RISK MANAGEMENT AND BUSINESS CONTINUITY ANNUAL REPORT


Agenda Item No. 7

EXECUTIVE - 19 JUNE 2014

RISK MANAGEMENT AND BUSINESS CONTINUITY ANNUAL REPORT

Executive Summary

In 2004, the Council adopted a Risk Management Strategy and an action plan for implementation. Within the plan it was agreed that an annual report would be produced for the Executive, detailing progress on implementation.

Progress on the action plan has been good, with the majority of areas complete, although risk management and the strategy itself are continuously reviewed as risks, responsibilities and external factors are constantly changing.

Work continues to ensure risk management is embedded in the day-to-day operations of the Council; for example, it is considered within committee reports, project management and the service planning process.

Risks can never be eliminated and, by their very nature, cannot always be predicted or identified with certainty. The objective is to have strategies and processes in place to take reasonable measures to manage risks and mitigate or minimise their impact on services, should they occur.

Reasons for Decision

The continuous development of the Council's risk management strategy and business continuity planning is essential to ensure the security of services to citizens.

Recommendations

The Executive is requested to:

RESOLVE That the report be noted and there are no issues of concern.

The Executive has authority to determine the above recommendations.

Background Papers: None.

Sustainability Impact Assessment
Equalities Impact Assessment

Reporting Person: Mark Rolt, Strategic Director
Ext. 3002, E-mail: Mark.Rolt@woking.gov.uk

Contact Person: Pino Mastromarco, Senior Policy Officer
Ext. 3464, E-mail: Pino.Mastromarco@woking.gov.uk

EE14-311

Portfolio Holder: Cllr John Kingsbury
E-mail: cllrjohn.kingsbury@woking.gov.uk

Date Published: 12 June

1.0 Introduction

1.1 The purpose of this report is to provide Members with an update on progress with the implementation of the strategy and to outline the work that has taken place to ensure that risk management and business continuity processes in the Council are fit for purpose.

1.2 The Risk Management and Business Continuity Strategies provide the framework by which the Council identifies, manages and mitigates its business and operational risks. The key elements of this framework are:

- ensure that Risk Management and the adoption of Business Continuity practice becomes part of the culture of the whole organisation;
- manage risk in accordance with best practice;
- prevent injury and damage and reduce the cost of risk;
- consider legal compliance as a minimum standard;
- anticipate and respond to changing social, economic, environmental and legislative requirements;
- continue to develop robust systems to identify and evaluate risk;
- develop reliable performance indicators for target-setting and for making appropriate comparisons; and
- develop systems for performance monitoring to bring about continuous improvement.

1.3 Risk can be defined as the combination of the probability of an event and its consequences. In any organisation there is the potential for events and consequences that either provide opportunities for benefits or threats to success.

1.4 Risk Management is the process whereby the organisation methodically identifies and manages the threats and opportunities that might exist within a Council activity. Business Continuity deals with those situations where, for one reason or another, controls have been unable to contain a risk and a damaging event has occurred. Business Continuity is the process the organisation has set up in advance to control and mitigate the impact of this event.

1.5 Risk Management and Business Continuity Planning are not one-off activities. They are part of a continuous process that runs throughout the Council's activities, not just projects but also in the day-to-day work that is undertaken. It must be integrated into the culture of the Council with an effective strategy and programme led from the top.

1.6 It should also be emphasised that Risk Management is more than just Health and Safety or insurable risks; it includes, amongst other things, political and management risk, financial exposure and reputation.

2.0 Progress to date

2.1 The functional responsibility for corporate risk management and business continuity planning rests with the Corporate Management Group (CMG), and Corporate Strategy is the Business Area accountable for overall delivery and review. All Business Area managers are responsible, with guidance and support from Corporate Strategy, for ensuring appropriate risk management and business continuity arrangements are deployed in their functions, services and areas of responsibility.

2.2 Over the past year, the following actions have taken place to improve and embed processes:

- Risk Management Strategy reviewed and updated and process implemented for the Corporate Management Group (CMG) to review key corporate risks;
- Risk registers reviewed and updated;
- Business Continuity Plans reviewed; and
- Processes continued to better embed risk management, for example through inclusion in Committee Reports, project management processes and the service planning process.

2.3 The key significant corporate risks to Council services have been identified and take into account the wider structure that the Council works in, as a public body (and having specific responsibilities under the Civil Contingencies Act), and reflect both the National Risk Register and Surrey Community Risk Register.

2.4 As part of the business continuity planning process the Council's mission critical activities have been identified. These prioritise those key services, particularly to the more vulnerable sectors of the community, that would be maintained/recovered more quickly in the event of a risk event occurring. These have been reported to Executive previously and are set out below:

Mission Critical Activity: Contact Centre; Careline / Home Support; Emergency Housing Repairs; Strategic Management resource; Meals service; Homelessness; Rest centre provision; Benefits; Health & Safety; Food Safety; Refuse Collection; Street Cleansing; Payroll; Supplier Payments

Recovery Time Objective [1]: <2 days; 2-3 days; <1 week; 1-2 weeks; 1-2 weeks; <2 weeks; <2 weeks

[1] The time within which the activity has to be functioning at a reasonable level after interruption

2.5 The Business Continuity Plan was referenced and readied in response to the flooding that was experienced in areas across Woking throughout this winter. Council staff were deployed to areas of need and arrangements to support neighbouring boroughs with resources and equipment were implemented. There was limited impact on other Council services and all situations were dealt with in a timely manner.

