Risk Management

Comptroller and Auditor General Risk Management

07 September 2017

R.107/2017

Introduction

1. All organisations face risks to delivery of their objectives. Processes to identify, assess, prioritise and manage risk are fundamentally important in achieving organisational goals. But those processes will not and cannot be expected to eliminate risk. Corporate risk management processes focus on reducing, mitigating or otherwise managing the uncertainties faced in delivering strategic and key operational objectives, taking into account the extent to which an organisation tolerates risk.
2. Effective risk management includes processes at both corporate and departmental levels and is of increased importance in a period of change. The States are reforming the way in which services are delivered, for example through the adoption of eGovernment (eGov). Individual departments are planning significant change in the way they provide services. For example, the Health and Social Services Department is implementing the White Paper Caring for each other, caring for ourselves' and the Department of Infrastructure is changing its service delivery model.
3. The States used the services of Marsh Risk Consulting (Marsh), a global insurance broker and risk management firm, to provide initial support in developing its Enterprise Risk Management (ERM)[1] framework. Subsequently the Chief Executive asked the Chief of Police to assume leadership of risk management for the Corporate Management Board (CMB).

Objectives and scope

4. The review considers:

• the effectiveness of corporate arrangements for managing risk. This includes arrangements for escalation of risks from departments and other bodies where their accounts are consolidated in the financial statements of the States;
• the effectiveness and embeddedness of arrangements for risk management within departments; and
• areas where improvements can be made including the scope for achieving efficiencies.  

5. The review does not include risk management relating to:

• Strategic investments, the results of which are excluded from the States' accounts (Jersey Telecom, Jersey Post, Jersey Water and Jersey Electricity). However, corporate entities whose financial performance is included within the financial statements of the States (Andium Homes, Ports of Jersey and the States of Jersey Development Company) fall within the scope of this review; and

• the States' pension funds (Public Employees' Pension Fund (PEPF) and Jersey Teachers' Superannuation Fund (JTSF)).

6. The review does not extend to evaluating:

• the work undertaken by Marsh;
• the management and mitigation of investment risk (for example those relating to the Strategic Reserve and the Social Security (Reserve) Fund); and
• the detailed arrangements for the use of insurance, including self- insurance, to mitigate risk.

Background

7. In 2014, the States commissioned Marsh Risk Consulting (Marsh) to carry out an independent review of risk management. The objectives of this review included:

• providing CMB with a formal and demonstrable approach to managing risk;
• identifying and analysing the States' top risks; and
• supporting knowledge transfer.

8. The output from the review provided the following five key observations on risk management in the States at the time:

1. Some evidence of best practice in departments. However, limited alignment of risk management activities was evident and processes were inconsistent within departments.
2. Existing processes did not fit within a formalised risk management framework.
3. The corporate risk appetite had not been defined.
4. As no formal corporate risk management roles had been established, stakeholder responsibilities for risk management had been informally established within most departments.
5. Corporate ownership for risk management was uncertain.

9. The Marsh report applied a maturity model to the States' risk management arrangements and identified substantial scope for improvement (see Exhibit 1). Management responded by instituting a programme of work designed to improve risk management across the States.

Exhibit 1: Risk management maturity status - October 2014

Source: Report by Marsh to States of Jersey, 2014

10. Over the last two years I have also reported weaknesses in risk management across the States (see Exhibit 2).

Exhibit 2: Examples where concerns about risk management arrangements have been noted in previous reports

Review  Concern

Arm's Length  The States had not established overarching principles to drive Organisations  governance arrangements for ALOs.

(ALOs)  The mechanisms by which ALOs are held to account for

July 2017  performance was not prescribed.

There was therefore an increased unmitigated risk that organisations are funded where their work or mechanisms for service delivery no longer best promoted the States' objectives.

Jersey  There was an underdeveloped approach to risk management: Innovation Fund  Treasury and Resources was not sufficiently and actively

January 2017  involved from the outset of the project in establishing robust

arrangements to mitigate risks;

• the overall risk appetite was not clearly articulated in the Terms of Reference;
• there was no risk register for the Fund as a whole; and

• the assessment of risk in the risk registers for individual projects was at times unrealistic and not an effective tool of management.

Follow-up of the  The Health and Social Services Department (HSSD) could not review of  demonstrate, or be confident, that risks identified in my initial report Private Patient  had been adequately responded to. For example, in developing a Income  new Policy on Private Patients, HSSD had not established a February 2017  monitoring process to ensure the Policy mitigated identified risks as

intended.

Use of  In the sample of consultancy projects reviewed, only 60% included a Consultants  project management framework setting out responsibilities and October 2016  accountabilities, how risks would be managed and arrangements for

dealing with operational issues.

Management  The Education Department had not established criteria for routine Information in  and exception reporting of performance and risk or mechanisms for Education  reporting to CMB as appropriate.

September  Arrangements for collation and communication of management 2016  information were underdeveloped. A template to show strategic

progress against Business Plan objectives, bringing together an evaluation of progress against objectives and an assessment of risk to delivery, lacked hard data.

eGovernment  Weaknesses in the operation of the risk log indicated a lack of active May 2016  management of eGov risks. For example:

• there was insufficient evidence to demonstrate why some risks had been closed'; and
• thresholds within which to tolerate' risks had not been set out.

The absence of an agreed eGov strategy and objectives meant that decisions to fund individual projects were taken on an ad hoc basis. As a result, the States could not demonstrate how funded project activity reduced the risk to delivery of the programme as a whole.

