07 October 2022
jerseyauditoffice.je R.150/2022
Contents
Introduction
Key Findings
Conclusions
Objectives and scope of the review
Detailed findings
Risk management culture
Appendix One – Audit Approach
Appendix Two – Summary of Recommendations, Work planned that should be
- Processes to identify, assess, prioritise and manage risk are fundamentally important in achieving organisational goals. Corporate risk management processes focus on reducing, mitigating or otherwise managing the uncertainties faced in delivering strategic and key operational objectives. Effective risk management embraces processes at corporate, departmental and service levels.
- In 2017, the then Comptroller and Auditor General (C&AG) undertook a review of the States of Jersey's approach to risk management. The C&AG found that, whilst work had been undertaken to create a risk management framework, the effective management of risk was not adequately embedded across the States. The 2017 report Risk Management made 18 recommendations, all of which were accepted for implementation by the States.
- Exhibit 1 summarises the key elements of effective risk management. I have reviewed risk management arrangements against these key elements.
Exhibit 1: Elements of effective risk management
[Diagram: 'Risk management' at the centre, surrounded by five elements: Effective identification, classification and mitigation; Regular monitoring and reporting; Leadership and strategy; Oversight and governance; Risk management culture]
Source: Jersey Audit Office
- The Government of Jersey launched a new Risk Management Strategy during 2019. This Strategy was further updated in March 2022.
- This review has followed up recommendations made in 2017. I have considered arrangements at the corporate level as well as at departmental level. In considering departmental arrangements, I have reviewed three specific departments – Health and Community Services (HCS), the Chief Operating Office (COO) and the Probation and After-Care Service.
- The key findings from my review are as follows:
• 11 out of the 18 recommendations made in 2017 have been fully implemented. Three recommendations have not been implemented, with the remaining recommendations partially implemented
• a new Risk Management Strategy was launched in 2019 and was last updated in 2022. The Strategy is in line with best practice
• risk management arrangements have been enhanced since 2017 including the appointment of a Head of Risk. A new Enterprise Risk Management (ERM) system has been implemented, training has been rolled out and online risk management guidance is now in place
• corporate risk information is provided to the Executive Leadership Team (ELT), the Risk and Audit Committee and the Council of Ministers (CoM). There is, however, an opportunity to refine the level of detail that goes to each of these bodies in order for it to be more effective
• whilst risk is referred to in the Government Plan and to some degree in departmental plans, there is more to do to ensure consistency in approach. There is also room for improvement in ensuring consistent interpretation of risks that may impact on delivery of the Common Strategic Policy priorities and the Government Plan
• the Government of Jersey is a complex organisation with a diverse range of services. Whilst risk appetite is inherently considered as a part of making key decisions, risk appetite is not systematically debated and agreed by CoM, ELT or the Risk and Audit Committee in the context of the overall management of risks. The Strategy includes a policy with different appetites to empower users to make different judgements where a higher risk appetite is permitted. In practice, however, until risk management becomes more mature, it is unlikely that risk appetite will be used as an effective tool in day to day risk management
• there is a need for greater clarity on what the Corporate Risk Register is for. There is currently an imbalance and inconsistency in the risks, mitigating controls and actions recorded in the Corporate Risk Register; and
• at departmental level, the identification of risks has improved since the 2017 C&AG Report although the recording of entries in risk registers requires further improvement.
- Risk management in the States of Jersey has continued to develop since the 2017 C&AG Report. Effective implementation of the Risk Management Strategy and of the recommendations in this report will be key to embedding risk management as an integral tool of management.
Objectives and scope of the review
- The review has evaluated:
• the arrangements established to manage and monitor the implementation of the recommendations contained in the 2017 report
• the progress the States of Jersey have made in implementing the agreed recommendations
• the effectiveness of corporate arrangements for managing risk. These include arrangements for escalation of risks from departments and from other bodies whose accounts are consolidated in the financial statements of the States; and
• the effectiveness of arrangements for risk management within departments.
