RISK MANAGEMENT AND BUSINESS CONTINUITY ANNUAL REPORT

Transcription

1 Agenda Item No. 8 EECUTIVE - 30 JUNE 2016 RISK MANAGEMENT AND BUSINESS CONTINUITY ANNUAL REPORT Executive Summary Risk Management and Business Continuity Management are the two main disciplines through which the Council identifies, manages and mitigates its business and operational risks. An annual report is submitted to the Executive to outline any activities or issues that have occurred. Risk Management is the process whereby the organisation methodically identifies and manages the threats and opportunities that might exist within a Council activity. Business Continuity sets out to enhance the strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level. Since the last annual report all business area risk registers have been reviewed and updated. Corporate strategic risks have also been reviewed and updated by CMG. The risks that have been identified have been logged, owners have been allocated and progress to mitigate each risk has been recorded. The Council adopted a Business Continuity Management Strategy and Policy in 2006 and it has been in place ever since. The 2015 Risk Management and Business Continuity Report to the Executive outlined the need for a full review of our existing strategy to ensure that it remains as fit for purpose as possible. Work is currently underway to review Business Continuity with a planned completion date of September Work to date includes the completion of a Business Continuity Gap Analysis, the review and update of the Council s Business Continuity Strategy and the undertaking of a Council wide Business Impact Analysis to identify the Council s critical activities. Once the critical activities have been identified the next step will be to plan in detail how each scenario could be managed. Reasons for Decision The continuous development of the Council s Risk Management Strategy and Business Continuity Management Plan is essential to ensure the security of services to citizens. Recommendations The Executive is requested to: RESOLVE That the report be noted and that Risk Management processes remain sound and that work is ongoing to update Business Continuity arrangements within the Council. The Executive has authority to determine the above recommendations. 1 EE16-058

2 Background Papers: None. Sustainability Impact Assessment Equalities Impact Assessment Reporting Person: Mark Rolt, Strategic Director Ext. 3002, E Mail: Mark.Rolt@woking.gov.uk Contact Persons: Pino Mastromarco, Senior Policy Officer Ext. 3464, E Mail: Pino.Mastromarco@woking.gov.uk Portfolio Holder: Cllr John Kingsbury E Mail: cllrjohn.kingsbury@woking.gov.uk Shadow Portfolio Holder: Cllr Will Forster E Mail:cllrwill.forster@woking.gov.uk Date Published: 24 June

3 1.0 Introduction 1.1 The purpose of this report is to provide Members with an update on Risk Management and Business Continuity Management arrangements that are in place within the Council. The status of both of these functions are reported on an annual basis. 1.2 The Risk Management and Business Continuity Strategies provide the framework through which the Council identifies, manages and mitigates its business and operational risks. The key elements of this framework are designed to: ensure that Risk Management and the adoption of Business Continuity becomes part of the culture of the whole organisation; manage risk in accordance with best practice; prevent injury and damage and reduce the cost of risk; consider legal compliance as a minimum standard; and anticipate and respond to changing social, economic, environmental and legislative requirements. 1.3 Risk Management is the process whereby the organisation methodically identifies and manages the threats and opportunities that might exist within a Council activity. Business Continuity sets out to enhance the strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level. 1.4 Risk Management and Business Continuity Planning are not one off activities. They are part of a continuous process that runs throughout the Council s activities, taking into account all aspects such as projects as well as day to day work that is undertaken. It must be integrated into the culture of the Council with an effective strategy and led from the top. 1.5 The functional responsibility for corporate Risk Management and Business Continuity planning rests with the Corporate Management Group (CMG) and the Business Improvement Team is accountable for overall delivery and review. All Senor Managers are responsible, with guidance and support from Business Improvement, for ensuring appropriate risk management and business continuity arrangements are deployed in their functions, services and areas of responsibility. 2.0 Risk Management 2.1 Risk can be defined as the combination of the probability of an event and its consequences. In any organisation there is the potential for events and consequences that either provides opportunities for benefits or threats to success. Risk Management is more than just Health and Safety or insurable risks it includes, amongst other things, political and management risk, financial exposure and reputation. 2.2 Over the past year all business area risk registers have been reviewed and updated in conjunction with Business Improvement and Senior Managers. Corporate Strategic Risks have also been reviewed and updated by CMG. 2.3 Both Business Area and Corporate Strategic Risks are reviewed and updated on a 6 monthly basis by Senior Managers and CMG respectively. 3

