Business risk team update

Report: 14
Date: 15 December 2006
By: Treasurer and Commissioner

Summary

A report on progress made by the MPS in the areas of corporate governance, business risk management and insurance management.

A. Recommendation

That

members note progress to end October 2006 on corporate governance, business risk management, and insurance management (Appendix 1); and
progress as captured by the Audit Commission/ALARM [1] risk management Key Performance Indicator (Appendix 2).

B. Supporting information

1. This report includes a report on activity since the previous update report (Appendix 1) and an update on progress made in relation to compliance with the Audit Commission / ALARM KPI as at end October 2006 (Appendix 2).

Corporate governance

2. The Director of Risk Management has undertaken an initial review of MPS governance arrangements against the requirements of the draft CIPFA governance framework: ‘Good Governance in Local Government: A Framework’. As the relationship between the MPA and MPS requires a joint approach to governance, the review has been shared with the MPA Director of Internal Audit who has provided input to inform a second version of the review.

3. The Director of Internal Audit and Director of Risk Management are working together to provide MPA/MPS input to the developing CIPFA governance framework following CIPFA’s acknowledgement that the current draft does not fully reflect the governance requirements of a police authority.

4. Following a report to Management Board by the Director of Strategy, Modernisation and Performance, it has been decided to focus current MPS activity in the area of corporate governance on the following:

development of an approach to managing MPS corporate risks (see section ‘corporate risk registers (MPS & MPA) below;
deployment of the MPS Key Internal Control Framework;
deployment of control self-assurance in respect of MPS corporate policy implementation.
continuing development (with the MPA) of an MPA/MPS governance framework and work to prepare for the evolution of Statements on Internal Control into Statements on Governance as required by CIPFA;
input (with the MPA) to the draft CIPFA governance framework.

MPS business risk management maturity progress

5. Details were provided in the previous quarterly report of the MPS objective to attain maturity Level 5 (‘Baseline Standard’) business risk management by end March 2007. This followed the successful attainment of Level 4 (‘Moving Towards Integration’) by end March 2006.

6. The development of a good practice process for the management of MPS corporate risks is a critical, and challenging, element of the programme for achieving Level 5 (“Minimum Standard”) business risk management by the self-imposed target deadline of end March 2007. In the light of recent progress in relation to the enhancement of the existing corporate risk management process (see ‘corporate risk registers (MPS & MPA) below) we remain on schedule.

Business continuity management

7. It was previously reported that BRMT are working together with the CO3 Business Continuity Team to assist CO3 to achieve Level 4 maturity business continuity management by end March 2007 and that we remained on target. CO3 have subsequently reviewed the present position of their programme to mainstream BC planning with the following developments:

The current level of compliance by (B)OCUs with business continuity planning standard operating procedures (as verified by the Business Continuity Team’s own analysis) is very sporadic with many plans being outdated and not tested, suggesting a significant lack of compliance in this area. (Members will be aware of the concern expressed by the Audit Commission in their end of year report);
Until recently insufficient attention has been paid to longer-term recovery planning in the event of the loss of multi-occupied buildings, the external supply chain, internal support chain and denial of access.

8. The conclusion from the business continuity review was that the Business Continuity Team should proceed as follows:

concentrate their attention during the remainder of the current financial year on reviewing and enhancing existing BC planning SOPs including further consideration being given to a broader scope of Business Contingency planning (embracing people and supply chain issues) and longer term recovery planning;
commence an engagement programme of visits to all (B)OCUs in early 2007 designed to refresh awareness and understanding of BC planning in the broader concept and ensure future robust BC plans. The engagement programme approach mirrors the approach adopted by the Business Risk Management Team in relation to risk registers.

9. The achievement of the next level of business continuity management maturity will thus take longer than originally envisaged. We now aim to achieve Level 4 business continuity management by end March 2008.