- The review has not considered risk management relating to:
• strategic investments, the results of which are excluded from the States Accounts (Jersey Telecom, Jersey Post, Jersey Water and Jersey Electricity); and
• the States' pension funds.
- The review has also not considered the management and mitigation of investment risk (for example relating to the Strategic Reserve and the Social Security (Reserve) Fund).
- Effective risk management requires organisation leaders to actively seek to recognise risks and direct the response to these risks. In the best performing organisations, an audit and risk assurance committee will provide proactive support in advising on and scrutinising the management of key risks and the operation of efficient and effective internal controls.
- Within the States of Jersey, risk management sits within the overall governance framework. This overall governance framework includes strategic and operational leadership and decision making through CoM, ELT and Directors General. It also encompasses oversight and assurance functions including a Risk and Audit Committee.
- The 2017 C&AG review considered two aspects of oversight and governance of risk management.
• Are there effective arrangements consistently applied for the oversight of risk management activities at the (then) Audit Committee level?
• Are there appropriate arrangements consistently applied for the governance of risk management activities?
- Two recommendations were made in respect of the oversight and governance of risk by the States of Jersey. Progress against these recommendations is summarised in Exhibit 2.
Exhibit 2: Progress in oversight and governance recommendations
Recommendation: R1 Strengthen the mechanisms by which the Audit Committee discharges its responsibilities for risk management, including by:
• increasing the review and challenge of the design and operation of risk management policies and procedures; and
• directly linking the review of specific risk areas to the contents of the Corporate Risk Register.
Current Position: The Audit Committee, re-formed as the Risk and Audit Committee, continues to have a responsibility in respect of risk oversight. The Risk and Audit Committee challenges risk scores as well as the controls and details of mitigating actions. A 'deep dive' process is in place which requires departments to present on all risks scoring over 15. The status of the 'deep dive' process has not, however, always been clear. I have identified areas relevant to its responsibilities where the Risk and Audit Committee has not been consulted.
Evaluation: Partially implemented. Whilst improvements have been made since 2017, there remain areas where the involvement of the Risk and Audit Committee could be strengthened.

Recommendation: R2 Prioritise the completion of the review of the Terms of Reference of Corporate Management Board (CMB), the CMB Risk Management Sub-Group and Departmental Risk Management Group (DRMG) to:
• resolve confusion and ambiguity
• clearly specify risk management reporting responsibilities; and
• place an explicit duty on CMB and groups to satisfy themselves that any groups responsible to them for risk management activities discharge their responsibilities.
Current Position: The Risk Management Strategy indicates how each lead role within the risk governance structure exercises responsibility. Responsibilities are clearly set out for:
• CoM
• ELT
• Risk and Audit Committee
• Head of Risk and Enterprise Risk Team
• Departmental Leadership Teams
• Departmental Risk Leads
• Jersey Resilience Forum
• Departmental Risk Group; and
• all staff and contractors.
Evaluation: Implemented.
Source: Jersey Audit Office analysis
The role of the Risk and Audit Committee
- The Terms of Reference for the Government of Jersey Risk and Audit Committee include a role to advise on the effectiveness of the policies and strategic processes for risk management, internal control and governance.
- The Risk and Audit Committee has developed the way in which it discharges its responsibilities in respect of risk management since the 2017 C&AG Report. This includes scrutiny and challenge of the quarterly report from the Head of Risk. The detailed reports provided to the Risk and Audit Committee are not always timely due to the reporting cycle. For example, the Risk and Audit Committee on 4 July 2022 considered data from the first quarter of 2022, as well as including data from Customer and Local Services (CLS) that was out of date. Furthermore, there are instances where the nature and volume of the information provided focusses the Committee on detail and minutiae rather than strategic matters.
