51. Risk Management Business Risk Assessment July 2023

Policies Uploaded on July 19, 2023

Penkridge Parish Council
Risk Management Document and
Business Risk Assessment
Introduction
Penkridge Parish Council (The Parish Council) is committed to identifying and managing risks,
using the following Policy and Control Procedures to ensure that risks are maintained at an
acceptable level. Any action that is felt necessary will be taken by the Parish Council or
reported to the relevant authority.
The aim of this Policy and Control Procedure is to protect Penkridge Parish Council’s ability to
deliver its vision and to serve and respond to the needs of the Community through meeting
its corporate objectives.
The Parish Council recognises its responsibility to manage risk effectively in order to protect
employees, Councillors, assets, liabilities and the Community against potential losses and
minimise uncertainty in achieving its vision and objectives.
This Policy and Control Procedure is an integral part of the Parish Council’s governance and
management processes and sets a proactive framework to identify, prioritise and manage
risks that could negatively impact upon delivery of the Council’s vision and objectives.
The Council will manage risk in accordance with best practice and legislative requirements
to minimise loss, disruption, injury and damage and inform policy and operational decisions
by identifying risks and their likely impact.
What is Risk Management
Risk is an uncertain event or condition that, if it occurs, will have an effect on the
achievements of an authority’s objectives. Risk management is the process whereby the
Parish Council methodically addresses the risks associated with what they do and the
services which they provide. The focus of risk management is to identify what can go wrong
and take proportionate steps to avoid this or successfully manage the consequences. Good
risk management allows stakeholders to have increased confidence in the Parish Council’s
corporate governance arrangements and its ability to deliver its priorities. Risk Management
is not just about financial management; it is about protecting the achievements of
objectives set by the Parish Council to deliver high quality public services. The failure to
manage risks effectively can be expensive in terms of litigation and reputation and can
impact on the ability to achieve desired outcomes. The Parish Council generally and
members individually are responsible for risk management.
The Parish Council faces the following risks:
• Strategic risks because of poor decision making or poor implementation which could
result in long term adverse impact (reputational damage, loss of public confidence,
Government intervention).
• Compliance risk as a result of failing to comply with legislation (eg health and safety
or employment law), procedures (eg Governance and Accountability for Smaller
Authorities in England 2020, Government’s Investment Guidance 2018) or lack of
documentation to prove compliance (eg legionella testing, fire risk assessments etc)
which could result in prosecution, judicial reviews, employment tribunals or an inability
to enforce contracts.
• Financial risk because of fraud and corruption, waste and bad debt which could
result in additional audit investigation, public objections to accounts, reduced service
delivery, depletion of Council reserves and increased precept requirements.
• Operational risk resulting in the failure to deliver services due to malfunctioning or
damaged equipment or property, or hazards to staff/public, which could result in
insurance claims, higher insurance premiums and lengthy recovery processes.
Not all these risks are insurable and for some the premiums may not be cost effective. Even
where insurance is available, a monetary consideration might not be an adequate
recompense. The emphasis should always be on eliminating or reducing risk before costly
steps to transfer risk to another party are considered.
Regulation 4 of the Accounts and Audit Regulations 2015 requires the Parish Council to
establish and maintain a systematic strategy, framework and process for managing risk.
This process is an integral part of the best value process, demonstrating continuous service
improvement by managing operational and strategic risks. New projects or changes to
services will include risk identification, and the measures to eliminate or control risks will be
documented in reports to the Parish Council and its Committees where appropriate.
1. Risk Identification
Identifying and understanding the hazards and risks facing the Parish Council is crucial
if informed decisions are to be made about policy or service delivery methods. The risks
associated with these decisions can then be effectively managed.