Corporate risk registers (MPS & MPA)

10. Following consideration by Management Board of further proposals for managing MPS corporate risks, the Director of Strategy, Modernisation & Performance and Director of Risk Management were tasked to:

undertake further work on the register to identify the key risks to the Service;
initiate a debate with individual MB members on the process to be adopted for managing corporate risks, and
undertake research and benchmarking into the corporate risk management processes adopted by other major organisations.

11. The response to tasks 1 (a) and (b) has been to convene a Corporate Risk Review Group comprising of the Deputy Assistant Commissioner or equivalent police staff post for each Business Group. The group is chaired by the Director of Strategy, Modernisation & Performance and the Director of Risk Management is in support. This review group will meet on a monthly basis in advance of each monthly Management Board meeting. In the short-term it will assist in taking forward tasks 1 (a) and (b). In the longer term it will provide a conduit into MB, filtering the risks reported upwards.

12. As regards task 1 (c) members may recall being advised in September 2006 that the research would consist of benchmarking against two of our Most Similar Forces and against various other major public sector entities.

13. In view of the importance of managing corporate risks (and the fact that achieving Level 5 risk management depends on progress in this area) the Director of Risk Management subsequently decided to substantially extend the scope of the research as set out in item 2 of Appendix 1. In summary, the scope of the research now includes:

Benchmarking against all of our Most Similar Forces
Benchmarking against a wider range of major public sector entities (Civil Nuclear Police, DTI, Home Office, MoD, MoD Police, MoD Procurement Agency, Prison Service, Royal Navy)
Benchmarking questionnaire to all forces in England and Wales via the ALARM Police Service Risk Management Forum
Analysis of main corporate governance and risk management standards
Input from MPA Corporate Governance Committee co-opted members.

14. The key conclusions of the research analysed to date is set out at Appendix 2.

15. The Director of Risk Management has been tasked by the Corporate Risk Review Group (CRRG) to review each of the risks on the MPS Corporate Risk Register with the Business Group Business Managers and risk owners. He has also been tasked to facilitate review by the members of the CRRG of the ‘top ten’ risks reported to Management Board. This will enable the MPS Corporate Risk Register to be refreshed, and the identification of those risks to be escalated to Management Board. The updated MPS Corporate Risk Register will be reported to the next meeting of this Committee together with details of the evolving approach to managing MPS corporate risks. The process will, of course, be informed by the research / benchmarking.

16. The current MPA Corporate Risk Register is attached at Appendix 3.

Audit Commission/Alarm Key Performance Indicator

17. An update to the Audit Commission / ALARM risk management Key Performance Indicator (KPI) at end October 2006 is at Appendix 4. Piloting of an approach to quality assuring the business risk management process – which will lead to the development of quality measures to enhance the existing process measures reported on - has commenced in conjunction with Territorial Policing. The latest Audit Commission/ALARM benchmarking survey is in hand and it is expected that its output will further inform work in this area.

Insurance management

18. The MPA/MPS insurance programme was successfully renewed in October 2006. The renewal negotiations enabled various significant enhancements to coverage to be achieved from savings elsewhere in the programme.

19. To ensure that the MPA’s interest is best served, the Assistant Director of Risk Management is now liaising with the Treasurer and Deputy Treasurer to agree an approach to co-ordinating the following activities for next year:

the process for renewing the insurance programme in October 2007 when current liability insurance long term agreements expire;
the process for tendering the insurance broking contract (currently held by Willis) which also expires in October 2007.

C. Race and equality impact

The MPS business risk management process requires diversity risks and impacts to be identified and managed, enhancing the ability of the MPS to respond to the diversity imperative.

D. Financial implications

All work undertaken by BRMT is funded from existing budgets. Interventions to reduce risk exposures identified as a result of the deployment of the business risk management process may have financial implications.

E. Background papers

None

F. Contact details

Report author: Nick Chown, Director of Risk Management, MPS.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

Progress report – December 2006

This report covers the three areas where the Business Risk Management Team (BRMT) provides the MPS with a professional lead i.e. corporate governance, business risk management and insurance management. It also includes sections on the Outsourcing Programme, where support is provided in relation to risk management and insurance, and the development of national risk management standards for the police service.