- The Risk and Audit Committee review process also includes 'deep dives' into risks scoring more than 15 on the Corporate Risk Register. The status of the 'deep dive' process has not, however, always been clear. The Deep Dive Template seeks to resolve this issue and is in the process of being embedded across Government. The revised draft Terms of Reference for the Risk and Audit Committee that are currently being finalised also seek to clarify the status of the 'deep dive' process.
- Whilst the Risk and Audit Committee is presented with a large volume of information in respect of risks, there are certain areas where I would have expected the Risk and Audit Committee to provide advice and challenge but where it has not been consulted. The Committee has recently been provided with the detailed analysis from the Corporate Risk Register for the first time. However, it has not been consulted on:
• the updated Risk Management Strategy 2022
• an Implementation Plan supporting delivery of the objectives in the Risk Management Strategy
• success measures included in the Risk Management Strategy and monitoring arrangements for these; and
• risk appetite.
- In recent months, a separate Audit Committee for the Non-Ministerial Departments has been established. I welcome this development. Induction training has taken place for this Committee and it is due to have its first formal meeting in the autumn of 2022.
Governance of risk management activities
- The States of Jersey operate a hierarchy of risk registers at three levels:
• Community – this register is under development. It is planned to be developed on the basis of the UK National Security Risk Assessment Framework 2019. This work will be undertaken by a Risk Working Group within the Jersey Resilience Forum (which is a multi-agency group of stakeholders)
• Corporate – this register contains corporate risks. Risks are added by the Head of Risk following referral from ELT or by escalation from authorised users within departments following discussion with the Head of Risk; and
• Departmental – these registers record departmental risk. Risks owned by departments are discussed in quarterly meetings between the departmental Accountable Officer and the Head of Risk.
- Corporate risk information is provided quarterly to ELT, the Risk and Audit Committee and CoM. There is however an opportunity to refine and reduce the level of detail that goes to each of these bodies in order for it to be more effective.
- The Departmental Risk Group (DRG) meets every two months. It includes representatives of each of the Ministerial Departmental Management teams, Non-Ministerial Departments, the Corporate Portfolio Management Office (CPMO) and other relevant functions such as internal audit, insurance, health and safety, business continuity and information security. The DRG Terms of Reference include reviewing the Corporate Risk Register to assess the impact on departmental risks. However, DRG members do not have access to the detailed Register and therefore the review is based on information extracted from the Corporate Risk Register. The DRG scrutinises departmental risk registers for new and emerging risks that need to be considered by ELT. When risk scores are reduced, this is properly challenged and discussed at the DRG.
- The Corporate Risk Register is completed by authorised users on a 'bottom-up' basis and does not consistently reflect those corporate risks which may impact on delivery of the Government Plan and corporate strategic priorities. There would be merit in ELT reviewing all risks in the Corporate Risk Register more systematically for consistency and relevance.
- There is a 'risk champion' in each department and risk appears on departmental Senior Leadership Team (SLT) agendas. The Head of Risk meets with Accountable Officers every three months and risk leads or departmental representatives monthly, to discuss departmental risks. Within HCS, risk is also considered at the HCS Executive Performance Review meetings and at the quarterly meetings of the Quality and Risk Committee, the Operations, Performance and Finance Committee and the People and Organisational Development Committee, all of which report into the HCS Board.
- High-level roles and responsibilities indicating how each lead role exercises responsibility are included in the Risk Management Strategy.
- Two Government of Jersey departments do not currently use the ERM system – HCS and CLS.
- HCS uses a recognised clinical risk management system, Datix, which enables comparison with other health entities. Appropriate arrangements are in place to manage the link between the Corporate Risk Register and Datix recorded risks. However, my 2022 report Child and Adolescent Mental Health Services (CAMHS) found weaknesses in risk management in respect of CAMHS, which is managed jointly across HCS and Children, Young People, Education and Skills (CYPES).