Information  In the context of new threats to data and information when held in Security  digital format, the States had not yet:

June 2015  completed detailed corporate and departmental information

security risk assessments against international standards; or

• ensured the availability of adequate qualified security resources to assess and address security risks, including those arising from the eGov programme.

Approach

11. This review assesses the States' risk management arrangements three years after the Marsh report. In addressing the objectives, I have considered the components that typically demonstrate effective and mature risk management in four areas (see Exhibit 3).

Exhibit 3: Elements of effective risk management

Effective Leadership and  identification, strategy  classification

and mitigation

Regular Oversight and  monitoring and

governance  reporting

Risk Management

12. In undertaking my review, I focussed on a number of corporate areas and a sample of departments (see Exhibit 4).

Exhibit 4: Areas of focus for my review

Oversight and governance

1. The best performing organisations have strong arrangements for the oversight and governance of risk management activities. My work focusses on these areas (see Exhibit 5).

Exhibit 5: Oversight and governance: areas of focus

Are there effective arrangements consistently applied for the oversight of risk management activities at Audit Committee level?

Are there appropriate arrangements consistently applied for the governance of risk management activities?

Are there effective arrangements consistently applied for the oversight of risk management activities at Audit Committee level?

2. In high performing organisations Audit Committees or similar bodies provide a valuable oversight of risk management activities with responsibilities appropriately reflected in their terms of reference and a clear programme of work to discharge their responsibilities. In many cases this important remit is reflected through the adoption of the title Audit and Risk Committee'.
3. The States' Audit Committee has specific responsibilities for:

• reviewing and challenging the States' risk management policies and procedures to ensure that they reflect best practice tailored to Jersey and to receive assurance that they are embedded across the States; and
• reviewing the Corporate Risk Register at least annually and when significant changes and concerns arise, considering whether risks have been properly addressed.

4. The Committee also has the power to request the attendance of relevant officers to provide presentations on corporate risks for which they are responsible, such as those relating to Information Technology (IT), major capital projects and human resources matters.
5. In my view these terms of reference are appropriate, focussing on overall arrangements for risk management and the management and mitigation of corporate risks. To establish how the Audit Committee has discharged its responsibilities, I have reviewed work undertaken over a 12-month period (see Exhibit 6).

Exhibit 6: work of the Audit Committee on risk management July 2016 - June 2017

6. The increasing focus of the Audit Committee on risk is welcome. However, although the Audit Committee has undertaken a significant volume of work related to risk:

• the work on review and challenge of risk management policies and procedures has been limited. It has not extended to evaluating whether they reflect best practice or whether they are embedded; and
• when it receives reports on specific risk areas, those reports do not clearly analyse and recommend a consideration of the risk and mitigation recorded in the Corporate Risk Register. As a result, it is harder for the Committee to demonstrate that it has evaluated the effectiveness of the management of those risks as required by its Terms of Reference.

Recommendation

R1  Strengthen the mechanisms by which the Audit Committee discharges its

responsibilities for risk management, including by:

• increasing the review and challenge of the design and operation of risk management polices and procedures; and
• directly linking the review of specific risk areas to the contents of the Corporate Risk Register.

Are there appropriate arrangements consistently applied for the governance of risk management activities?

7. Effective risk management at corporate level requires clear allocation of responsibilities with established reporting lines between groups, consistently applied.

8. At corporate level the States allocate responsibilities for risk management to three groups (see Exhibit 7).

Exhibit 7: Corporate responsibilities for risk management

9. Although the emphasis on corporate and departmental risk management is welcome, there is scope for improving the Terms of Reference:

• the responsibilities of CMB have not been updated to reflect the establishment of the CMB Risk Management Sub-Group;
• the responsibilities of the CMB Risk Management Sub-Group are very wide-ranging and in areas confusing or ambiguous. It is not clear in what areas the Sub-Group is responsible for advising CMB and in what areas it has delegated power to act. There are many duties placed on the Sub-Group to review without being clear as to the outcome of the review. The Sub-Group is given responsibilities for establishing an assurance framework in apparent isolation from wider assurance frameworks relating to internal control; and
• the responsibilities of DRMG are operational but there are ambiguities about its role. In particular, in relation to escalation of issues, there is reference to both CMB and the CMB Risk Management Sub-Group but no reference to the duties of individual Accounting Officers. There is no clear statement on what the Group is expected to report routinely to either CMB or the CMB Risk Management Sub-Group.

10. I make further comments on the Terms of Reference for the CMB Risk Management Sub-Group and DRMG later in this report.
11. I have reviewed relevant minutes to consider how the three groups discharged their responsibilities in practice. My analysis shows that compliance with their Terms of Reference has varied substantially between the different groups:

• the minutes record that CMB explicitly considered risk management six times in the period January 2015 to February 2017, a period that covered the development and roll-out of new arrangements for risk management. In addition to the Chief of Police, another representative of the CMB Risk Management Sub-Group usually attended CMB when it considered risk management. The minutes reflect an increasing focus on the content of the Corporate Risk Register. Although they record some limited consideration of wider aspects of risk management, they do not show an explicit focus on the effectiveness of arrangements across departments;
• the minutes of the CMB Risk Management Sub-Group reflect concentration on the development and maintenance of the Corporate Risk Register. From my review of the minutes I did not identify explicit consideration of many of the wider responsibilities of the Sub-Group. It did not prepare the required report to CMB on the adequacy of arrangements for the management of risk (see Exhibit 8); and
• the minutes of DRMG demonstrate that it discharged the responsibilities assigned to it (see Exhibit 9).