To manage risk, Penkridge Parish Council needs to know what risks it faces. Identifying
risks is therefore the first step in the risk management process. Below is a list of typical risk
categories and what we currently have in place.
a. Financial – Loss of money through theft or dishonesty. The Parish Council does not
currently receive any income from, for example, sports pitches or buildings.
b. Security – Protection of physical assets, eg buildings, furniture and equipment. All
current physical assets owned by the Parish Council are insured with Zurich Municipal
and a log of all assets is kept on a comprehensive Asset Register.
c. Property – Risk of damage to the Haling Dene Centre – The Parish Council holds
Buildings Insurance against the Centre’s building. The Parish Council holds other
comprehensive insurance for assets such as play equipment, street furniture, office
equipment etc.
d. Legal – Breaking the law or being sued – The Parish Council holds cover for Public
Liability and Employers Liability of £10,000,000.
2. Risk Analysis
Once the key risks have been identified, the next step is to assess, systematically and
accurately, the potential consequences of a risk occurring (impact) and how likely this is
(likelihood). Analysis should make full use of any available data on the potential
frequency of events and their consequences. If a risk is seen to be unacceptable,
then steps should be taken to control or respond to the risk.
The assessment of potential impact and likelihood need not be any more complex
than assigning each risk as either high, medium or low priority. The Parish Council’s
current Business Continuity Plan enables the Parish Council to decide which risks it
should pay most attention to when considering what measures to take to manage
them.
3. Risk Prioritisation
An assessment should be undertaken on the impact and likelihood of risks occurring,
with impact and likelihood being graded high, medium and low on our Business
Continuity Plan. This should be reviewed regularly but at least yearly.
4. Risk Control
Risk control is the process of taking action to minimise the likelihood of the risk event
occurring and/or reducing the severity of the consequences should it occur. Typically,
risk control requires the identification and implementation of revised operating
procedures, but in exceptional cases more drastic action will be required to reduce the
risk to an acceptable level.
Risk is unavoidable, and the Parish Council should, where possible, take action to
manage risk to a tolerable level in a way which it can justify. The response to risk,
which is initiated within the organisation, is called ‘internal control’ and may involve one
or more of the following standard responses:
• Tolerate the risk – for risks where the downside is containable with appropriate
contingency plans; for some where the possible controls cannot be justified (eg
because they would be disproportionate); and for unavoidable risks, eg terrorism.
• Treat the risk – a common response which can mean imposing controls so that the
organisation can continue to operate; or setting up prevention techniques.
• Transfer the risk – buying in a service from a specialist external body or taking out
insurance. Some risks cannot be transferred, especially reputational risk.
• Terminate the activity giving rise to the risk – it may be best to stop (or not to start)
activities which involve intolerable risks or those where no response can bring the risk
to a tolerable level.
Areas where there may be scope to use insurance to help manage risk include the
following:
• The protection of physical assets owned by the Parish Council– buildings, furniture,
equipment, etc. (loss or damage).
• The risk of damage to third party property or individuals because of the authority
providing services or amenities to the public (public liability).
• The risk of consequential loss of income or the need to provide essential services
following critical damage, loss or non-performance by a third party (consequential
loss).
• Loss of cash through theft or dishonesty.
• Legal liability because of asset ownership (public liability).
The limited nature of internal resources in the Parish Council sometimes means that we
may buy services in from specialist external bodies. Areas where there may be scope to
work with others to help manage risk include the following:
• Security for vulnerable buildings, amenities or equipment.
• Maintenance for vulnerable buildings, amenities or equipment.
• The provision of services being carried out under agency/partnership agreements
with principal authorities.
• Ad hoc provision of amenities/facilities for events to local community groups.
• Market management.
• Vehicle or equipment lease or hire.
• Professional services (planning, architects, accountancy, payroll design, etc).
5. Risk Monitoring
