient action, which could involve prevention of significant risks
and/or reduction of the impact of those that do occur, by putting
adequate risk mitigation controls in place.
Risk management context
This is the third Risk Management Strategy produced by the Authority
and provides further development actions in order to secure continual
improvement and delivery of our corporate objectives.
This third strategy has the following top 3 priority outcomes:
1. More intelligent use of existing risk information
2. Accurate, proportionate risk data to inform decision making
3. Challenge the existing risk management structure (and mechanisms)
to ensure it adds value to the Brigade
The action plan to this Strategy details how these priorities will be
delivered.
Section 1 - Risk management framework and structures
Overview
The work of the fire and rescue service is centred on risk based activities.
We remain a unique service dedicated to training our staff to deal with
risk, enabling them to make sound risk based decisions on the incident
ground. However, to assume that all risk is the same; that risk only
threatens the organisation; and that risk is to be eliminated at all costs,
will result in less innovation to develop the performance of LFB both
internally and externally. It is clear that management decisions need to
be made on the basis of good consistent risk information – risk
management is a part of good management overall – and that a sound
understanding of the possible consequences (both positive and
negative) combined with a forecast of the likely outcomes of taking
action should be undertaken.
A wide range of risks occur by accident, mishap or mistake rather than by
design. Many mistakes are not caused by individual error but as a result
of an underlying system failure. This can be an external or internal
system failure leading to undesirable impacts (e.g. breaches of safety,
fraud, and non-delivery of services, etc.). Most worrying would be those
unexpected events that result from a lack of clear policy, deficient
working practices (including those with key suppliers), poorly defined
responsibilities, inadequate communications, or staff working beyond
their competence. The challenge is to reduce, as far as is practicable, the
potential for such events, by being proactive in the management of risk.
The Brigade’s risk management framework is based on the ISO 31000
Risk Management Framework. This sets out the 5 elements required as
follows: (1) mandate and commitment, (2) design of the framework for
managing risk, (3) implementing risk management, (4) monitoring and
review of the framework; and (5) continual improvement of the
framework.
This strategy deals with the mandate and commitment to the risk
management framework (element 1) and the continual improvement of
the framework (element 5).
Elements 2-4 are addressed through the Risk Management Manual
(available for staff on Hotwire), which describes the day to day risk
assessment procedures for managing and monitoring risk.
Mandate and commitment
Our risk management framework is mandated by the Authority and is
designed to support the achievement of the corporate aims. It is based
on the following key commitments:
• There is Corporate Management Board and management
  commitment to, and leadership of, the risk management framework.
• Risk management will support the organisation in achieving its
  corporate, departmental and operational aims and objectives.
• The Brigade will continue to develop its risk management framework
  to include the formal application of the risk management process to
  all areas of its business.
• There is widespread employee participation and consultation in the
  risk management process to ensure that risks are proactively
  identified and managed at every level.
• To create and protect value.
• To address uncertainty and inform decision making.
• To provide for a systematic and structured framework for managing
  risks of all types.
• There are appropriate resources available, including people,
  knowledge and budget.
• Progress against this strategy is monitored, reviewed and reported.
• The strategy is reviewed periodically to ensure it is aligned with the
  objectives and challenges facing the organisation and reflects
  relevant changes in the internal and external contexts (i.e. the
  London Safety Plan).
• To facilitate continual improvement.
The context for the risk management framework
The context for the Brigade’s risk management framework is defined by
external and internal influences. These parameters include everything
from the legal and regulatory requirements that are externally imposed
on the Brigade, through to other less tangible internal factors, such as the
organisation’s culture.
Any changes to the parameters that have been used to define the
Brigade’s risk context must be carefully considered in view of the risk
management framework and, where necessary, prompt a review of this
document.
Roles and responsibilities
Our strategy is to continue to help the organisation broaden its
understanding of risk, from one that has naturally needed to focus on
incident based operational risk, to one that considers all risks to the
brigade as a whole, both corporate and operational, especially those that
may affect the achievement of its strategic objectives.
The roles and responsibilities of individuals and groups to implement the
strategy are as follows:
The Authority – The London Fire and Emergency Planning Authority to
hold the Corporate Management Board accountable for the
effectiveness of risk management by officers.
The Governance Performance and Audit Committee to monitor the
Risk Management Strategy action plan and receive regular updates on
the risk management framework including the risk audit programme and
supporting assurance work.
The Corporate Management Board (Commissioner, Deputy
Commissioner and Directors) own corporate risks and scan for new risks
to the Authority and London. They give a view on the medium to long
term risks facing the Authority and London that might impact on the
service provided, including assumptions in respect of government policy,
financing, business change and partnership working.
The Head of Strategy and Performance to provide a strategic lead on
corporate risk matters for the Authority, and provide support to the
Corporate Management Board. Works closely with internal audit to
ensure our risk framework and risk management are appropriately
audited. Also responsible, where appropriate, for feeding key local risks
into the corporate risk register. Issues guidance and information about
the risk management process.
The Director of Finance and Contractual Services (via the Internal
audit function) may review and report on department and corporate risk
management processes as part of the corporate governance agenda.
Heads of Service are essential to the risk management process, to
champion risk management within their departments, and identify local
risks and maintain local risk registers.
Borough commanders manage risk in their areas, and particularly in
relation to partnership working locally.
Project leads/sponsors identify project specific risks likely to impact on
the successful delivery of project deliverables.
All staff have a responsibility to identify opportunities as well as
hazards/risks in performing their day to day duties and taking
appropriate action to take advantage of opportunities or limit the
likelihood and impact of risks. This includes making their manager aware
of opportunities or hazards/risks identified.
Identifying and managing risks
The Authority will manage risks at four levels – corporate, department,
borough and project as follows:
Corporate
Risks at the corporate level are those which would have a serious and
potentially devastating impact on how we operate. Corporate risks tend
to be those that would be noticeable by the public and would generate
significant media coverage in the event of the risk occurring. Corporate
risks normally impact across the range of our risk impact criteria
(especially reputation) and can include strategy level risks in terms of
decisions made about which direction the organisation should be
following. Controls for corporate risks will normally be cross-cutting and
will be split across a number of departments or business areas. Risk
ownership is required at the highest level (Commissioner, Deputy
Commissioner or Director level) in order to provide the appropriate
leadership, scrutiny and management of the risk.
Department
Risks at the departmental level are those which would have a potentially
serious impact for the department concerned, however the end result of
these risks would not necessarily impact the organisation overall. They
may still be noticeable by other departments and could affect other areas
of work, especially where departments are jointly delivering an initiative,
however the biggest impact of the risk would be felt within the relevant
department. Controls for departmental risks will, in the majority, sit
within the department affected, however a few significant controls may
still be situated in other business areas. Risk ownership at this level is
normally assigned to the Head of Service, however some specific risks
may be assigned to other senior officers especially in specialist subject
areas.
Borough
Risks at the borough level are those which would have a potentially
serious impact on the delivery of the service in that borough, however
the impact of these risks would not necessarily impact the organisation
overall unless several Boroughs were to suffer from the same risk
occurrence (at this point, management of the aftermath of the risk would
fall to the departmental and possibly the corporate level). Controls for
the borough risks will normally sit with either the Borough Commander,
Station Manager or Watch Manager depending on the type of activity
concerned, however some controls may also be delivered centrally such
as policies or management of funds. Risk management tends to be
overseen by the relevant Borough Commander and as such it would be
expected that the Borough Commander would be the risk owner for the
majority of risks. However, in some cases this may be escalated to the
Area Deputy Assistant Commissioner or devolved to a Station Manager.
Project
Project risk management follows the same principles as those defined in
this document and uses the same risk assessment matrix to evaluate
project risks. In most cases project risks remain within the project and are
assigned to a designated member of the project team, but can also be
escalated to either the departmental or the corporate level via the project
sponsor who is responsible for the aggregated project risk.
Section 2 – Areas for development (continual improvement)
Where we are now
The organisation has made significant strides in its understanding and
application of strategic risk management. There is a supporting risk
management framework and a wide range of risk information available,
helping to inform decisions about where the organisation needs to place
resources and manage expectations and pointing to likely sources of
uncertainty in the future. Risk information has been integrated into
performance reporting so that it is considered in the round against aims,
corporate commitments, indicators, targets, projects and budgets.
Culture
The organisation is no newcomer to dealing with risk. Long before the
risk management framework existed, the organisation was well versed in
risk assessment, particularly in the area of dynamic risk decision making
on the incident ground. Having a risk management strategy has helped
deliver continual improvement and commitment to risk management. A
vocabulary of “risk” has been established within the Authority. Very few
discussions now take place without consideration of risk and what
measures there are/need to be in order to manage the area of
uncertainty in the best possible way.
Going forward
The major challenge for strategic risk management for the future is to
make sure that it remains relevant and continues to add value to the
organisation. In acknowledging how far we have come, we must be
careful not to stagnate so that risk management does not merely become
a process for recording our concerns. Risk management is in place to
support the achievement of our objectives. As such, it needs to be
proportionate to the requirements of the organisation and reflect the
resources available.
In gathering our risk information, we must be sure that we concentrate
on the clear priorities for the organisation. Risk management needs to
focus on active risks and threats to the Brigade and not become confused
by the inclusion of peripheral matters. As some of the information has
existed for a long time, we will continue to challenge and revisit these
risks to ensure that the most important priorities are reflected.
Leadership, roles and responsibilities
Risk management is as much about empowerment, supporting
innovation and seizing opportunities through informed decision making
as it is about defending against negative threats and preventing adverse
things from happening.
In order for this empowerment to happen, the risk management
framework requires clear leadership commitment and defined roles and
responsibilities. These responsibilities have been clearly defined in
Section 1 of this strategy.
Making smarter use of available risk information
One of the key developments arising from LSP5 is the commitment to
producing an annual assessment of risk with regards to the incident
profile of London. We will consider whether the annual assessment
could be used to shape our approach to strategic risk management, in
particular, whether operational risk information can be used to inform
decisions about organisational priorities and resource allocation. We will
also consider using the annual assessment of risk to develop our
approach to borough risk registers, and the risk management priorities at
a borough level.
Our business continuity framework is another source of risk information
for the Brigade, and during the lifetime of this strategy, we will
investigate how information and risk assessments made about our key
products and services can be used to inform our corporate risks.
Risk and performance
Risk information has been integrated into the performance management
reporting suite so that risk information can be considered in the round
against other performance indicators. We will continue the integration of
risk management into normal business operations so that there is a
greater understanding of how risk management supports the
achievement of corporate objectives in the round.
We will also investigate how to strengthen the link between risk
management activity, risk information and decision making to ensure the
effective delivery of services which are efficient.
We will look to improve the quality of the collation and recording of risk
information and include the development of risk information as part of
the wider Information Strategy. We will continue to raise awareness of
the risk information that is available to support performance
management.
Risk appetite
The organisation adopted an approach to risk appetite in 2010, setting
out a statement of its risk appetite. Although risk management remains a
largely subjective judgement (tempered by experience, expert opinion
and wider consensus), risk appetite provides the means to assess
whether the organisation (and component parts) are operating within
acceptable limits. In line with other public sector organisations, the risk
appetite of the Brigade can be summarised as being low to low-medium.
The Authority’s risk appetite statement is set out as an annex to this
strategy.
A standard risk tolerance threshold has been set for corporate risks and
the departments, with some selecting a higher or lower risk tolerance
limit depending upon their specific risk exposure.
This enables the Authority to produce corporate and department risk
profiles to assess the risk management priorities for the Brigade. Where
performance is said to be within the threshold, a business case for taking
on more risk (through assessment of desirable outcomes) can be made.
Where performance is said to be outside the threshold, risk management
prioritisation measures can be taken (e.g. relocation of staff, funding or
expertise) to manage the risk back to within acceptable limits or options
can be considered as to whether the risk can be transferred, terminated
or tolerated at its current rating. Where organisational performance as a
whole exceeds the risk tolerance limit, consideration will be given to
providing a full stop on further change activity which may introduce
more risk into the organisation.
Both the risk appetite and risk profile of the organisation will be regularly
monitored by the Corporate Management Board through performance
reports and formally reviewed on an exceptions basis to check that the
risk appetite remains appropriate to deliver the organisation’s objectives
in light of internal and external drivers, events and constraints.
Risk awareness
In order to continue the development and application of risk
management, staff need to be exposed to good practice. We will
continue to achieve this through a variety of communication methods
including corporate publications, the intranet site (Hotwire), the use of
information management (borough) days, and other existing forums
such as regular departmental and borough meetings to improve risk
management.
Governance and reporting
Governance and risk management are strongly linked. The risk
management framework identifies the key controls that are integral to
our governance processes.
The Governance, Performance and Audit Committee and Corporate
Management Board (CMB) will receive timely and regular reports, as
appropriate, to monitor the effectiveness of the system of risk
management so that assurance is given regarding the identification of the
most prominent risks and associated status (and progress) of control
measures. Where necessary, departmental risk information will be
escalated to CMB for decision as to whether the status of a risk needs to
be elevated to a strategic one. The strategic risk team will also continue
to review risk information to ensure it is relevant and is useful to meet the
needs of the organisation.
Projects and positive risk
Project management provides the structure and process for positive risk
management to take place and the strategic risk team has worked closely
with the Project Management Office (PMO) to ensure that risk
assessments for projects are in line with the corporate standard. The
PMO provides the best practical application of a positive risk tool and we
will continue to work closely with the PMO on risk matters through the
lifetime of this strategy.
Areas for improvement
Since the last strategy, the risk management framework has undergone
an internal audit. The results of the audit were positive with substantial
assurance given to the framework. The audit also put forward
recommendations to further strengthen the framework. These
recommendations related to:
• Providing quality assurance and health checks
• Updating the risk management strategy and issuing a policy
• Outlining risk management responsibilities
• Linking risk information
These areas for improvement will be pursued as part of this strategy.
We will also implement the recommendations of a recent internal review
of business management processes which focussed on proportionality
and on reducing production and monitoring burdens. This will include
exploring the current structure for the risk management framework, and
investigating whether moving to a structure of risks to reflect the
‘governance’ required for each (e.g. whether managed corporately,
departmentally, or at borough, station or team level) would better aid
our understanding and management of risk.
External links
We will continue to work with others to develop our own thinking and
application behind risk management. This will include working with our
appointed risk contractors.
Where it is deemed beneficial for the profile of the London Fire Brigade
then we will seek to network and obtain membership of relevant
professional bodies to further understanding of risk management in the
fire service and across the public sector.
We will continue to work with specialist groups to help raise the standard
of risk management in our own sector. We will also contribute to the
ALARM and the Fire Special Interest Group as appropriate.
Annex to the Risk Management Strategy 2014/2017
Risk Appetite Statement 2014-2017
Risk appetite
Risk appetite is the amount of risk that we are prepared to tolerate in
order to meet our objectives and reflects our attitude towards risk taking
as an organisation.
Purpose of the statement
This statement sets out the thinking and guidelines behind our risk
appetite and the boundaries on the amount of risk that can be accepted
within the organisation. It should be read alongside the Risk
Management Strategy.
Risk appetite is formally applied at two levels within the organisation: the
corporate level and the departmental level.
The corporate level
At a corporate level, the summary corporate risk profile defines the risk
appetite threshold for the organisation as a whole.
The summary corporate risk profile
The summary corporate risk profile is plotted on the standard risk
threshold. The standard risk threshold is shown below and the threshold,
represented by a thick black line, allows all green risks, and amber level
risks that are unlikely (2x3) and/or significant (3x2), to be within
acceptable limits.
[Figure: standard risk threshold matrix. Likelihood (vertical axis): Very
Unlikely 1, Unlikely 2, Likely 3, Very Likely 4. Impact (horizontal axis):
Minor 1, Significant 2, Major 3, Catastrophic 4. The thick black line marks
the acceptable-limit threshold.]
LFB’s risk appetite can be described as low to low-medium. Informed risk
taking is permitted provided that the overall risk ratio does not exceed
nine per cent of the threshold set for the specific business area (e.g.
corporate or departmental).
Risks that are rated as very likely and catastrophic (4x4), very likely and
major (4x3), likely and catastrophic (3x4) or unlikely and catastrophic
(2x4) will still be deemed to be outside acceptable limits, even if they are
within the nine per cent ratio. These risks will be subject to extra scrutiny
to check that the rating is correct, whether the activity can be pursued
and what immediate management action can be taken to bring the risk to
within more acceptable limits.
The departmental level
At a departmental level, the risk threshold has been determined through
consultation with the Head of Service and compared to the standard risk
threshold.
All departments have agreed that the standard risk threshold provides an
appropriate risk appetite for the departmental risk exposure, with the
following exceptions:
• Information and Communications Technology (ICT) – ICT has
  selected a higher risk threshold than the standard risk threshold in
  that risks rated as very unlikely and catastrophic (1x4) will be deemed
  to be within acceptable limits. This is based on the knowledge that
  any ICT outage can impact the Brigade to a considerable extent –
  however provided the likelihood assessment is correct (i.e. Very
  Unlikely), then the risk can be tolerated.
• Procurement – Procurement has selected a lower risk threshold than
  the standard risk threshold in that risks that are deemed to be
  unlikely and major (2x3) will be deemed to be outside acceptable
  limits. This is based on the regulation of procurement and contract
  management work in particular, and the fact that major impacts could
  breach statutory requirements and would be beyond the acceptable
  risk appetite level for the department.
• Operations and Mobilising – Mobilising Section – Mobilising has
  selected a lower risk threshold than the standard risk threshold in
  that risks that are deemed to be likely and significant (3x2) will be
  deemed to be outside acceptable limits. Owing to the critical nature
  of the service to the Brigade, a lower likelihood acceptance level has
  been set for this section.
Tolerance levels
The following tolerance levels have been set to determine whether the
risk profile of the corporate risks or a department is performing within
acceptable threshold limits:
• 0 per cent of risks above the threshold – Amber status – the risk
  profile is low. Risk ratings should be scrutinised and departmental
  practices reviewed to ensure that risks are not being over controlled.
• Between 1-9 per cent of risks above the threshold – Green status –
  the risk profile is within acceptable limits.
• Between 10-24 per cent of risks above the threshold – Amber
  status – the risk profile is exceeding acceptable limits.
• Over 25 per cent of risks above the threshold – Red status – the risk
  profile is too high. Risk ratings should be scrutinised to ensure that
  risks are not inflated in terms of likelihood and/or impact.
Monitoring
Risk thresholds will be monitored by Strategy and Performance and
reported to Performance CMB. Scrutiny will focus on areas where risks
have exceeded thresholds in excess of a tolerance of 25 per cent or
where risk profiles have remained static for an extended period of time
(generally longer than six months), and the reasons why. In the event
that a risk (corporate level) or department has exceeded the risk appetite
level agreed, it is expected that the principles of “Exceptions to Risk
Appetite Levels” will have been followed as set out below.
Additionally, as described above, risks that are rated as very likely and
catastrophic (4x4), very likely and major (4x3) or likely and catastrophic
(3x4) will still be deemed to be outside acceptable limits, even if they are
within the nine per cent. These risks will be subject to extra scrutiny to
check that the rating is correct, whether the activity can be pursued and
what immediate management action can be taken to bring the risk to
within more acceptable limits.
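As an added illustration that is not part of the Authority's statement, the following Python encodes the standard threshold, the three departmental variations and the tolerance bands above, so that a risk register can be scored the same way each time. The colour of matrix cells the statement does not name, whole-per-cent rounding and the treatment of exactly 25 per cent are assumptions flagged in the code; the sample register is constructed.

```python
"""Risk appetite threshold checks modelled on the Risk Appetite Statement.

A risk is a cell (likelihood, impact), written LxI as in the statement:
likelihood 1-4 = Very Unlikely..Very Likely, impact 1-4 = Minor..Catastrophic.
"""
from __future__ import annotations

from typing import Dict, FrozenSet, Iterable, List, Tuple

Cell = Tuple[int, int]  # (likelihood, impact)

LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Likely", 4: "Very Likely"}
IMPACT = {1: "Minor", 2: "Significant", 3: "Major", 4: "Catastrophic"}

# Standard threshold (the thick black line). The statement names 2x3 and 3x2
# as the amber cells inside the line and, via the ICT exception, shows that
# 1x4 lies outside it. ASSUMPTION: the remaining green cells are taken to be
# every cell with likelihood x impact <= 4 other than 1x4; the page does not
# list them, so adjust this set to the Brigade's published matrix.
STANDARD_ACCEPTABLE: FrozenSet[Cell] = frozenset(
    {(l, i) for l in range(1, 5) for i in range(1, 5)
     if l * i <= 4 and (l, i) != (1, 4)}
    | {(2, 3), (3, 2)}
)

# Cells that stay outside acceptable limits even when the profile is within
# the nine per cent ratio (corporate-level list; the Monitoring section
# repeats it without 2x4).
ALWAYS_OUTSIDE: FrozenSet[Cell] = frozenset({(4, 4), (4, 3), (3, 4), (2, 4)})

# Departmental variations from the standard threshold, as stated.
DEPARTMENT_THRESHOLDS: Dict[str, FrozenSet[Cell]] = {
    "standard": STANDARD_ACCEPTABLE,
    "ICT": STANDARD_ACCEPTABLE | {(1, 4)},          # higher: tolerates 1x4
    "Procurement": STANDARD_ACCEPTABLE - {(2, 3)},  # lower: 2x3 now outside
    "Mobilising": STANDARD_ACCEPTABLE - {(3, 2)},   # lower: 3x2 now outside
}


def _check_cell(cell: Cell) -> None:
    likelihood, impact = cell
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"cell must be 1-4 x 1-4, got {likelihood}x{impact}")


def within_threshold(cell: Cell, department: str = "standard") -> bool:
    """True if the cell sits inside the threshold agreed for the department."""
    _check_cell(cell)
    return cell in DEPARTMENT_THRESHOLDS[department]


def profile_status(register: Iterable[Cell],
                   department: str = "standard") -> Tuple[int, str]:
    """Score a risk register against the tolerance bands.

    Returns (per cent of risks above the threshold, RAG status). ASSUMPTIONS:
    the percentage is rounded to a whole per cent, and exactly 25 per cent is
    treated as Red (the statement gives 10-24 Amber and 'over 25' Red).
    """
    cells = list(register)
    if not cells:
        raise ValueError("register is empty")
    above = sum(1 for c in cells if not within_threshold(c, department))
    pct = round(100 * above / len(cells))
    if pct == 0:
        status = "Amber"   # profile is low: check risks are not over controlled
    elif pct <= 9:
        status = "Green"   # within acceptable limits
    elif pct <= 24:
        status = "Amber"   # exceeding acceptable limits
    else:
        status = "Red"     # too high: check ratings are not inflated
    return pct, status


def needs_extra_scrutiny(register: Iterable[Cell]) -> List[Cell]:
    """Cells that must be re-examined regardless of the overall ratio."""
    return sorted(c for c in register if c in ALWAYS_OUTSIDE)


def label(cell: Cell) -> str:
    return f"{cell[0]}x{cell[1]} ({LIKELIHOOD[cell[0]]}, {IMPACT[cell[1]]})"


# Constructed sample register of 20 departmental risks (not real LFB data).
SAMPLE_REGISTER: List[Cell] = [
    (1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (2, 3), (3, 1), (3, 2), (4, 1), (1, 4),
    (2, 2), (2, 1), (1, 1), (3, 1), (2, 3), (3, 2), (1, 3), (2, 2), (3, 3), (1, 2),
]

if __name__ == "__main__":
    for dept in DEPARTMENT_THRESHOLDS:
        pct, status = profile_status(SAMPLE_REGISTER, dept)
        print(f"{dept:12s} {pct:3d}% above threshold -> {status}")
    for cell in needs_extra_scrutiny(SAMPLE_REGISTER + [(3, 4)]):
        print("extra scrutiny:", label(cell))
```

The same register scores Amber under the standard line but Green for ICT, because the single 1x4 risk falls inside ICT's higher threshold.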
Risk examples – beyond tolerance
Risk appetite can be a difficult concept to apply and is sometimes seen to
have theoretical rather than practical application. In order to help with
understanding as to what risk appetite looks like in practice, the following
provides examples of risks which the Brigade would not tolerate.
Risk impact category/type | Risk would not be tolerated where:
Political | the brigade is directly associated with extremist, hate speech or discriminatory beliefs
Economic | the brigade’s financial stability is compromised; investment or capital outlay exceeds delegated authority limits
Safety and Wellbeing | there is a significant increase in the potential for injury or death; the wellbeing of any staff group is seriously compromised
Environmental | the Brigade’s activities cause irreparable harm to the environment; the long term sustainable development of the Brigade is compromised
Legal | the Brigade breaches its statutory responsibilities; Brigade activities are deemed to be unlawful
Operations | operational practices threaten community safety; resilience assets are compromised
Systems | core ICT systems/equipment are compromised, targeted or unavailable
Opportunity | the pursuit of the opportunity leads to unsustainable or unacceptable long term impacts
Reputation | the Brigade’s standing in the community or with partners is significantly compromised in the long term
The above table is not exhaustive and has been based on the impact
categories used by the Brigade. It is provided for reference and as a
guide to indicate where further risk management action (which includes
the termination of the activity) may need to take place to prevent impacts
which are beyond the Brigade’s tolerance levels.
Exceptions to the risk appetite levels
This statement outlines the approach taken to define risk appetite and
the current accepted levels of risk that will be tolerated at the corporate
and departmental level. Variations from the risk thresholds are not to be
actively encouraged as the risk appetite statement provides the grounds
for consistency and assurance.
However, there are times when the risk thresholds may need to be
exceeded by more than the agreed tolerance figure on an extraordinary
basis in order to achieve a desired outcome. This may be particularly
relevant in the event of a business continuity incident. Should such an
incident occur, the Continuity Management Team will set out the
extraordinary risk tolerance parameters required in order to resolve the
incident. There will be a post-incident debrief of the decisions made and
this will be reported to Corporate Management Board to determine if the
response and risk levels tolerated were correct in order to provide
lessons learnt for future events.
In all other circumstances (i.e. non-emergency), the following criteria will
apply for applications to exceed the tolerances for risk thresholds:
• Where proposed changes to a corporate risk mean that the corporate
  risk threshold tolerance level is exceeded (i.e. above 25 per cent),
  the Head of Strategy and Performance will alert both the risk owner
  and the Board. In considering whether to accept the higher risk
  status, the Board must consider compliance with risk thresholds
  across the organisation as a whole and acceptance of the exceeded
  risk level should only be accepted if the risk assessment indicates that
  the majority of impact categories for the corporate risk are within
  their acceptable limits (i.e. minor or significant only).
• Where a change to a departmental risk profile exceeds the risk
  threshold for that department, the Head of Service should escalate
  the matter to both their Director and the Head of Strategy and
  Performance. Where it is agreed that the evaluation of the risk profile
  is correct, the change should be presented to the next Performance
  CMB (or CMB meeting, whichever is sooner) so that a decision upon
  whether to tolerate the exception can be made. In considering
  whether to accept the higher risk status, the Board must consider the
  potential impacts of the risk and the risk profile of the organisation as
  a whole.
• Any changes (temporary or permanent) to the risk thresholds must
  be agreed with the Board and reported back to the Head of Strategy
  and Performance so that the appropriate controls and changes to
  reporting levels can be made.
Risk appetite review/refresh
Risk appetite will be reviewed on an exceptions basis to check that the
risk thresholds in place are appropriate. In reviewing the risk thresholds,
consideration will be given to a number of factors, including, but not
limited to:
• Availability of capacity to manage new risks, and the cost
  effectiveness of the risk management;
• Occurrences of high level (red) risks within the past 12 months;
• Breaches of current risk thresholds in the past 12 months and the
  reasons why;
• Review of the control environment including results from external
  and internal audits and inspections and the levels of assurance
  obtained from these;
• Changes to the way the service operates; and
• Changes due to political policy and initiatives.
Any changes arising from the review of thresholds will be submitted to
the Corporate Management Board for approval.
Action Plan to support the Risk Management Strategy 2014/2017
(Columns: Strategy Commitment; Action/Task; Expected outcome and action deadline)

1. Making smarter use of available risk information

Strategy Commitment (1a) – We will consider whether the new ‘annual assessment of risk’ (which will be reported to the Strategy Committee) can inform our approach to strategic risk management and risk management priorities at a borough and/or corporate level, and to potentially explore a stronger link between strategic risk management and integrated risk management planning.
Action/Task: Review output of annual assessment of risk when available (expected by March 2015).
Expected outcome and action deadline: Up to date information relating to risk in London. By end of March 2015.
Action/Task: Assess extent of relationships between annual assessment of risk and strategic risk management framework and agree benefits and possible extent of forging stronger links between the two areas.
Expected outcome and action deadline: Report back to GPAC through the regular risk monitoring report with recommended actions. By end of June 2015.

Strategy Commitment (1b) – We will strive to make better links between the business continuity framework and strategic risk framework, including investigating how information about key products and services can be used to inform our corporate risks.
Action/Task: Review the eight key products and services in the corporate business continuity plan to test their criticality and the extent to which they relate to the corporate risks.
Expected outcome and action deadline: Confirmation/revision of key products and services. By end of June 2015.
Action/Task: Assess the critical activities that support the (revised) key products and services.
Expected outcome and action deadline: Updated critical activities that support key products and services. By end of October 2015.
Action/Task: Introduce/amend risks to ensure that any gaps in the Brigade’s continuity arrangements are managed (to include further actions in departmental plans).
Expected outcome and action deadline: Supporting risks (and control measures) / activities to support achievement of critical activities. By end of March 2016.

2. Risk and Performance

Strategy Commitment (2a) – We will continue the integration of risk management into normal business operations so that there is a greater understanding of how risk management supports achievement of corporate aims and objectives.
Action/Task: Analyse impacts of risks (corporate/departmental) against each corporate aim to ensure all controls are appropriately identified.
Expected outcome and action deadline: Assessment of how far the strategic risk management framework supports the corporate aims/objectives. By end of March 2016.
Action/Task: Assess the alignment of corporate, department, borough and project risks so that there is consistency of assessment.
Expected outcome and action deadline: Consistency of assessment between the different risk levels and agreed management action plan to address risks. By end of August 2016.
Action/Task: Ensure relationships between risks, plans and performance indicators are understood and applied at the departmental level through workshops, awareness sessions and supporting advice.
Expected outcome and action deadline: Streamlined performance management practices. By end of March 2017.

Strategy Commitment (2b) – We will investigate how to strengthen the link between risk management activity, risk information and decision making to ensure the effective delivery of services which are efficient.
Action/Task: Re-assess the Brigade’s risk management maturity against the ALARM model and agree the required maturity level to ensure effective decision making processes taking account of risk.
Expected outcome and action deadline: Defined actions to meet required maturity level. By end of March 2016.
Action/Task: Review how we collate evidence of risk management activity (and report on it) to further improve risk management processes and effective delivery of services.
Expected outcome and action deadline: Strengthened audit trail between risk management activity and effective service delivery. By end of August 2016.

Strategy Commitment (2c) – We will look to ensure our processes encourage the capture of current material risks to the Brigade.
Action/Task: Conduct face to face workshops with leading risk officers to challenge and improve their understanding of risk.
Expected outcome and action deadline: Annual workshop programme – focussed on the right risks. Core business to run through to March 2017.

Strategy Commitment (2d) – We will include the development of risk information as part of the wider Information Strategy.
Action/Task: Ensure that strategic risk information is given the same status and data quality focus as other Brigade performance information and include this in the revised Information Strategy.
Expected outcome and action deadline: Confidence in risk assessments – reduced subjectivity in strategic risk information. Core business to run through to March 2017.

3. Projects and positive risk

Strategy Commitment (3a) – We will ensure that risk matters arising from projects are managed in line with the risk management framework and that positive risk opportunities continue to be pursued through the agreed project management framework.
Action/Task: Develop regular review meeting with the project management office to ensure consistency of risk assessment across projects and departments.
Expected outcome and action deadline: Improved links between PMO and risk management framework and the escalation/de-escalation of risks. By December 2014.
Action/Task: Obtain overview of project risks and assess whether they are adequately reflected in the corporate risk register.
Expected outcome and action deadline: Consistency of assessment between project and corporate risks. By end of March 2015.

4. Areas for improvement

Strategy Commitment (4a) – We will deliver the agreed recommendations from the internal audit review of the risk management framework conducted in 2014.
Action/Task: Undertake quality assurance checks with clear guidance on identifying, assessing and monitoring risks appropriately at a departmental level.
Expected outcome and action deadline: See action 2(c) – Review already undertaken for 2014/15 – to form part of core business. Core business to run through to March 2017.
Action/Task: Publish and implement a Risk Management Policy.
Expected outcome and action deadline: Manual already issued – Supporting policy to provide procedural detail behind risk management strategy. By December 2014.
Action/Task: Monitor target implementation dates to determine, assess and track whether progress against the strategy is achieved.
Expected outcome and action deadline: Report to Governance, Performance and Audit Committee. By December 2014 (and thereafter for lifetime of strategy).
Action/Task: Consider the skills required by staff and further development of risk management awareness in the context of a published Risk Management Policy so that all staff are made aware of their risk management responsibilities.
Expected outcome and action deadline: Risk management training needs analysis. By December 2014.
Action/Task: Consider the best method for linking risks and associated controls with department planning.
Expected outcome and action deadline: Risk control measures in departmental action plans. By March 2015.

Strategy Commitment (4b) – We will explore the current structure for our risks and investigate whether to adopt a governance level approach similar to that for projects.
Action/Task: Use the outputs from the risk maturity reassessment (see 2b above) to determine whether the current risk governance model is the most appropriate.
Expected outcome and action deadline: Report on effectiveness of current arrangements to GPAC through the regular risk monitoring update. By March 2016.
Action/Task: Explore the potential for moving to an A, B, C governance risk model (like the project management office) and the advantages and disadvantages of this, compared to the existing corporate, department, borough and project model.
Expected outcome and action deadline: Implementation of new risk model or affirmation of current model as most appropriate for the Authority. By March 2017.