- For CLS, data was initially migrated into the ERM system but has not been kept up to date by CLS due to other priorities. CLS has instead maintained risks in its own internal system. The top CLS risks are discussed quarterly between the Head of Risk and the CLS Accountable Officer. The CLS risk data reported in the quarterly pack is however out of date and meaningless as recognised in a footnote to the report. Updated CLS risk data is now planned to be migrated to the ERM system in the last two quarters of 2022. Training has already been given in advance of the transition.
- The role of the Head of Risk includes review of the risk registers and meeting with States owned entities in advance of quarterly shareholder meetings as part of a Memorandum of Understanding. The role does not extend to reviewing the wider risk of the Government's arrangements and relationships with States owned entities. Neither does it extend to reviewing risks and meeting with arm's length bodies. These roles fall to the lead department for the entity concerned.
- Risks from major projects are managed separately through the CPMO. The CPMO lead is a member of the DRG and there is evidence of:
• revised risk management processes being developed recently. These are tailored to different project types and demonstrate good practice
• liaison with and support from the Head of Risk on specific projects; and
• the opportunity to escalate project risks to departmental risk registers or the Corporate Risk Register via the Senior Responsible Officer for the project in the lead department.
Recommendations
R1 Tailor information provided to strategic groups including CoM, ELT and the Risk and Audit Committee to present key messages more effectively at a strategic level and on a more timely basis. In doing so, ensure streamlining of the quarterly data pack to focus on the risk management of delivery of strategic priorities.
R2 Implement more effective arrangements to consider and integrate risks in States owned entities and arm's length bodies into the Corporate Risk Register.
Work planned that should be prioritised
P1 Complete the planned update to the Community Risk Register.
P2 Integrate CLS fully into the Enterprise Risk Management system.
- In 2017 the C&AG made five recommendations in respect of risk management leadership and strategy. Progress has been made in implementing these recommendations as shown in Exhibit 3.
Exhibit 3: Progress in leadership and strategy recommendations
Recommendation: R3 Review the contents of the Code and associated Guidance so that the Code contains all mandatory requirements, and that the role of the Guidance is to support States officers in complying with the requirements of the Code.
Current Position: A new Risk Management Strategy has been issued along with online risk management guidance.
Evaluation: Implemented.

Recommendation: R4 Develop and implement a plan for effective roll-out of the new Guidance once finalised to ensure: a consistent understanding by all staff involved in risk management activities across the States; and that there is an active process to capture feedback and learning once the Guidance is launched, to identify barriers to embedding risk management in the day to day running of the States' business.
Current Position: Online risk management guidance is now in place.
Evaluation: Implemented.

Recommendation: R5 Adopt a timetable for review, updating and adoption of departmental arrangements to ensure consistency with the Code and Guidance.
Current Position: Risk management guidance and training have been rolled out to all departments. However, this training is not mandatory.
Evaluation: Implemented.

Recommendation: R6 Establish enhanced arrangements, including peer support where appropriate, to engage and support non-ministerial departments in complying with the corporate approach to risk management.
Current Position: Arrangements have been enhanced since 2017, including the appointment of a Head of Risk.
Evaluation: Implemented.

Recommendation: R7 Ensure that all departments integrate risk management into wider business planning processes, including published business plans.
Current Position: Whilst risk is referred to in Government Plans and to some degree in departmental plans, there is more to do to ensure consistency in approach.
Evaluation: Partially implemented.
Source: Jersey Audit Office analysis
Risk Management Strategy and Guidance
- The Risk Management Strategy was updated in March 2022 and approved by ELT in May 2022. Whilst the Risk and Audit Committee considered the original strategy, it was not consulted on the updated draft Strategy and has not been presented with the final Strategy. This is a gap given that the Risk and Audit Committee is the advisory committee on risk.
- The detailed Strategy covers:
• introduction
• risk policy, strategy and objectives
• integrating with assurance and audit
• roles and responsibilities; and
• embedding and evaluating progress.