The risk management process does not finish with putting any risk control procedures in
place. The effectiveness in controlling risk must be monitored and reviewed. It is also
important to assess whether the nature of any risk has changed over time.
The information generated from applying the Business Risk Management Process will
help to ensure that risks can be avoided or minimised in the future. It will also inform
judgements on the nature and extent of insurance cover and the balance to be
reached between self-insurance and external protection.
6. Roles and Responsibilities
Councillors play a key role in leading and monitoring this strategy, including:
• Approval of the Risk Management Policy and Business Continuity Plan.
• Analysis of key risks in current and future projects and services; consideration and, if
appropriate, endorsement of the annual Statement of Internal Control.
• Assessment of risks whilst setting the budget, including any bids for resources to
tackle specific issues.
The Clerk/Responsible Financial Officer supports, advises, and implements policies
approved by Council. In relation to risk management the Clerk/RFO should:
• Provide advice as to the legality of policy and service delivery choices (including
new/revised legislation).
• Provide advice on the implications for service areas of the Parish Council’s
corporate aims and objectives.
• Implement policies and procedures on risk management and internal control.
• Provide advice on any human resource issues relating to strategic policy options or
the risks associated with operational decisions and assist in handling cases of
work-related illness or injury.
• Advise on any health and safety implications of the chosen or proposed
arrangements for service delivery.
• Assess and implement the Parish Council’s insurance requirements and assist in
processing any litigation claims.
• Assess the financial implications of strategic policy options.
• Provide assistance and advice on budgetary planning and control.
• Ensure that the Parish Council’s Financial Regulations and finance administration allow
effective budgetary control; and
• Effectively manage the Parish Council’s investment and loan portfolio where
applicable.
7. Internal Auditor
The Internal Auditor provides an important scrutiny role by carrying out audits to
provide independent assurance to the Parish Council that the necessary risk
management systems are in place and all significant business risks are being managed
effectively. The internal audit process assists the Parish Council in identifying both its
financial and operational risks and assists in developing and implementing proper
arrangements to manage them, including adequate and effective systems of internal
control to reduce or eliminate the likelihood of errors or fraud. Internal audit reports,
and any recommendations contained within, help to shape the Parish Council’s
internal controls.
In addition, the Parish Council should consider the following list of the key systems and
processes they can ask the Internal Auditor to review from time to time as part of its
work:
• proper book-keeping including the cash book
• standing orders and financial regulations
• payment controls
• income controls
• budgetary controls
• payroll controls
• asset control
• bank reconciliations
• year-end procedure
• risk management arrangements
This is not an exhaustive list, so the Parish Council should, if required, agree a specific
programme of work with its Internal Auditor.
The Parish Council notes that it is not part of the Internal Auditor’s responsibility to
review or ‘sign off’ the completed Annual Governance and Accountability Return.
Internal audit report(s) should inform the Parish Council’s responses to Assertions 2 and 6
in the annual governance statement. Internal audit reports should therefore be made
available to support and inform members considering the Parish Council’s approval of
the Annual Governance Statement.
Penkridge Parish Council
Business Risk Assessment
This document has been produced to enable Penkridge Parish Council to assess the risks that it faces and satisfy itself that it has taken adequate steps to
minimise them.
Subject: Assets
Risk Identified:
• Loss/Damage
• Public Liability
Risk Level (H/M/L): L
Management/Control of Risk:
• All assets owned by the Parish Council are regularly reviewed.
• All items of property are covered by insurance.
• Budget provision for replacements and repairs as necessary.
• Regular inspections, maintenance and repairs carried out by the Handyman and reported to the Clerk.
• All repairs/replacements and relevant expenditure are authorised in accordance with Parish Council procedures.
• Incidents including acts of vandalism reported to the police when appropriate.
Review/Assess/Revise: Monthly, Annually & Ongoing