Exhibit 8: Work of the CMB Risk Management Sub-Group January 2015 - February 2017

Exhibit 9: Work of DRMG December 2015 - May 2017

12. I understand that a review of the Terms of Reference of the various groups involved in risk management is due to begin in the Autumn.

R2 Prioritise the completion of the review of the Terms of Reference of CMB,

the CMB Risk Management Sub-Group and DRMG to:

• resolve confusion and ambiguity;
• clearly specify risk management reporting responsibilities; and
• place an explicit duty on CMB and groups' to satisfy themselves that any groups responsible to them for risk management activities discharge their responsibilities.

Leadership and strategy

1. My work has focussed on three specific questions (see Exhibit 10).

Exhibit 10: Leadership and strategy: areas of focus

Is there a risk management strategy and guidance for staff?

Do senior managers give a visible lead in promoting risk management?

Is risk management fully embedded in business processes?

Is there a risk management strategy and guidance for staff?

2. Effective risk management in organisations starts with a clear strategy supported by appropriate guidance and review mechanisms.
3. The States are in a period of change. In 2014, the risk management framework comprised:

• Financial Direction (FD) 2.7 that provided a high-level framework for risk management together with supporting guidance; and
• various Departmental strategies and policies.

4. However, following the Marsh review, the States recognised that a strengthened corporate framework was required. In September 2016, the Chief Executive issued a Code of Practice for Risk Management, as one of the new statutory Employment Codes of Practice. This was developed by DRMG.
5. The stated aims of the Code are:

• to promote a consistent and comprehensive approach to risk management;
• to promote an innovative, less risk averse culture that encourages the pursuit of opportunities as well as the management of risks;
• to provide a sound basis for integrating risk management into decision making; and
• to embed risk management as a component of excellent corporate governance and management practices.

6. The Code applies to all employees of the States and requires that mechanisms are in place within all departments to:

• identify and evaluate risks;
• record and monitor risks using a suitable risk management information system or risk register;
• document and assess strengths and mitigating actions, including controls;
• identify suitable responses to risk;
• provide assurances that risks are regularly reviewed and action points carried out in a timely manner;
• identify any third-party vendors and services that are in scope of risk management activities and establish appropriate monitoring and control requirements where necessary;
• ensure the effectiveness of risk policies;
• provide training and awareness on risk management;
• record and review near misses as part of the risk management process; and
• document and regularly review the risk management strategy.

7. Steps were taken to ensure that Accounting Officers were aware of and understood the provisions of the new Code:
   1. the Chief Executive issued the Code, along with 12 other Employment Codes of Practice, under cover of an explanatory letter;
   2. presentational materials about the Codes, including material developed by DRMG, were available for use in departmental Senior Management Team (SMT) meetings in November and December 2016; and
   3. the Codes were published on the MyStates website in December 2016.

9. The States' Wellbeing and Employment Relations function had planned to:
   1. roll-out an e-learning course on the new Codes of Practice; and
   2. ensure that SMT members had completed it by the end of February 2017.

However, while the course was developed, issues with resources and the lack of a common e-learning platform across the States resulted in the planned e-learning course being abandoned.

9. I welcome the development of the Code. I recognise that the Code was issued under the Employment of States of Jersey Employees (Jersey) Law 2005 and does not therefore extend to all bodies within the States' accounting boundary', including the Jersey Overseas Aid Commission, Andium Homes, Ports of Jersey and the States of Jersey Development Company. In consequence, there is an increased risk that risks relating to these entities are not appropriately identified, evaluated, mitigated, managed and escalated.

10. The States plan to support the Code with Risk Management Guidance that will allow the withdrawal of FD 2.7. The Guidance is currently being developed by DRMG. Using members of DRMG to develop the Guidance allows existing good practice to be harnessed.
11. The final draft' sets out examples of good practice in identifying, assessing, documenting and reporting risks, aiming to consolidate the approach across departments. However, despite its description as guidance', it highlights mandatory requirements and key responsibilities, including that:

• Accounting Officers are personally accountable for managing the risks to effective service delivery and the achievement of business objectives within their department. A framework of senior level delegation is essential if risk management is to be effective;
• each department has a risk management strategy and shows how risk management has been embedded into its plans;
• each department maintains a risk register; and
• whatever structure is adopted to allocate responsibilities for risk management, a mechanism is in place for reporting risks to the Chief Officer or Accounting Officer.

12. I am concerned that:

• unless there is clarity about the respective roles of the Risk Management Code and supporting Guidance, there is an enhanced risk that mandatory requirements are not properly understood and complied with;
• there is a risk that consistent States-wide adoption of a new corporate framework will be compromised if the Guidance is not made available and rolled out effectively as a matter of urgency;
• the draft Guidance focuses on how to identify, evaluate, mitigate and record risks; it currently lacks good examples of using risk management to inform strategic decisions; and
• there are no developed plans to capture feedback and learning once the Guidance is launched, to identify barriers to embedding risk management in the day to day running of the States' business.

13. Prior to the development of the Code of Practice and draft Guidance, there were departmental arrangements, with more fully developed written strategies and policies found in HSSD, Social Security and Community and Constitutional Affairs. I have evaluated the variation in arrangements in four departments against some of the key elements of the Code and draft Guidance. I welcome the effective action taken by some departments but am concerned that in other areas progress has been slower and that, in one case, arrangements appear inconsistent with the corporate framework. Exhibit 11 compares progress between the four departments, recognising that some progress is recent and further progress is planned. The use of a different risk evaluation approach in ISD impedes effective comparison of risks and responses across the States. The Chief Executive is currently reviewing the approach adopted by ISD to ensure that corporate arrangements for risk management are not compromised.

