Highways Agency

Safe roads, Reliable journeys, Informed travellers

Highways Agency Framework for Business Risk Management

Contents

• 1. INTRODUCTION
• 2. DEVELOPING THE AGENCY RISK MANAGEMENT FRAMEWORK
• 3. REVIEW AND ASSURANCE
• Annex A: HA Ethos
• Annex B: Risk Reporting - Flowchart

1 INTRODUCTION

January 2001

DOCUMENT OBJECTIVE

1.1 This document sets out the Highways Agency's framework for Risk Management. It outlines both the Agency's approach to Risk Management and the associated roles and responsibilities of Agency colleagues.

1.2 The framework for Risk Management:

• is part of the business improvement programme and contributes towards the Agency's key objective number 8, 'to be a good employer, managing the Agency's business effectively and efficiently, seeking continuous improvement';
• relates directly to the Agency's Personal Development Plan competencies (number 8, problem solving and decision making);
• is a key element of the Highways Agency's ethos for project delivery (see Annex A); and
• builds on existing arrangements for Risk Management within the Agency.

1.3 Ownership and responsibility for maintaining this document rests with the Corporate Risk Management Advisor.

POLICY STATEMENT

We shouldn't be afraid to take risks, even if that means risking failure...
[Prime Minister Tony Blair].

1.4 In line with the Modernising Government white paper it is the policy of the Highways Agency to promote the creation of a more innovative and less risk-averse culture, involving a move from risk avoidance to "well thought through risk taking"

WHAT IS RISK?

1.5 For this document, the following definitions apply:

• Risk is anything that could hinder the achievement of business goals or the delivery of stakeholder expectations. Risk can arise from failure to exploit opportunities as well as from threats materialising.
• Risk Management is the culture, processes and structure aimed at managing potential opportunities and threats to an organisation.

THE BUSINESS CASE FOR MANAGING RISK

1.6 To be confident of meeting the challenges stemming from the 'Modernising Government' white paper and the requirements of 'Corporate Governance', it is necessary to ask whether the Agency has:

• Adequate and dynamic processes in place to identify existing and new risks faced;
• The right balance of arrangements in place to deal with these risks; and
• An adequate framework for risk analysis and evaluation to support our decision-making processes.

1.7 The Modernising Government White Paper encourages Departments and Agencies to adopt 'more well thought out risk taking', in an attempt to secure better value for money (VFM). In encouraging Agency colleagues to do this, however, they need to be provided with the tools to manage risks effectively. To facilitate this the Agency needs to have an effective and transparent approach to Risk Management in place (including the availability of practical guidance and training).

1.8 In order to generate improved VFM through sound Risk Management a balance has to be struck between risk taking and being risk averse, as illustrated below:

1.9 If Agency colleagues take decisions in ignorance of the associated risks, or regardless of their possible impact on the business, they are likely to reduce VFM rather than enhance it. This is exacerbated if the Agency is actively encouraging a more well thought out approach towards risk taking, without defining the framework or criteria within which colleagues are expected to do so.

1.10 At the other end of the scale, if colleagues are bound by detailed controls and procedures which seek to eliminate risk, VFM is also likely to be limited by the inefficiency of systems/processes and by colleagues being denied the opportunity to innovate. One basic example might be where the proper consideration of risk enables multiple invoice payments made to the same supplier to be consolidated into one, with considerable resource savings being made as a result.

1.11 To successfully implement Risk Management throughout the Agency, colleagues at all levels need to be encouraged to take a well thought through approach. However, in doing so they need to be provided with tools which enable them to identify, assess and fully take account of the risks in their decision making. To facilitate this, training and guidance will be made available on how to manage the risks effectively to deliver increased VFM.

2 DEVELOPING THE AGENCY RISK MANAGEMENT FRAMEWORK

2.1 The Agency Risk Management framework will pull together the existing Risk Management arrangements and turn them into a comprehensive framework, which combines strategic arrangements at the top of the organisation and embeds Risk Management behaviour into the day to day decision making of all colleagues at every level. The strategic and operational elements of the framework are outlined in the paragraphs below.