Business risk management

1. Statement on Internal Control (SIC) - The 2005/6 MPS SIC having been approved by the Commissioner and submitted to the MPA to inform the published MPA SIC, we are now Undertaking the first six monthly review of progress in relation to the action plan.

2. Corporate, Business Group and (B)OCU risk registers – Phase 1 of the engagement programme of business risk management presentations to OCUs has been completed. The second phase of the engagement programme – quality assuring the risk registers and the process and buy-in that supports the registers – is currently being piloted with TP.

Following consideration of proposals for managing MPS corporate risks by Management Board the Director of Strategy, Modernisation & Performance and Director of Risk Management were tasked to:

undertake further work on the register to identify the key risks to the Service;
initiate a debate with individual MB members on the process to be adopted for managing corporate risks, and
undertake research into the corporate risk management processes adopted by other major organisations.

The approach adopted as a response to tasks (a) and (b) has been to convene a Corporate Risk Review Group comprising of the Deputy Assistant Commissioner or equivalent police staff post for each Business Group with the Director of Strategy, Modernisation & Performance in the Chair and the Director of Risk Management in support. This review group will meet on a monthly basis in advance of each monthly Management Board meeting. In the short term it will assist in taking forward tasks (a) and (b). In the longer term it will provide a conduit into MB and will filter the risks reported into MB.

As regards task (c) members may recall being advised in September 2006 that the research/benchmarking would consist of the following:

Benchmarking against two of our Most Similar Forces (Greater Manchester Police and West Midlands)
Benchmarking against various other major public sector entities (Department of Trade & Industry, Home Office, Ministry of Defence, Prison Service, and Royal Navy)

In view of the importance of managing corporate risks (and the fact that achieving Level 5 risk management depends on progress in this area) the Director of Risk Management subsequently decided to extend the scope of the research/benchmarking as follows:

Benchmarking against all of our Most Similar Forces
Benchmarking against a wider range of major public sector entities (Civil Nuclear Police, DTI, Home Office, MoD, MoD Police, MoD Procurement Agency, Prison Service, Royal Navy)
Benchmarking questionnaire to all forces in England and Wales via the ALARM Police Service Risk Management Forum
Analysis of main corporate governance and risk management standards
Input from MPA Corporate Governance Committee co-opted members.

As at the date of this report (12 November 2006) the following activity had been undertaken:

Benchmarking meetings held with Greater Manchester Police, Home Office, MoD and MoD Police
All other proposed benchmarking meetings either diarised or being arranged
Benchmarking questionnaire forwarded to all Home Office forces and analysis of the initial responses received carried out
Analysis of corporate governance/risk management standards and frameworks completed (available if required)
Meetings held with both co-opted members of MPA Corporate Government Committee (Linda Duncan of Nexia Strategy and Richard Stephenson of Transport for London).

The Director of Risk Management is currently reviewing each of the risks on the Corporate Risk Register with the Business Group Business Managers and risk owners. He is also facilitating review by the Corporate Risk Review Group of the ‘top ten’ risks reported to Management Board.

3. Business risk management awareness/training rollout – The ‘business as usual’ roll-out of risk management training continues. A major development is the agreement to train a cadre of senior police officers (superintendents and chief inspectors) across all business groups to assist the mainstreaming of risk management across the Service. The first phase involving identification of suitable officers in the operational Business Groups in conjunction with the Business Managers has been completed. Training sessions will take place for these officers in January 2007. We have invited each officer concerned to join the cadre and are currently allocating them to training sessions. The second phase of the cadre rollout will cover the non-operational Business Groups. We will shortly begin working with their Business Managers to identify suitable personnel to receive the training.