Exhibit 11: Comparison of a sample of departmental arrangements Established  In progress  Recognised  Not addressed Health and Social Services Department

Risk Management  Updated reporting  The need to be Strategy (2011) and  framework to provide  more consistent Policy and Procedures  more objective  about how project' (2014) consistent with  assurance that risks  risks are managed the Code and draft  are being managed,  as part of the Guidance  including information  departmental risk Integrated Governance  about:  register.

Committee supports  the direction of

production of a Board  travel of risk

Assurance Framework  scores;

covering clinical and

non-clinical risks.  review dates; and

Integrated Report  risk appetite.

recording progress  Improved assurance

against Business Plan  about the

objectives and notes  effectiveness of

risks to delivery and  controls in place to

mitigating actions.  mitigate risks.

Economic Development, Tourism, Sport and Culture Department

Improved  Cascading the new  Need to do more to  arrangements for  risk register template  ensure risk  managing the strategic  throughout the  management and  risk register:  department so that all  learning from risks  

• feeder' registers can  are joined up,  

  focussing on key  be aligned.  including through  

risks only, reducing  capturing patterns  number from 60 to  and trends of  

11;  incidents and near  

• identifying  misses'.  escalation  

arrangements for  

each risk; and  

• defining levels of  'risk appetite' and  tolerance levels for  each risk.  

Established  In progress  Recognised  Not addressed Education Department

The department has  Facilitated by

well established  upgrades to the arrangements for  Management managing:  Information System

• strategic risk  used in the department, schools

through the  and colleges: Corporate Risk

Register taken to  action to ensure SMT;  that risk

• project risk, through  management is

a standardised  integral to

project  decisions on management  delivering recording and  Business Plan reporting process;  objectives,

and  including by

• health, safety and  setting a risk wellbeing risk  appetite; and through the  in schools and facilities  colleges, management  assimilation of function.  Code

requirements in other policies and procedures e.g. the Health and Safety, Wellbeing Codes of Practice.

Information Services Department (within Chief Minister's Department)

Draft Risk  Need to develop  A six-level risk Management Policy  the risk  evaluation matrix was dated February 2017  management role  used as opposed to that does not reflect  of the Portfolio  the corporate five-

the requirements of  Office that took on  level matrix.

the new Code.  the responsibility

Draft Risk  from the previous  Aexllpressed inrisks are financial

Project

Management Strategy  Management  tbroadeerms rather cater gthaornies in tGhauitdarencefers. to the Draft  Office.   the draft Guidance.

Management has subsequently agreed to move to the corporate risk evaluation model.

Source: Audit review of arrangements in four departments up to June 2017

R3 Review the contents of the Code and associated Guidance so that the

Code contains all mandatory requirements and that the role of the Guidance is to support States officers in complying with the requirements of the Code.

R4 Develop and implement a plan for effective roll-out of the new Guidance

once finalised to ensure:

• a consistent understanding by all staff involved in risk management activities across the States; and
• that there is an active process to capture feedback and learning once the Guidance is launched, to identify barriers to embedding risk management in the day to day running of the States' business.

R5 Adopt a timetable for review, updating and adoption of departmental

arrangements to ensure consistency with the Code and Guidance.

Do senior managers give a visible lead in promoting risk management?

14. Visible leadership from senior managers is central to embedding risk management within the States.
15. The Marsh report criticised the States for uncertain corporate ownership and the absence of corporate roles and responsibilities for risk management.
16. The Chief Executive appointed the former Chief of Police as CMB's lead officer for risk management. Since then the States have responded by defining roles and responsibilities for risk management at political and management levels (see Exhibit 12).

Exhibit 12: States of Jersey Risk Framework

Source: States of Jersey

17. Specific steps taken are:

• review of the Corporate Risk Register by the Audit Committee;
• establishment of the CMB Risk Management Sub-Group to undertake detailed work on corporate risk management, chaired by the former Chief of Police until he retired and now by the Head of Public Sector Reform supported by the Interim Chief of Police;
• formalisation of linkages between corporate risk management and emergency planning;
• establishment of an Emergency Planning Board Risk Assessment Group led by the Deputy Chief Fire Officer charged with maintaining a Community Risk Register of island-wide risks in parallel with the Corporate Risk Register;
• establishment of DRMG, chaired by the Chief Fire Officer, that developed the Code of Practice and draft Guidance referred to above. DRMG includes representatives of key corporate functions, including Human Resources and ISD; and
• integration of Business Continuity Management into corporate risk management arrangements: the remit of the previous DRMG was recently widened and the States' Business Continuity Manager is a member of the new Departmental Risk Management and Business Continuity Group.

18. However, non-ministerial departments are not represented on DRMG. Whilst they have access to resources developed by DRMG, there are no formal mechanisms for peer support, or indeed peer pressure, and therefore an enhanced risk that risk management arrangements are not as effectively developed in non-ministerial departments. The Chair of DRMG is seeking to develop ways of engaging non-ministerial departments without expanding DRMG to an unmanageable size.
19. There is evidence that the corporate leadership onrisk management has had an impact. Although the profile accorded to risk management varied between the departments reviewed, in all cases risk was subject to discussion by Senior Management Teams.
20. The Chief Executive recognises both the progress made and the challenges that remain. He is confident that the leadership of CMB and the specific leadership role assumed by the Head of Public Sector Reform will facilitate the ongoing drive to embed risk management across the States at corporate and departmental level.

Recommendation

R6 Establish enhanced arrangements, including peer support where

appropriate, to engage and support non-ministerial departments in complying with the corporate approach to risk management.