Subject: Land and Open Spaces; Village Benches; Play Areas and Equipment
Risk Identified:
• Loss/Damage
• Inadequate Insurance Cover
• Public Liability
• Personal Injury
• Security of Deeds of Ownership
Risk Level (H/M/L): L
Management/Control of Risk:
• Property damage and Public and Products Liability cover included in the Parish Council insurance policy which is reviewed annually.
• Risks to the public are minimised wherever possible.
• Annual contract in place for maintenance including grass cutting, reviewed annually.
• Weekly inspections of play areas carried out by the Handyman and reported to the Clerk in a weekly report or sooner if necessary.
• Repairs and maintenance work undertaken by the Handyman as required.
• Annual inspections of the play areas undertaken by approved inspectors, who produce a risk assessment report. The work required is carried out on any areas of risk which have been identified.
• Deeds and relevant documents kept in locked cabinet.
• Record of injuries/reported accidents maintained by Clerk.
Review/Assess/Revise: Monthly, Annually & Ongoing

Subject: Administration and Meetings; Minutes, Agendas and Standing Documents
Risk Identified:
• Breach of confidentiality
• Loss of data by theft/unauthorised use or system crash
• Accuracy and legality
• Non-compliance with Statutory requirements or new legislation
• Failure to meet statutory duty for council meetings
• Adequacy of meeting locations, Health & Safety
• Failure to comply with planning consultation deadline
Risk Level (H/M/L): L
Management/Control of Risk:
• Sensitive data is kept under password on computer and in a locked filing cabinet.
• Passwords changed periodically and back-ups made at regular intervals.
• Payroll records also kept as hard copies.
• The Council is registered with the Information Commissioner’s Office under the Data Protection Act.
• Membership of local and national associations maintained.
• All members notified of meeting by summons. Agendas sent to Councillors and displayed on notice boards with 3 clear days’ notice.
• Quorum checked and attendance records kept.
• Minutes of proceedings promptly prepared, approved and signed by the Chair at the next meeting.
• Meeting rooms allow access for all, with appropriate facilities including seating for the Clerk, Members and general public.
• Clerk reports all planning consultations to Council meeting and follows up to meet deadline. Extensions requested if necessary.
Review/Assess/Revise:
• ICO registration renewed annually.
• Monthly, Annually and Ongoing
• Chairman to undertake training if needed.
• Ensure Councillors always adhere to the Code of Conduct.

Subject: Councillors; Register of Members Interests
Risk Identified:
• Conflict of interests
• Failure to maintain registers of interests
• Training
Risk Level (H/M/L): L
Management/Control of Risk:
• All Councillors are aware of statutory responsibilities.
• Declaration of interest is a separate item on each agenda.
• Declaration of Members Interests forms are reviewed annually and sent to the Monitoring Officer.
• All Cllrs accept the Council’s Code of Conduct on election/co-option.
• Each Cllr receives a copy of Council and Financial Standing orders.
• New Cllrs receive a copy of The Good Councillors guide.
• New Cllrs are encouraged to undertake the New Councillors or Roles and Responsibilities course run by SPCA.
• Training also offered to all Cllrs when there is a major legislative change.
Review/Assess/Revise:
• Monthly, Annually and Ongoing
• Ensure Councillors always adhere to the Code of Conduct.

Subject: Finance; Precept, Banking, Cash, PAYE, Pensions, Annual Return, VAT reclaim
Risk Identified:
• Poor financial management
• Inadequate records
• Failure to comply with HMRC regulations
• Failure to ensure proper use of funds under S137
• Incurring expenditure without proper legal authority
• Loss through theft or misappropriation
• Annual return submitted within time limits
• Adequacy of Precept
• Inadequate checks
Risk Level (H/M/L): L
Management/Control of Risk:
• Responsible Financial Officer responsible for management of financial affairs and is fully aware of requirements. Advice sought when required.
• Financial Regulations and Standing Orders, based on NALC guidelines, set out the requirements and are reviewed annually.
• Financial statements subject to internal audit half year and year end.
• Salary paid in accordance with Council regulations. Payroll admin and reporting to HMRC outsourced. PAYE/NI and pension payments handled appropriately.
• Accurate and regular VAT reclaims made.
• Balances in hand reviewed and invested in savings accounts as appropriate. No equity investments.
• Annual budget prepared for Precept based on anticipated income and expenditure and includes projects to be undertaken. Budget approved at Council meeting, compared to actual in monthly financial statement and variances explained.
• Monthly financial statement, including bank reconciliation and expenditure, reviewed and approved at each Council meeting and recorded in minutes.
• All payments supported by invoice or voucher which has been checked by the Clerk. All cheques signed by two Cllrs and counterfoils and invoices initialled. Expenditure separately identified.
• Powers identified before expenditure requested. Statutory limit calculated and not exceeded.
• No petty cash or cash-based transactions. Majority of income by direct credit to the bank. Cheques banked promptly on receipt.
• Fidelity Guarantee insurance and Legal Expenses covered by Parish Council insurance policy.
• Annual Return completed and submitted to the Internal Auditor for checking and signing. Added to the agenda to be approved and signed by the Council and recorded in minutes. Annual Return rechecked and sent to External Auditor within time frame and published as legally required.
Review/Assess/Revise: Monthly, Bi-Annually, Annually and Ongoing