4. Business Risk Management Standard Operating Procedure (BRM SOP) – A first draft of a revised BRM SOP is under review. This will reflect work in connection with the management of corporate risks and will incorporate guidance on the risk management ‘bow-tie’ technique. The bow-tie is a tool for identifying the causes and consequences of a risk and the controls in relation to the causes (preventative controls) and consequences (mitigating controls). It is a powerful means by which to record all this important data on one page for decision support purposes. The tool has been well received in both operational and non-operational areas since first introduced earlier this year. In order to ensure prioritisation of risks we are piloting an approach whereby it is strongly recommended that SMTs focus their attention on no more than 10 risks (other risks being managed below SMT level) with the top three risks being ‘bow-tied’. The aim is to roll out this approach Met-wide if the pilot is successful.

Insurance management

5. Personal insurance invalidation indemnity policy (PIIP) – Work continues to improve on the wording of the Policy and SOP. A new draft is nearing completion and we have met with Bircham Dyson and Bell and representatives of the MPA and MPS Policy Unit to agree the way forward on the proposed changes. The meeting successfully agreed a way forward and BDB are now working on making some minor changes to the draft. The revised PIIP will be completed by January 2007, in line with the annual MPA renewal timetable.

The Treasurers organisation (PATS) has not approved the PIIP approach, which may make it even more difficult to obtain a Central Government indemnity for the ‘unaffordable events’ exclusion (events that involve mass claims that exceed the Authority’s self-insurance limits). Some Forces see the benefits of the MPA/MPS approach and are continuing to develop their own PIIP. Other forces are in the process of making insurance arrangements instead. The MPA Treasurer will be writing to the APA to enlist their support for an approach to Central Government regarding an ‘unaffordable events’ indemnity.

BRMT and Accident Claims Branch continue to promote and make presentations on the PIIP (the most recent one being to CO19).

An SO15 officer has advised a problem with obtaining life cover in respect of their disclosure of foreign travel. A new life insurer has increased the premiums in relation to these trips and we will keep a watching brief on developments in this case as to the appropriateness of these increases.

6. Insurance programme renewal – The main insurance programme was successfully renewed in October 2006 with various enhancements to the cover negotiated and paid for from savings elsewhere in the programme.

7. Insurance Broker Tender – Initial discussions are taking place between MPA, Accident Claims, Business Risk Management and Procurement as to the best way to manage the broker tender process, which falls at around the same time as the main insurance programme next year.

8. Business interruption (BI) and IT reviews – Both of these projects are complete with the results of the BI review feeding in to this years insurance renewal and the IT review being fed in to the quarterly meetings between the MPS and its property insurers.

9. Self-insurance fund development – The version 3 report has been finalised and agreement reached on the methodologies used by the external financier. As previously stated, this report confirmed that existing provisions for self-insured losses and claims are essentially adequate. Additional reports will be requested as a check on MPS/MPA’s internal recommendations.

10. MPS insurance and compensation claim budgets – The Professional Standards Support Programme (PSSP) Roadshow is about to commence (at the end of Nov 2006) and will include a section for Civil Actions / Accident Claims / Legal and will highlight to those key individuals the cost/scale of accident claims, ownership and risk mitigation strategies. It was rightly decided to include this work in the Prevention Roadshow rather than duplicate a similar process in the previously planned five test areas in this respect.

11. Other insurance matters – It was good to see more interest from new insurance companies at this year’s renewal that wished to underwrite the MPA’s risks. This reflects the increasing comfort that the insurance market has that the underlying risks are being well managed and the availability of improved statistics. Police authority owned and managed mutual insurance companies [2] are the subject of activity in the insurance market place. We will continue to monitor and report on these developments.

Outsourcing Programme Support (Risk Management and Insurance)

12. Outsourcing programme – BRMT continue to support the Outsourcing Programme with advice and guidance on risk and insurance matters, subcontracting specialist insurance work to Willis. This ensures that contracts and specifications include robust insurance provisions.

BRMT provided evaluation input to the Facilities Management Services tender process.