Is risk management fully embedded in business processes?

21. Effective organisations integrate risk management with business planning procedures rather than regarding it as a one-off or annual operational activity.
22. My review of Financial Management (April 2015) concluded that there was a lack of effective integration of two components of planning - financial planning and business planning - throughout the States. In the case of risk management, I identified similar weaknesses in integration into wider business planning but also recognise improvements since the Marsh report:

• the (draft) Guidance focuses on basing risk identification on business objectives and monitoring it alongside business performance management; and
• at a corporate level, strategic risks are now appropriately assigned to the States' strategic objectives.

23. At a departmental level, embeddedness is variable, ranging from embedded to absent. In Exhibit 13, I consider the links between risk management and published business plans. Although I would not anticipate full details of risk registers to be published routinely, I would anticipate consistency between risk registers and details of risks contained in business plans.

Exhibit 13: Links between risk management and department plans

Recommendation

R7 Ensure that all departments integrate risk management into wider business

planning processes, including published business plans.

Risk identification, classification and action

1. My work has focussed on four specific questions (see Exhibit 14).

Exhibit 14: Risk identification, classification and action: areas of focus

Is risk management applied to all business areas?

Are staff provided with appropriate training to ensure they are equipped to support risk management?

Is a systematic approach used to identify and evaluate risks?

Is action taken to mitigate each risk properly considered and recorded?

Is risk management applied to all business areas?

2. It is important that risk management covers all activities within an organisation and is a top-down process driven by corporate and departmental objectives. High performing organisations maintain and update corporate and departmental risk registers to ensure that risks are captured and mitigating actions remain relevant and effective.
3. I have reviewed both the Community and Corporate Risk Registers and a sample of departmental risk registers.
4. Both the Corporate and Community Risk Registers are comprehensive and maintained up-to-date. There are established processes for adding, re- evaluating and removing risks.
5. At departmental level, the picture is less consistent. Whilst two departments identified in 2015 not to have risk registers have now established them:

• the linkage between business planning and risk assessment is inconsistent across departments; and
• the frequency of review of risk registers is variable. Of the departments reviewed only Social Security, Health and Social Services, Education and Community and Constitutional Affairs rigorously reviewed and updated their risk registers at least quarterly.

6. Even where strong arrangements for risk management have been established in a department, there are risks that they are not consistently applied. This can have important financial and service delivery consequences (see Case Study 1).

Case Study 1

In my Review of Community and Social Services published in December 2015, I reported that HSSD's System Redesign and Delivery Directorate had demonstrated effective risk identification and evaluation:

• the development of the White Paper Caring for each other, Caring for ourselves' was based on a substantial review of current service provision and anticipated future needs and the risks of doing nothing; and
• a well-established risks and issues log was updated for quarterly discussions at the Transition Plan Steering Group. The log was supported by processes for scaling, scoring and escalating risks that informed the implementation of the delivery plans.

However, I also reported that:

• the initial assessment of the potential impact of the introduction of the States' Long-Term Care Scheme was weak, leading to unanticipated volumes of referrals and consequent strains on the system; and
• for the Community and Social Services Department's activities as a whole there was no consistent, effective approach to risk identification and evaluation in place.

In due course, I will be reviewing how actions since my report was published have delivered planned improvements.

7. But good risk management arrangements at departmental level, operating as intended, will not automatically lead to effective risk management for the States as a whole. There also need to be good arrangements for escalation of risks from departmental risk registers to the Corporate Risk Register where appropriate. Currently Accounting Officers are expected to escalate risks via CMB. Both the existing Financial Direction and the draft Guidance include that:

Any serious threats to achievement of objectives should be brought to the attention of the CMB (through another accounting officer if appropriate where a service is not represented directly at CMB).

8. However:

• there is no definition of serious threats';
• inconsistencies in identification or understanding of risk appetite and evaluation of risk between departments mean that risks that should be escalated may not be;

• arrangements for escalation of risks by Accounting Officers for non- ministerial departments who do not attend CMB are insufficiently formal; and
• some departments expressed the view that risks could usefully be escalated to CMB before they become a serious threat', for information and discussion, and to enable sharing with other departments.

9. In May 2017, DRMG agreed that its Chairman, the Chief Fire Officer, would act as a check and balance' to test the process for sharing and escalating risks via CMB and also to feed back to DRMG corporate risks which should feature in departmental risk registers.
10. The Corporate Risk Register relates to the States' comprising ministerial and non-ministerial departments. There is no direct reflection of risks relating to:

• other entities whose financial performance is consolidated in the financial statements of the States: Andium Homes, Ports of Jersey and the States of Jersey Development Company; or
• other entities controlled by the States: Jersey Telecom, Jersey Water, Jersey Post and Jersey Electricity.

11. However, the States are exposed to both financial and reputational risks associated with these entities. Given the scale of activities of these bodies, and the risk profiles associated with some of them, I would have expected that such risks would be captured either directly or through the shareholder function within Treasury and Resources. However, no risks in respect of the entities as a group or individually are reflected in the Treasury and Resources departmental risk register.

Recommendations

R8 Undertake a comparative review of the content of all departmental risk

registers and the rigour and frequency of their review.

R9 Strengthen risk escalation arrangements, including for non-ministerial

departments.

R10 Ensure that risks associated with entities controlled by the States are

reflected in the Corporate Risk Register and Treasury and Resources departmental risk register as appropriate.

Are staff provided with appropriate training to ensure they are equipped to support risk management?