STRATEGIC RISK MANAGEMENT

2.2 The following diagram shows the strategic element of the Risk Management framework and is the part, which will require input from the Accounting Officer (Chief Executive), Audit Committee and Board Directors. The strategic risk analysis and the three components of the high level control framework (see diagram below), sets the "tone from the top". It allows for senior management to be fully involved in:

• the identification of strategic objectives and the threats to their achievement; and
• setting the high level 'culture' which exists in the Agency to encourage responsible risk taking at all levels to achieve VFM.

2.3 Taking each aspect of the diagram in turn:

Strategic Risk Analysis:

2.4 The Highways Agency Management Board has identified eight key Agency business and administrative objectives and these are reflected in the Agency's Business Plan. In respect of each objective, key threats to their achievement need to be formally identified and prioritised. Board Members will consider the high-level risk mitigation activities available and decide upon the approach required for each key Agency objective.

2.5 The options for dealing with risk are: terminate the activity; put controls in place to manage the risks; pass on to a partner or provider; or accept the risk and make an informed decision to do nothing. Thereafter, the strategic planning process must ensure that threats and countermeasures are captured and considered when new objectives are set or existing objectives are materially altered.

Philosophy:

2.6 The Accounting Officer (advised by the Audit Committee) needs to clearly define the approach to managing risk, its overall 'appetite' for risk and expectations as far as risk taking/management and delegation of authority is concerned. Agency colleagues should be clear about what is expected of them and what is not.

Behaviour:

2.7 A culture should be created within the Agency that supports the considered and effective management of risk. Agency colleagues must understand what is required of them in managing risk and have the appropriate skills and knowledge to carry out that role.

Roles and responsibilities:

2.8 Paragraph 1.6 briefly mentions the important role played by 'effective' Risk Management arrangements in the achievement of 'sound' Corporate Governance. Effective Risk Management arrangements cannot be achieved unless there is a clear understanding of roles and responsibilities down through the organisation and clear lines of accountability back up the organisation.

2.9 The Accounting Officer is ultimately responsible for demonstrating that adequate sources of assurance are available to confirm that the various control systems have been effective in managing risks.

2.10 Highways Agency Board Directors are responsible for:

• Defining and communicating the Agency's risk tolerance i.e. the level of exposure and nature of risks which are acceptable;
• Developing and communicating Agency strategy, aims and objectives to all colleagues to set the context for Risk Management and control activities;
• Setting policies on internal control based on the Agency's risk profile, its ability to manage the risks identified and the cost/benefit of related controls; and
• Seeking regular assurance that the system of internal control is effective in managing risks in accordance with Agency policies.

2.11 Assurance will be provided by Agency Board Directors via the production of quarterly reports (to co-incide with Audit Committee meetings), highlighting changes to risk registers (e.g. new risks identified, changes to risk rankings etc) and the effectiveness of measures introduced to control and manage the risks. Such reports will be subject to review by the Audit Committee. Section 3 of this document provides more detail on the Agency's procedures for review and assurance.

2.12 In developing and assigning Risk Management roles and responsibilities throughout the Agency, we need to understand that the Agency has three 'lines of defence' against the risks faced i.e.

2.13 In order to achieve objectives, all Agency colleagues have some responsibility for Risk Management - "the first line of defence". They should collectively have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This requires an understanding of the Agency, its objectives, its stakeholders and the risks it faces.

2.14 All line managers are responsible for ensuring that policy on Risk Management is implemented and for ensuring that all colleagues understand the policy and comply with it. Divisional Directors and Heads of Division are responsible for providing input to the respective Board Directors quarterly Risk Management report. They are accountable for the quality of information included within their reports.

2.15 Within the 'project' environment it is worth noting the Risk Management responsibilities of certain key individuals:

• Project Owner (PO)
  The PO owns the business case, which identifies project risks. They are responsible for reporting risks to the relevant Programme Owner (via the Programme Co-ordinator);
• Investment Decision Maker (IDM)
  The IDMs role is to ensure that the business case has reported on the risks and provided detail on how they are to be managed;
• Project Sponsor (PS)
  The PS is responsible for the day-to-day management of the risks;
• Programme Co-ordinator (PC)
  The PC is responsible for the effective management of programme risks; and
• Programme Owner (PO)
  Finally, the PO is responsible for ensuring that all programme risks have been identified.