Subject: Financial Controls and Records
Risk Identified:
• Inadequate checks
Risk Level (H/M/L): L
Management/Control of Risk:
• Monthly reconciliations.
• 2 signatures on each cheque, initials on cheque stub and invoice or supporting paperwork to validate the amount being spent.
• All financial commitments must be agreed by the Parish Council at a meeting.
• If the Clerk has made a payment under delegated powers, this is to be reported and approved at the next available Parish Council Meeting.
Review/Assess/Revise: Monthly, Bi-Annually, Annually and Ongoing

Subject: Insurance
Risk Identified:
• Adequacy
• Cost
• Compliance
Risk Level (H/M/L): Adequacy L; Cost L; Compliance L
Management/Control of Risk:
• Current policy fixed for 5-year contract; review to take place prior to renewal.
• Employer and Employee Liability cover is essential.
• Public Liability cover is essential.
• Ensure compliance processes are in place.
Review/Assess/Revise: Review both cover and compliance prior to renewal

Subject: Election costs
Risk Identified:
• Risk of an election
Risk Level (H/M/L): M
Management/Control of Risk:
• Risk is higher in an election year.
• Reserves to cover any additional costs.
Review/Assess/Revise: Reserves to be held up to a maximum of £6,000.00, in case of an election

Subject: Council Liability
Risk Identified:
• Safety and security for lone workers/attacks on personnel
• Poor office conditions and equipment
Risk Level (H/M/L): L
Management/Control of Risk:
• Effective security system in operation: External door to Reception is always locked.
• Visits to the Clerk are by appointment and in the presence of Assistant Clerk or a Councillor when necessary.
• Telephone access always available.
• Appropriate insurance cover held. Personal Accident to Councillors, Clerk and Employees covered by Parish Council insurance policy.
• Office accommodation inspected regularly, and repair/replacement arranged as appropriate.
Review/Assess/Revise: Ongoing

Subject: Employment of Staff – Employers Liability
Risk Identified:
• Failure to comply with Employment Law
Risk Level (H/M/L): L
Management/Control of Risk:
• All employees have contracts of employment.
• Membership of local and national associations maintained.
• Job description clearly defined.
• Regular staff appraisals undertaken, and training encouraged.
Review/Assess/Revise: Ongoing

Subject: Legal Liability
Risk Identified:
• Legality of activities
• Proper and timely reporting via minutes
• Proper document control
Risk Level (H/M/L): Legality of activities M; Proper and timely reporting via minutes L; Proper document control L
Management/Control of Risk:
• The Clerk clarifies legal position and takes advice when needed.
• The Council receives and agrees the minutes at monthly meetings.
• Document retention/destruction Policy in place.
Review/Assess/Revise: Ongoing

Subject: Newsletters and Website
Risk Identified:
• Failure to meet statutory requirement re non-political content
• Non-compliance with Freedom of Information Act
• Defamation, libel and slander
• Inadequate control of website
• Failure to deliver
• Failure to collect income
Risk Level (H/M/L): L
Management/Control of Risk:
• Ensure all contributors are aware of requirement.
• Editors check content for compliance.
• Clerk reviews regularly and is aware of what is appropriate content.
• Insurance cover in place.
• Website updated as required. Annual maintenance contract with designer.
• Editor monitors distributors and verifies invoices.
• Advertisers’ details passed promptly to Clerk.
• Invoices raised and payment chased.
Review/Assess/Revise: Ongoing

Subject: Council Records & GDPR
Risk Identified:
• Loss through theft, damage, fire or corruption of computers
• Personal Data Breach
Risk Level (H/M/L): Loss through theft, damage, fire or corruption of computers M; Personal Data Breach M
Management/Control of Risk:
• The Parish Council holds records on computer and paper.
• Back up files are kept on USB sticks.
• A retention/destruction policy is in place.
• Council staff redact personal and data protected information prior to circulation where appropriate.
Review/Assess/Revise: Ongoing