12. Staff in all areas of an organisation should be provided with training, appropriate to their role, to ensure that they are equipped to support risk management. Effective training challenges existing views and helps staff to see risk management as:

• an enabler, not an overhead;
• Business as Usual', not someone else's job; and
• an integral part of continuous planning and service improvement.

13. Effective training is particularly important outside the departments (such as Infrastructure and Education) that have wide experience of risk management relating to collaborative projects with other agencies.
14. The States have previously used a specialist external trainer to deliver a risk management training workshop that was well received.
15. Moreover, training is best undertaken not only in response to individual initiatives but driven by a relevant competency framework and as part of an integrated training programme. However:

• currently the corporate training programme does not include any aspects of risk management training other than risk assessment associated with health and safety training; and
• although there are references to risk management in the new leadership programme, it is not explicitly referred to in the Modern Manager Training modules.

16. At a departmental level, there have been some good initiatives. For example:

• HSSD's Risk Management Policy requires all staff to understand and use the Datix Risk Management System within their service area. Training to enable this is part of all staff members' induction programmes; and
• in the Education Department, training has been an integral part of a wider focus on risk management (see Case Study 2).

Case Study 2

The Education Department's focus on risk management support and training has included the needs and responsibilities of staff in schools and colleges.

The Department's 2017 Business Plan includes ensuring excellent governance standards are adopted in schools and facilities'. To support this, risk assessment protocols have been or are being developed in areas such as:

• health and safety and wellbeing;
• information security and records management; and
• online safety.

The aim is to ensure both the physical and information security of staff, students and the public. This is supported by a programme of training, audit and inspection to improve compliance with risk management arrangements.

In the last three years, significant progress has been made in how staff in schools and colleges play a part in assessing and managing risk. Training has been expanded to include new staff groups. Online systems have helped move the process from a tick box' and reactive exercise to much more proactive approach - for example in logging incidents and near misses' so that learning is shared. This information is used as part of a Department Key Performance Indicator.

In the last year, the Department has extended risk management internal compliance inspections to the Youth Service and Library Services. Private schools are also given access to risk assessment and audit protocols.

Results from audit and inspection are used to create a school risk profile and this is summarised in a league table'. This is the basis for the Department's future risk management workplan; a key focus for 2017 is improving Business Continuity Management.

Recommendations

R11  Prioritise development of a common e-learning platform across the States

to facilitate effective roll-out of corporate training.

R12  Update the competency framework and corporate training programme to

reflect risk management skills as part of the wider cultural change programme within Public Sector Reform.

R13  Develop mechanisms to capture and share experience of departmental

training initiatives across the States.

Is a systematic approach used to identify and evaluate risks?

17. Good practice in identifying and evaluating risks is typically characterised by use of a consistent set of criteria to assess risks including financial impact, service quality and reputation.
18. The draft Guidance provides for a systematic approach to identification and evaluation of risk, using:

• an illustration of the categories into which risks fall, for example, political risk, reputational risk and financial risk; and
• a standard 5x5 scoring matrix that attributes a risk score based on likelihood and impact (see Exhibit 15).

However, the approach is not reflected in the Code and is not therefore mandatory. This impedes effective aggregation and escalation of risks.

Exhibit 15: Risk evaluation matrix

Impact  Minor  Moderate  Significant  Serious  Major Likelihood  1  2  3  4  5

Very likely 5

Likely 4

Possible 3

Unlikely 2

Very unlikely

1

19. The Guidance includes a practical example of risk identification and standard templates for risk registers are available to departments.
20. The existence of a standardised approach to risk assessment does not automatically secure consistent application. There are established mechanisms for maintenance of the Corporate and Community Risk Registers, but:

• there is no explicit process for structured CMD review of the corporate register, including in light of changes in risk appetite and tolerance and wider learning;

• there is significant variability in the form and content of departmental risk registers (see Exhibit 16); and
• there is significant variability in the assessment of essentially the same risk in departmental risk registers. Whilst such variability may be justified, there is no established corporate mechanism for reviewing and validating such variations (Exhibit 17).

Exhibit 16: Examples of practice identified in departmental risk registers

Exhibit 17: Variation in risk assessment related to budget pressures Department  Detailed risk (summarised)  Impact  Likeli- Total

hood Community and  Insufficient revenue funding  4  4  16

Constitutional  limits the ability to deliver

Affairs  services.

Education  Inadequate resource  4  4  16

allocation may curtail the

organisation from achieving

objectives.

Environment  Corporate requirement for  4  2  8

budget reductions.

Probation and  Unreasonable cuts to cash  5  1  5 After Care  limit.

Chief Minister's  Cannot deliver needs of  4  4  16

organisation due to restricted

budget and resources.

Recommendation

R14  Undertake a programme of peer review of departmental risk registers to

promote consistency of approach and challenge risk identification, evaluation, mitigation and reporting.

Is action taken to mitigate each risk properly considered and recorded?

21. Once risks are identified, it is important that action taken to mitigate each risk is properly considered and recorded.
22. Each risk register reviewed includes actions to be taken to mitigate the risks. But the clarity of expression of mitigation varies between risk registers. On the one hand:

• the Corporate Risk Register contains detailed actions in response to risks; and
• the Community Risk Register includes prioritised proactive and reactive actions in hand or proposed.

On the other hand:

• the approach to establishing and recording actions to mitigate risk as set out in the draft Guidance is powerful but not yet fully applied. The recommended approach includes:

• categorising the response (tolerate, threat, transfer or terminate);

• evaluating the impact of mitigating actions on either the likelihood of risk, the impact of risk or both; and
• identifying the target impact of and timeframe for action.