2.6 Work continues to ensure robust and appropriate risk management arrangements are in place where Council services are delivered through external bodies or partnerships, for example, the Thameswey Group and the contract arrangements with leisure and housing management. Each of these areas now has a risk register in place which will be reviewed and updated every 6 months in line with the Council's Risk Management Strategy.

2.7 A test of reasonableness has to be applied to the contingencies that the Council can or should put in place. Cost will be an important consideration, related to likelihood and impact. For example, reciprocal arrangements are in place with neighbouring councils and the County Council to use office space and, whilst this would provide basic functionality, it is obviously limited. To have a contingency that could replicate a significant proportion of the facilities in the Civic Offices, for example, through an external disaster recovery provider/site, would cost in excess of 70,000 per year, just to have it available.

3.0 Conclusions

3.1 The Council's risk management and business continuity plans and arrangements have been reviewed, are fit for purpose and comply with best practice; however, work is ongoing to ensure they are updated to reflect changes in threats and structure, and work continues to identify more robust and cost-effective contingency arrangements.

3.2 The risk of data loss or breach continues to be a high profile risk which is mitigated through the use of appropriate software and the application of security policies. The network is also scanned for external vulnerabilities on a quarterly basis and internal vulnerabilities annually. The annual validation for compliance against the Public Services Network code of connection (successor to GCS) also provides an additional external assessment of risk and mitigation.

3.3 Further testing of potential scenarios and arrangements will be ongoing, as resources allow.

4.0 Implications

Financial

4.1 None arising specifically from the report, but any proposals to further improve or enhance resilience are likely to have cost implications and these would be identified in any such proposal.

Human Resource/Training and Development

4.2 Work continues to make staff aware of the arrangements and train those with specific responsibilities. This will be an ongoing requirement to reflect staff turnover and changes.

Community Safety

4.3 There are no specific environmental or sustainability issues arising as a consequence of this report. Business continuity is a key contributor to community safety in ensuring critical services are maintained but there are no issues arising specifically from this report.

Risk Management

4.4 As outlined in the report.

Sustainability

4.5 None arising from the report.

Equalities

4.6 None arising from the report.

5.0 Consultations

5.1 None.

REPORT ENDS EE

APPENDICES

Equality Impact Assessment

The purpose of this assessment is to improve the work of the Council by making sure that it does not discriminate against any individual or group and that, where possible, it promotes equality. The Council has a legal duty to comply with equalities legislation and this template enables you to consider the impact (positive or negative) a strategy, policy, project or service may have upon the protected groups.

Column headings: Eliminate discrimination; Advance equality; Good relations; Positive impact?; Negative impact?; No specific impact; What will the impact be? If the impact is negative how can it be mitigated? (action)

THIS SECTION NEEDS TO BE COMPLETED AS EVIDENCE OF WHAT THE POSITIVE IMPACT IS OR WHAT ACTIONS ARE BEING TAKEN TO MITIGATE ANY NEGATIVE IMPACTS

- Gender: Men; Women
  This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts.
- Gender Reassignment
- Race: White; Mixed/Multiple ethnic groups; Asian/Asian British; Black/African/Caribbean/Black British; Gypsies / travellers; Other ethnic group
  This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts.

- Disability: Physical; Sensory; Learning Difficulties; Mental Health
  This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts.
- Sexual Orientation: Lesbian, gay men, bisexual
- Age: Older people (50+); Younger people (16-25)
- Religion or Belief: Faith Groups
- Pregnancy & maternity
- Marriage & Civil Partnership
- Socio-economic Background
  This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts.

The purpose of the Equality Impact Assessment is to improve the work of the Council by making sure it does not discriminate against any individual or group and that, where possible, it promotes equality. The assessment is quick and straightforward to undertake but it is an important step to make sure that individuals and teams think carefully about the likely impact of their work on people in Woking and take action to improve strategies, policies, services and projects, where appropriate. Further details and guidance on completing the form are available.

Sustainability Impact Assessment

Officers preparing a committee report are required to complete a Sustainability Impact Assessment. Sustainability is one of the Council's cross-cutting themes and the Council has made a corporate commitment to address the social, economic and environmental effects of activities across Business Units. The purpose of this Impact Assessment is to record any positive or negative impacts this decision, project or programme is likely to have on each of the Council's Sustainability Themes. For assistance with completing the Impact Assessment, please refer to the instructions below. Further details and guidance on completing the form are available.

Column headings: Theme (Potential impacts of the project); Positive Impact; Negative Impact; No specific impact; What will the impact be? If the impact is negative, how can it be mitigated? (action)

- Use of energy, water, minerals and materials
- Waste generation / sustainable waste management
- Pollution to air, land and water
- Factors that contribute to Climate Change
- Protection of and access to the natural environment
- Travel choices that do not rely on the car
- A strong, diverse and sustainable local economy
- Meet local needs locally
- Opportunities for education and information
- Provision of appropriate and sustainable housing
- Personal safety and reduced fear of crime
- Equality in health and good health
- Access to cultural and leisure facilities
- Social inclusion / engage and consult communities
- Equal opportunities for the whole community
- Contribute to Woking's pride of place

This report relates to a review of the last year and covers generic activities of the Council, therefore there are no specific impacts.