- I have reviewed the Strategy against other best practice examples and consider that the Strategy includes the areas expected. The Strategy includes a series of six objectives for 2022 as shown in Exhibit 4.
Exhibit 4: Risk Management Strategy 2022 - Objectives
Source: Government of Jersey Risk Management Strategy/Jersey Audit Office analysis
- To deliver the objectives, the Strategy includes a series of actions for 2022 split into five key focus areas. A series of success measures is included in the Strategy showing expected benefits to be achieved from the Strategy and how their achievement will be measured. There is however no plan available to provide a basis for implementing the Strategy and no mechanism in place to routinely measure and report the success measures and outcomes.
- Online guidance has been developed on risk management. The Strategy covers a lot of the detail which is also replicated in the detailed online guidance. In general, I found the online guidance to be long, detailed and very descriptive. The online guidance does emphasise that it allows a 'flexible approach' and should be seen as an enabler rather than a constraint.
- Whilst risk appetite is inherently considered as a part of making key decisions, risk appetite is not systematically debated and agreed by CoM, ELT or the Risk and Audit Committee in the context of the overall management of risks. The Strategy includes a policy with different appetites to empower users to make different judgements where a higher risk appetite is permitted. In practice, however, until risk management becomes more mature, it is unlikely that risk appetite will be used as an effective tool in day to day risk management.
- I could find no evidence to indicate that risk appetite is considered periodically by ELT, CoM or the Risk and Audit Committee.
Corporate leadership
- Risk information is provided to ELT and CoM on a quarterly basis. The volume of information is substantial and I question whether this is appropriate, particularly for CoM.
- The Risk and Audit Committee is an advisory committee which receives the same information as CoM and ELT. This Committee is attended by the Chief Executive, States Treasurer and Chief of Staff.
- The risks in the Corporate Risk Register are populated on a 'bottom up' basis by departmental users and the Head of Risk. It is hard to see the link between the risks in the Government Plan and the risks in the Corporate Risk Register.
- Whilst ELT reviews the entries in the Corporate Risk Register, it does not undertake a systematic review to challenge the content of the Register for consistency, relevance and the link to the Government Plan.
- Since the start of 2022, the Enterprise Risk Management Team comprising the Head of Risk and a Risk Adviser has been part of the Office of the Chief Executive reporting to the Chief of Staff. The move from Treasury and Exchequer emphasises that risk management is a corporate business function.
Integration of risk management into wider business planning
- Some corporate risks are published in an Appendix in the Government Plan 2022-25. However, these are not consistent with the Corporate Risk Register. Risk examples in the Government Plan 2022-25 include specific extracts from the Corporate Risk Register rather than being a 'top down' analysis of those risks that may impact on the delivery of the Common Strategic Policy priorities in the Government Plan.
- The headline risks documented in the Government Plan 2022-25 are:
• rebalancing budgets
• pressures in expenditure and borrowing capacity
• UK and EU Policy and relations
• economic recovery planning
• information and cyber security
• One Government accommodation
• education reform programme; and
• estates strategy and management.
- These, however, do not all appear in the current Corporate Risk Register.
- Similarly, the Government Plan 2022-25 and the Corporate Risk Register do not both include all of the specific risks that may impact on delivery of the Government Plan such as:
• delivering rebalancing measures
• the Our Hospital project
• resourcing pressures
• the office accommodation programme
• ongoing and emerging COVID-19 pandemic risks
• economic diversification; and
• immigration/population issues.
- There is no reference in the commentary relating to the strategic priorities in the Government Plan 2022-25 to show risk considerations in respect of individual strategic priorities.
Departmental arrangements
- Each departmental business plan has a detailed section on risk management processes but there is limited evidence across all departments to demonstrate risk management in the context of delivering individual departmental plans.
- I considered the integration of risk management into wider business planning in three departments – HCS, COO and the Probation and After-Care Service.