• in most departmental risk registers, there is scope for improvement in specifying the actions to mitigate risks. For example:

• those for Probation and Aftercare are very brief and lack clarity. For example, for the risk Adverse Findings' which is a red risk, the mitigation is Policy; standards; supervision'; and
• several actions in the Department of the Environment risk register are insufficiently specific, particularly in relation to high category risks. For example, Unplanned infrastructure failure' is identified as a high risk and the mitigation response lacks detail beyond monitor infrastructure'.

23. The findings of this review echo those of previous reviews where I identified inadequate action or description of action in response to identified risks (see Exhibit 18).

Exhibit 18: Examples of weaknesses in risk mitigation from previous reports Date and review  Issue reported  Weakness

December 2015  Key recommendations on  Identified risks were, by Review of  Children's Services made  default, tolerated but no early Community and  following an external review in  warning' indicators were Social Services  2008 were not implemented on  established to monitor the

budgetary grounds.  consequences of inaction.

May 2016  The risk register included:  The mitigation does not Review of  Unable to recruit cost-effective  address the cost element of eGovernment  project managers and analysts;  the recorded risk.

increased costs, project delays.

Recorded mitigation: Can be covered by an extended Professional Services contract (more costly).

January 2017  There was no requirement for a  Risk and risk management Review of the  risk register covering the  were not viewed holistically Jersey Innovation  operations of the Fund rather  and lessons from one loan Fund  than individual loans.  were not applied to others.

24. Earlier in this report I have made a recommendation for peer review of risk registers that could assist in identifying and appropriately describing risk mitigation action.  

Monitoring, reporting and review

1. My work has focussed on two specific questions (see Exhibit 19).

Exhibit 19: Monitoring, reporting and review: areas of focus

Are key risks and mitigating actions monitored and reported throughout the year?

Is the risk management process subject to review?

Are key risks and mitigating actions monitored and reported throughout the year?

2. Risk management is an ongoing process. The best performing organisations ensure that risks and mitigating actions are monitored and reported to stakeholders throughout the year.
3. Since the publication of the Marsh report there have been significant developments in the reporting of risk. The framework detailed in Exhibit 7 above now includes:

• quarterly reporting of the Corporate Risk Register to CMB;
• provision of summary risk map showing risks by category and direction or travel to the Council of Ministers;
• reporting of the Community Risk Register to the Emergency Planning Board and the Emergencies Council every six months;
• reporting on business continuity to CMB quarterly;
• reporting on departmental risks annually via the Accounting Officers' Annual Governance Statements that are subject to review by the Chief Internal Auditor.

4. The CMB Risk Management Sub-Group is actively managing the Corporate Risk Register and reporting to CMB and the Council of Ministers:

• changes to key risks are discussed by considering any movement in risk appetite, likelihood, impact and mitigating action; and
• there is evidence that new risks escalated from departments are considered.

However, there is less focus on learning by DRMG, especially through the evaluation of the effectiveness or otherwise of mitigating actions.

5. The Chief Minister's Department has implemented a web-based system - Perform - to enable high level monitoring and reporting of the projects which constitute the Public Sector Reform programme, within the Corporate Change Portfolio. This enables a corporate view of projects, including the ability to present the risk profile of parts of the programme in a dashboard. It has taken some time to implement the Perform system across all parts of the Public Sector Reform programme. Its use in reporting and managing risk is developing.
6. At departmental level, there are examples of well-established monitoring and reporting processes (see Exhibit 20). However, reporting of risks to ministers is less embedded with reporting of risks and actiononan ad hoc basis.

Exhibit 20: Departmental risk reporting

Department  Strengths  Areas for development

Health and Social  Detailed monitoring and reporting Services  structure including review by a Risk

Register Governance Group which reports to the SMT through the Integrated Governance Committee.

Social Security  Routine consideration by the SMT

with a quarterly meeting dedicated to risk alone.

Education  Risk' is included in the core'

management team agenda.

Community and  Evidence of established Constitutional  management debate. Affairs

Treasury and  Recent inclusion of risk as a  Processes are less Resources  routine agenda item.  developed.

Chief Minister's  Inclusion of risk on management  Evidence of slippage where Department  team agendas.  urgent issues arise.

Information  Risk not routinely included Services  on agendas (although there Department  are plans to do so).

Probation and  Reporting of risks to the Aftercare  Probation Board is via a

word document. Moving from narrative reporting of risks to use of the risk register to ensure that risk, mitigation and residual risk are clearly reported on a consistent basis.

R15 Include in the amended Terms of Reference for DRMG a duty to review the

effectiveness of mitigating action and share learning acquired as a result.

R16 Stengthen arrangements for reporting of risk and mitigation to ministers.

Is the risk management process subject to review?

7. High performing organisations periodically review corporate processes to ensure that they remain fit for purpose and reflect changes in the environment in which the organisation works.
8. The States commissioned the Marsh review that was issued in 2014 and have implemented a substantial programme of change in response. Subsequently:

• the process for reviewing, updating and reporting the Community Risk Register has been reviewed and reinvigorated; and
• Business Continuity Management arrangements have been subject to annual review.

9. Given the scale of change, after the roll-out and implementation of the Guidance and in response to this report, a comprehensive structured review maybe helpful.
10. The Terms of Reference for the CMB Risk Management Sub-Group provide a valuable focus on learning through:

• a monitoring report to CMB quarterly on compliance with the risk management framework, identifying areas needing further action; and
• an annual report setting out the activities of the Sub-Group including a statement on the adequacy of the States' management of risk.