Corporate Governance

13. MPS Key Internal Control Framework – The Key Internal Control Framework was launched in September 2006 as planned.

The Director of Internal Audit and Director of Risk Management are working together to provide joint MPA/MPS input to the development by CIPFA of their governance framework ‘Good Governance in Local Government: A Framework’. This follows an acknowledgement that the current draft framework does not fully reflect the position of a police authority.

Following a report to Management Board by the Director of Strategy, Modernisation and Performance, it has been decided to focus current MPS activity in the area of corporate governance on the following:

development of an approach to managing MPS corporate risks;
deployment of the MPS Key Internal Control Framework;
deployment of control self-assurance in respect of MPS corporate policy implementation.
continuing development (with the MPA) of an MPA/MPS governance framework and work to prepare for the evolution of Statements on Internal Control into Statements on Governance as required by CIPFA;
input (with the MPA) to the draft CIPFA governance framework.

Development of National Risk Management Standards for the Police Service

14. Work with National Centre for Policing Excellence (NCPE) – Work continues on the various national risk management tasks including the development of the national framework for risk management in the police service (see item 14 below). The Director of Risk Management and Assistant Director of Risk Management met with DCC Alan Goodwin – who heads up the ACPO Emergency Planning Business Area – to discuss ACPO ownership of business risk management. DCC Goodwin has kindly agreed to assist in the development of proposals for ACPO sponsorship of risk management to be put to the President.

15. National business risk management framework for the police service – A first draft framework was presented to the November 2006 meeting of the ALARM Police Service Risk Management Forum. The draft will now be quality assured by the members of the forum and by Pricewaterhouse Coopers. The objective remains to have a finalised framework ready by end March 2007. NCPE have offered to work up the framework as standard police doctrine and a meeting has been arranged to discuss this and the involvement of other key external stakeholders (e.g. APA, Audit Commission, HMIC, Home Office and PATS) in the process.

Appendix 2

Management of corporate business risks

ALARM benchmarking questionnaire responses (29 forces)

Headlines

Only one of the 29 forces that responded to the survey does not have a corporate risk register
Whilst 21 forces appear to have included all or the majority of the corporate risks they have identified in their corporate risk register, 7 forces have top sliced a manageable number of risks within good practice guidelines (maximum 15 risks)
17 force top teams own all the risks on their register and only 5 force top teams appear not to own any corporate risks
Excluding two ‘outliers’ there is an average of 34 risks on each corporate register with an average of 26 risks owned by chief officers
Top slicing is generally dependent on tolerance line or level of authority required to implement an action plan
Although the frequency of review varies from weekly to annually the majority of forces review corporate risks quarterly
24 forces have a top/down and bottom/up risk management process or plan to have one
26 forces have a risk management review group or plan to have one and whilst it can be argued that such a group is inimical to embedding risk management it appears generally accepted that these groups add value to their forces
14 out of 23 force risk management review groups include police authority personnel
20 out of 28 forces with a corporate risk register compiled the register with top team input
Exception reporting is common as is RAG reporting with an accompanying report to put risks into context and identify exceptions