2.16 The formal groups established to oversee management arrangements provide the "second line of defence". These include; Performance Monitoring Action Group, Capital Investment Committee, Confirming Committees and the Audit Committee. Such groups have a key role in supporting the business and assessing the effectiveness of the management and ongoing monitoring of risk.

2.17 The "third line of defence" is provided by groups such as Internal Audit, who will review the robustness of arrangements in place for managing risks. Also sitting within Internal Audit is the Corporate Risk Management Advisor whose main purpose is to develop and maintain the Agency's arrangements for Risk Management. Other 'external assurance' providers include the National Audit Office (NAO).

OPERATIONAL RISK MANAGEMENT

2.18 The operational element of the Risk Management framework allows for the key threats to delivery of business objectives to be managed in a structured way. Again, it relies upon clear lines of responsibility/accountability and the development of robust systems for Risk Management, including reporting on how well risks have actually been managed. The diagram below incorporates the 'operational element' of the Risk Management framework (strategic element shaded grey):

Operational risk analysis:

2.19 For effective Risk Management, clear lines of accountability for business objectives are essential. For individual objectives, the Board Member accountable needs to define the high-level control environment required and, in doing so, indicate the level of risk the Agency is willing to accept.

2.20 Following on from HA Board identification of the key Agency business and administrative objectives, an operational risk assessment is required to determine whether arrangements for the management of risks are sound. An operational risk assessment will:

• Identify all risks - via the systematic identification and recording of the risks faced by the Agency in delivering its business and administrative objectives.
• Evaluate identified risks - via the assessment of the relative likelihood of risks occurring, and the impact/materiality of potential consequences. To ensure consistency, it is essential that risk evaluations be carried out to the same standard using a uniform methodology, throughout the Agency.
• Evaluate current mitigation arrangements - via the consideration of the current methods used to mitigate each identified risk and whether they are appropriate.

2.21 Regular monitoring of, and reporting on, Risk Management arrangements is also required to enable the Accounting Officer to be assured that arrangements are operating as intended.

DEVELOPING THE STRUCTURES AND INFRASTRUCTURES

2.22 The overall aim is to show that the Agency complies with Treasury requirements for there to be an appropriate 'Risk Management framework' within Government departments, Agencies etc. This involves:

• the development of the Corporate Risk Register, with significant input from the Agency Board; and
• the introduction of robust systems to ensure that the Agency is able to give adequate and reliable disclosures with regard to the management of key risks (including the effectiveness of internal control systems).

INTEGRATING RISK MANAGEMENT INTO THE AGENCY

2.23 Integrating Risk Management into the day-to-day business processes provides an opportunity to add value to the business as a whole. Integration will be achieved through:

• raising colleagues awareness of Agency Risk Management procedures through existing communication channels;
• providing training in Risk Management where appropriate (e.g. to colleagues with related responsibilities);
• arranging and assisting in the performance of facilitated risk review workshops; and
• promoting the management of risk as a process improvement tool using the Control & Risk Self Assessment (CRSA) problem solving techniques.

2.24 The diagram below provides an overview of the levels at which risk reviews are performed and the types of risk identified:

2.25 The diagram reflects that, should a risk be assessed as 'critical' to the achievement of longer-term 'strategic' objectives, it may move 'up' from being managed at project level to Agency Board level. This 'movement' of risk may also go in the opposite direction, again, depending upon the ongoing assessment of likelihood and consequence.

LIVING RISK MANAGEMENT AT ALL LEVELS OF THE AGENCY

2.26 The experience of both private and public sector organisations shows that embedding of Risk Management at all levels is a long-term ambition, but this is no reason not to aim for that as a goal. To help realise the full benefits of Risk Management, the management of risk already forms part of the core competence areas for colleagues (competency number 8 - problem solving and decision making). Training and coaching for colleagues in the identification of risk and the design and evaluation of mitigation arrangements is to be made available.