However, as highlighted above, the focus of the work of the Sub-Group to June 2017 has been on the Corporate Risk Register to the exclusion of some other responsibilities meaning that this focus on learning has been missing.

Recommendation

R17 Determine the timing and frequency of internal review of risk management

arrangements.

Conclusion

1. The States have come a long way in a relatively short time in developing risk management as a key tool of corporate management. The States recognised that their corporate arrangements were undeveloped. They engaged external support to undertake a baseline review. From a standing start, they developed and implemented a corporate framework with appropriate accountabilities at a corporate level. Existing arrangements for Business Continuity Management have recently been integrated into the new arrangements for risk management. Community and Corporate Risk Registers are now in place. At a departmental level, there are some examples of developed arrangements for risk management with appropriate engagement by staff at all levels.
2. But risk management is not yet adequately embedded across the States so that it is integral to everything that the States do and an inherent part of a shared culture across government. In particular:

• the CMB Risk Management Sub-Group has focussed on the Corporate Risk Register rather than important wider responsibilities about arrangements for risk management, ensuring compliance and promoting learning;
• there has been insufficient urgency in finalising and developing an effective plan for rolling out the corporate Guidance designed to support the high-level Code on risk management;
• there has been insufficient engagement of non-ministerial departments in corporate arrangements for risk management;
• risk management is not adequately embedded in departmental business planning processes;
• departmental risk management arrangements vary substantially in maturity, with insufficiently formal processes for escalation of risks from departmental to corporate level;
• risk management processes do not adequately capture risks associated with other entities controlled by the States;
• training on risk management has not been comprehensive or reflective of a wider vision for skills and competencies to underpin Public Sector Reform; and
• in some key areas, a common approach for departments is not prescribed, hindering the scope for aggregation and escalation of risks. In any event, there are inadequate mechanisms for comparative review across departments, both to promote consistent, high standards and to capture learning and best practice.

3. It is all too easy to see risk management as, at worst, a box-ticking exercise and, at best, about systems and processes alone. To move to the next level the focus must be not only on systems and processes but also on cultural change. Only then can risk management be an integral part of management and, indeed, drive positive, considered risk-taking. Guidance and training can serve an important role in supporting the transition but the necessary change requires time, effort, constant reinforcement and strong, consistent leadership. Handled well, embedding risk management will facilitate the wider cultural change that the States have recognised is needed to deliver high quality public services in a changing environment.

Recommendation

R18 In implementing the other recommendations in this report, focus on steps

to secure cultural change within the States' workforce to embrace risk management as an integral tool of management.

Appendix 1: Summary of Recommendations

Oversight and governance

R1 Strengthen the mechanisms by which the Audit Committee discharges its

responsibilities for risk management, including by:

• increasing the review and challenge of the design and operation of risk management polices and procedures; and
• directly linking the review of specific risk areas to the contents of the Corporate Risk Register.

R2 Prioritise the completion of the review of the Terms of Reference of CMB,

the CMB Risk Management Sub-Group and DRMG to:

• resolve confusion and ambiguity;
• clearly specify risk management reporting responsibilities; and
• place an explicit duty on CMB and groups' to satisfy themselves that any groups responsible to them for risk management activities discharge their responsibilities.

Leadership and strategy

R3 Review the contents of the Code and associated Guidance so that the

Code contains all mandatory requirements and that the role of the Guidance is to support States officers in complying with the requirements of the Code.

R4 Develop and implement a plan for effective roll-out of the new Guidance

once finalised to ensure:

• a consistent understanding by all staff involved in risk management activities across the States; and
• that there is an active process to capture feedback and learning once the Guidance is launched, to identify barriers to embedding risk management in the day to day running of the States' business.

R5 Adopt a timetable for review, updating and adoption of departmental

arrangements to ensure consistency with the Code and Guidance.

R6 Establish enhanced arrangements, including peer support where

appropriate, to engage and support non-ministerial departments in complying with the corporate approach to risk management.

R7 Ensure that all departments integrate risk management into wider business

planning processes, including published business plans.

Risk identification, classification and action

R8 Undertake a comparative review of the content of all departmental risk

registers and the rigour and frequency of their review.

R9 Strengthen risk escalation arrangements, including for non-ministerial

departments.

R10 Ensure that risks associated with entities controlled by the States are

reflected in the Corporate Risk Register and Treasury and Resources departmental risk register as appropriate.

R11 Prioritise development of a common e-learning platform across the States

to facilitate effective roll-out of corporate training.

R12 Update the competency framework and corporate training programme to

reflect risk management skills as part of the wider cultural change programme within Public Sector Reform.

R13 Develop mechanisms to capture and share experience of departmental

training initiatives across the States.

R14 Undertake a programme of peer review of departmental risk registers to

promote consistency of approach and challenge risk identification, evaluation, mitigation and reporting.

Monitoring, reporting and review

R15 Include in the amended Terms of Reference for DRMG a duty to review the

effectiveness of mitigating action and share learning acquired as a result.

R16 Stengthen arrangements for reporting of risk and mitigation to ministers.

R17 Determine the timing and frequency of internal review of risk management

arrangements.

Conclusion

R18 In implementing the other recommendations in this report, focus on steps

to secure cultural change within the States' workforce to embrace risk management as an integral tool of management.

KAREN McCONNELL COMPTROLLER and AUDITOR GENERAL

JERSEY AUDIT OFFICE, LINCOLN CHAMBERS (1ST FLOOR), 31 BROAD STREET, ST HELIER, JE2 3RR T: 00 44 1534 716800   E: enquiries@jerseyauditoffice.je  W: www.jerseyauditoffice.je