Questions	Responses
1. Does your force have a Strategic/Corporate Risk Register (referred to from now on as the Corporate Risk Register)?	Of the 29 forces who responded to the survey 28 have a corporate risk register and one does not
2. How many risks are included in your Corporate Risk Register?	The 28 forces that have a corporate risk register have 1253 risks between them in total on their registers There is an average 45 risks per register but excluding two outliers (with 371 risks between them) a more representative average is 32 The number of risks on each register varies from 7 to 203 19 forces have a maximum of 40 risks each on their register
3. How many of the risks in your Corporate Risk Register are owned by individual members of your Management Board/Force Command Team/Force Executive (the ‘top team’)?	Excluding the two outliers: 662 risks across 25 forces are owned by chief officers (an average of 26 risks per force) The number of risks owned by chief officers varies from 7 to 86 risks per register Of the 19 forces with a maximum of 40 risks on their register the average number of risks owned by chief officers is 18 17 force top team own all the risks on their register 8 forces apply the generally accepted good practice approach that “no more than 15 risks should be owned by any SMT” to their top team One force states that their risks are owned by chief officers but that all are delegated for management purposes
4. If the top team owns a top sliced portion of the risks in your Corporate Risk Register, how do you identify the top sliced risks?	Top slicing is generally dependent on tolerance line or level of authority required to implement action plan
5. How often does the top team review strategic/corporate risks?	25 responses broken down as follows: Annually – 1 Six monthly – 1 Quarterly – 15 Bi-monthly – 4 Monthly - 3 Weekly – 1 One force’s risk management group meets six monthly but corporate risks are reviewed weekly by its chief officer group
6. Do you have a process of top/down direction on risk mitigation requirements from the top team and bottom/up escalation of risks?	Of the 27 responses that could be analysed 24 forces either have a process or are developing one/plan to have one and 3 do not
7. Do you have a Strategic/Corporate Risk Review Group / Risk Management Board to help identify, evaluate, prioritise and monitor the biggest force risks?	Of the 29 forces who responded to the survey 26 have such a group (or groups) or are planning to implement one and 3 do not One force states that a group of this nature is counter-productive to embedding
8. When your force compiled its original Corporate Risk Register was this done with input from members of the top team and, if so, please comment on the nature and extent of that input (e.g. one force compiled its register from input at a half day workshop with its top team members)	Of the 29 forces who responded to the survey 27 responses to this question could be analysed and of these 20 forces compiled their corporate risk register with top team input and 7 did not
9. How would you describe the process of reporting risks to your top team (e.g. exception reporting, red/amber/green prioritisation, one risk per meeting)?	Exception reporting is common as is RAG reporting with an accompanying report to put risks into context and identify exceptions. Reporting via monthly budget meetings is used by some forces. One particularly interesting response is as follows: Direct interface between chief officer and his senior management team at their routine meetings. If it is significant and unacceptable, they themselves put it on their risk register and the updated version of the risk register is forwarded to the risk manager for information. That way they report on their risks and their action plans to their own Chief Officer
10. To what extent is your police authority involved in the force strategic/corporate risk management process? For example: Involvement with force Risk Review Group/Risk Management Board How often are strategic/corporate risks reported to the police authority? To which authority committee are strategic/corporate risks reported?	Forces report risks to their police authority on a regular basis as would be expected. A less expected feature is the extent of the police authority’s involvement in the force risk management process with a significant number of forces. With 14 out of 22 forces police authority personnel are standing members of the corporate risk management forum and in one case, the Treasurer chairs the forum. One force states that the content of the force risk registers is a core plank in the priority setting process of the authority's internal auditors. The force risk register is also a key document in setting the review priorities of the force's own Inspectorate team.
11. Are there any features of your approach to managing strategic/corporate risks that you regard as especially good practice/innovative?	Innovations to highlight are: Joint strategic risk register with police authority Police Authority engagement at all levels Having a specific group who are "perceived" as to be managing the risks is counter productive to embedding it in everyone's day job Risk is given priority through being linked to the Performance review process of staff and board members Stewardship statements from chief officers and BCU Commanders.
12. Does your force integrate its risk reporting and the output of any environmental scanning it undertakes (i.e. scanning of the external environment in which the force operates for legislative and other key developments that could affect operational policing)?	Although there are a variety of responses, there is considerable support for integrating risk, planning and scanning

Appendix 3

MPA Corporate risk register

Ability to maintain good productive working relationships with the MPS
Ability to maintain good productive working relationships with the GLA and Mayor
Inadequate resources to deliver the corporate strategy
Potentially severe effects on service delivery resulting from closure of offices in an emergency situation
Maintaining the proper profile of the Authority
Possibility of lack of member ownership of the corporate strategy
Inability to develop officer and member skills and competence to match changing requirements
Failure to achieve the Improvement Programme
Failure to achieve defined corporate objectives
Potential for serious legal action and associated resource implications
Inability to respond professionally and effectively to major national issues
Inadequate environmental scanning