2.27 Some of the key milestones for the development of Risk Management arrangements in the Agency are:

Implementing Risk Management in Agency - Outline Timetable:

3 REVIEW AND ASSURANCE

THE REPORTING FRAMEWORK

3.1 Few risks remain static and new risks emerge as external and internal circumstance change. Ongoing review is essential to ensure that factors, which may give rise to a new risk or affect the likelihood and consequence of an existing risk outcome, are identified and an appropriate response made.

3.2 The principle of 'Corporate Governance' requirements is to ensure that the Risk Management arrangements embedded into the organisation are subjected to review by senior management.

3.3 The objectives of Risk Management reporting are:

• To provide the Chief Executive, as Accounting Officer, with information on the effectiveness with which risks are identified, managed and monitored throughout the Agency; and
• To support the Chief Executive's Annual Statement on Internal Control.

3.4 To achieve this, a structure of reporting the results of risk review and management activities will be established in the Agency. Annex B flowcharts the reporting process.

SCOPE AND CONTENT OF RISK MANAGEMENT REPORTS

3.5 Quarterly Risk Management reports, prepared by Board Directors, cover:

What are the major categories of risk?

3.6 The Audit Committee will be provided with periodic reports on those risks assessed as critical in the initial risk assessments undertaken by Directorates. These reports include updates on progress against action plans, re-assessment of the current risk level and forecasting of the post action plan risk level.

Which business areas have the most critical risks?

3.7 Periodic reports are appropriate on specific business areas where the risks are regarded as critical.

Are there any single risks that could have a critical impact?

3.8 If there are, the Audit Committee needs to know how action plans are progressing and how the level of risk is being reduced.

Are inter-dependencies being monitored?

3.9 Inter-dependencies will change continuously as the Agency changes. These are to be reported on periodically and will help to ensure that risks are also looked at from an Agency wide viewpoint (reducing the 'silo' mentality).

RISK REPORTING - ROLES AND RESPONSIBILITIES

3.10 Additional to the roles and responsibilities outlined in paras. 2.8 to 2.17, there are a number of key players in the Agency's risk reporting arrangements i.e.

Corporate Risk Management Advisor (CRMA)

3.11 The CRMA will:

• Provide guidance and advice on the operation of the reporting procedures;
• Bring together the periodic reports from Board Directors, consolidating them in reports to the Chief Executive and Audit Committee;
• Arrange for reports to be analysed and provide a synopsis of key issues; and
• Feedback any issues raised by the Audit Committee for inclusion in Directorate/Divisional risk registers.

Audit Committee

3.12 The Audit Committee considers "issues which affect the adequacy and effectiveness of the Agency's arrangements for identifying and managing risk at all levels in the Agency".

3.13 The Audit Committee will review:

• Quarterly reports produced by the Agency Board Directors and the CRMA;
• An annual report that brings together the issues reviewed throughout the year identifies the significant risks and describes the actions being taken to manage those risks. This report is produced by the CRMA; and
• The annual statement on the adequacy of Risk Management arrangements adopted by the Agency (the Statement on Internal Control).

Performance Monitoring Action Group (PMAG)

3.14 PMAG provide a means of ensuring compliance with the currently accepted principles of Corporate Governance, paying particular attention to identification, management and reporting of all risks associated with the business issues placed before them.

3.15 They are also responsible for the identification of risks and Risk Management strategies of sufficient impact to be reported in the Corporate Governance section of the Agency's Annual Report.

Internal Audit (part of Audit, Inspection and Consultancy Division)

3.16 Internal Audit work provides an important assurance about the adequacy of management's embedded risk and control mechanism. As part of this role, Internal Audit will periodically review the reporting process, focussing in particular on the accuracy and robustness of reporting information.

3.17 The Internal Audit unit is also being used to assist in the development of arrangements for Risk Management within the Agency. They are well placed to do this as they possess a wide ranging view of the activities undertaking within the Agency and has already undertaken some form of assessment to inform it's planning of systems and processes to be audited.

3.18 However, it is important to note that their function is to provide an independent assurance about the way in which risks are managed. Internal Audit is neither a substitute for Agency management ownership of risk, nor is the presence or activity of Internal Audit a substitute for an embedded review system carried out by colleagues with executive responsibility for the achievement of Agency objectives.

Annex A: HA Ethos

View larger image      

Annex B: Risk Reporting - Flowchart

View larger image