4 3.0 Business Continuity 3.1 The Council adopted a Business Continuity Management Strategy and Policy in 2006 and it has been in place ever since. The 2015 Risk Management and Business Continuity Report to the Executive outlined the need for a full review of our existing strategy to ensure that it remains as fit for purpose as possible. 3.2 Work is currently underway to review Business Continuity. Work to date includes: 1. Business Continuity Gap Analysis: In preparation for the full Business Continuity Review, a Gap Analysis was undertaken to establish the existing state of Business Continuity arrangements within the Council. The Analysis highlighted the need to strengthen a number of different areas in the Council which impact on Business Continuity, including internal/external communication procedures as well as some areas of ICT resilience. 2. The review and update of the Council s Business Continuity Strategy: The purpose of this document is to set the scene for Business Continuity and to provide the overall framework for its application. The Business Continuity Strategy will assist the organisation to be able to define an incident response structure that will enable an effective response and recovery from disruptions. A draft strategy has been developed and will be submitted for adoption in due course. 3. Business Impact Analysis (BIA): The purpose of BIA is to make informed decisions around which of the Council s critical activities need to be recovered and in what order. Business Improvement has met with a number of officers from across the Council to undertake a BIA of all Council functions. The process has involved the mapping and scoring of each function to determine the critical areas, and the identification of the personnel, equipment and systems that are required to run each activity. This process will be completed by the end of June at which point the analysis will be submitted to CMG for comment and validation. 4. Development of the Critical Activity Action Cards: Once the Critical Activities have been identified through the BIA, we then need to plan in more detail how each scenario could be managed. Every Critical Activity will have an associated Action Card that will list what steps need to be taken to get a service up and running again and who should be involved in tackling the issue. 3.3 Any incident, large or small, whether it is natural, accidental or deliberate, can cause major disruption to our organisation. But if we plan now, rather than waiting for it to happen, we will be able to get back to business in the quickest possible time. 3.4 It is anticipated that the review of Business Continuity and the completion of steps 1 to 4 listed above will be finished by September Once done, the revised approach will be presented to a future meeting of the Executive for review and formal adoption. 4.0 Conclusions 4.1 The application of risk management and business continuity management remains a priority for the Council. Risk management, having been reviewed and updated recently is considered to be sound and will continue to be implemented as per the Risk Management Strategy throughout the coming year. Business Continuity Management is in need of an update and work on this has begun. This review will also provide the opportunity to further align risk and business continuity principles with emergency planning, to ensure that the Council can achieve a robust and joined up approach in all of these areas for the future. 4

5 5.0 Implications Financial 5.1 None arising specifically from the report but any proposals to further improve or enhance resilience may have cost implications and these would be identified in any such proposal. Human Resource/Training and Development 5.2 Work continues to make staff aware of the arrangements and train those with specific responsibilities. This will be an on-going requirement to reflect staff turnover and changes. Community Safety 5.3 There are no specific environmental or sustainability issues arising as a consequence of this report. Business continuity is a key contributor to community safety in ensuring critical services are maintained but there are no issues arising specifically from this report. Risk Management 5.4 As outlined in the report. Sustainability 5.5 None arising from the report. Equalities 5.6 None arising from the report. 6.0 Consultations 6.1 None. REPORT ENDS EE

6 6

7 Eliminate discriminatio n Advance equality Good relations Equality Impact Assessment The purpose of this assessment is to improve the work of the Council by making sure that it does not discriminate against any individual or group and that, where possible, it promotes equality. The Council has a legal duty to comply with equalities legislation and this template enables you to consider the impact (positive or negative) a strategy, policy, project or service may have upon the protected groups. Positive impact? Negative impact? No specific impact What will the impact be? If the impact is negative how can it be mitigated? (action) THIS SECTION NEEDS TO BE COMPLETED AS EVIDENCE OF WHAT THE POSITIVE IMPACT IS OR WHAT ACTIONS ARE BEING TAKEN TO MITIGATE ANY NEGATIVE IMPACTS Gender Men This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific Women impacts. Gender Reassignment Race White Mixed/Multiple ethnic groups Asian/Asian British Black/African/Caribbean/ Black British Gypsies / travellers Other ethnic group This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts. 7

8 Eliminate discriminatio n Advance equality Good relations Positive impact? Negative impact? No specific impact What will the impact be? If the impact is negative how can it be mitigated? (action) THIS SECTION NEEDS TO BE COMPLETED AS EVIDENCE OF WHAT THE POSITIVE IMPACT IS OR WHAT ACTIONS ARE BEING TAKEN TO MITIGATE ANY NEGATIVE IMPACTS Disability Physical This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific Sensory impacts. Learning Difficulties Sexual Orientation Age Religion or Belief Mental Health Lesbian, gay men, bisexual Older people (50+) Younger people (16-25) Faith Groups Pregnancy & maternity This report relates to a review of the last year and covers Marriage & Civil Partnership generic activities of the Council, therefore there are no specific impacts. Socio-economic Background The purpose of the Equality Impact Assessment is to improve the work of the Council by making sure it does not discriminate against any individual or group and that, where possible, it promotes equality. The assessment is quick and straightforward to undertake but it is an important step to make sure that individuals and teams think carefully about the likely impact of their work on people in Woking and take action to improve strategies, policies, services and projects, where appropriate. Further details and guidance on completing the form are available. 8

9 Sustainability Impact Assessment Officers preparing a committee report are required to complete a Sustainability Impact Assessment. Sustainability is one of the Council s cross-cutting themes and the Council has made a corporate commitment to address the social, economic and environmental effects of activities across Business Units. The purpose of this Impact Assessment is to record any positive or negative impacts this decision, project or programme is likely to have on each of the Council s Sustainability Themes. For assistance with completing the Impact Assessment, please refer to the instructions below. Further details and guidance on completing the form are available. Theme (Potential impacts of the project) Use of energy, water, minerals and materials Waste generation / sustainable waste management Pollution to air, land and water Factors that contribute to Climate Change Protection of and access to the natural environment Travel choices that do not rely on the car A strong, diverse and sustainable local economy Meet local needs locally Opportunities for education and information Provision of appropriate and sustainable housing Personal safety and reduced fear of crime Equality in health and good health Access to cultural and leisure facilities Social inclusion / engage and consult communities Equal opportunities for the whole community Contribute to Woking s pride of place Positive Impact Negative Impact No specific impact What will the impact be? If the impact is negative, how can it be mitigated? (action) This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts. 9