HCS
- Risk management is increasingly discussed and considered in relevant business planning meetings within HCS. Whilst risk management is cascaded to the middle level of management, further work is needed to fully embed it.
- Risks and risk management are considered in senior leadership business plan discussions and in business planning sessions at a service level. Business Planning templates have sections on risk included at a Care Group and HCS level. The process is increasingly well-defined.
- Risk and thinking about risk is increasingly being used to drive HCS decisions.
COO
- I found evidence that many aspects of the COO business plan have been driven by risk identification and mitigation, including the cyber security programme, the ITS programme and the People Strategy.
- Risk appears on SLT and related agendas with a risk lead in each functional area within the COO.
- The health and safety function and the business continuity function within the COO were two of the earliest adopters of the new ERM approach. There is, however, more work to be undertaken to improve the quality of the recorded risk information. For example, some of the fields on the risk system are empty, incomplete or contain basic entries that do not give a clear view of the nature of the risk and controls.
Probation and After-Care Service
- There are seven key strategic priorities for the Probation and After-Care Service, and these are driven in part by consideration of risk. The Probation and After-Care Service senior management team reviews and discusses the top 10 risks at bi-monthly strategic management meetings as part of its overall performance management activity.
- Business planning is informed by risk although this could be embedded further by making formal consideration of risk and risk management a more established, documented and explicit part of the process.
Recommendations
R3 Develop an action plan to implement and monitor delivery of the 2022 Risk Management Strategy, particularly around the key objectives, success measures and outcomes identified in the key focus areas.
R4 Formally review risk appetite across a range of dimensions on an annual basis.
R5 Undertake a full review of the Corporate Risk Register to ensure consistent interpretation of risks that may impact on delivery of the Common Strategic Policy priorities and the Government Plan.
R6 Review the Managing Risk section in future Government Plans to ensure that it reflects high level risks of delivering the priorities in the Government Plan rather than a small sample of risks taken from the Corporate Risk Register.
R7 Include significant risks that may impact on delivery of departmental business plans in these business plans.
Areas for consideration
A1 Review the detailed content of the Risk Management Strategy alongside its supporting guidance to ensure that balance and level of detail are appropriate for users.
A2 Review whether any aspects of the risk management guidance should be mandated.
A3 Include more practical examples in the risk management guidance to help users in interpretation and to promote consistency in application. Areas that should be considered for practical examples include:
• population of the risk register
• scoring examples
• controls; and
• mitigating actions.
Risk identification, classification and action
- In 2017 the C&AG made seven recommendations in respect of risk identification, classification and action. Progress in implementing these recommendations is shown in Exhibit 5.
Exhibit 5: Progress in risk identification, classification and action recommendations
Recommendation: R8 Undertake a comparative review of the content of all departmental risk registers and the rigour and frequency of their review.
Current Position: Risk registers are now reviewed regularly. The involvement of the central risk team provides an element of consistency.
Evaluation: Implemented.

Recommendation: R9 Strengthen risk escalation arrangements, including for non-ministerial departments.
Current Position: Risk escalation arrangements have been strengthened through the DRG.
Evaluation: Implemented.

Recommendation: R10 Ensure that risks associated with entities controlled by the States are reflected in the Corporate Risk Register and Treasury and Resources departmental risk register as appropriate.
Current Position: Risks associated with States owned bodies and arm's length organisations are now included in the risk registers of the appropriate department. No such risks are currently included in the Corporate Risk Register as no risks have been required to be elevated to this level.
Evaluation: Implemented.

Recommendation: R11 Prioritise development of a common e-learning platform across the States to facilitate effective roll-out of corporate training.
Current Position: System improvements to resolve technical issues and licensing are required before e-training for risk management can be developed and rolled out. Development of risk management e-training is within the documented work plan for 2022.
Evaluation: Not implemented.

Recommendation: R12 Update the competency framework and corporate training programme to reflect risk management skills as part of the wider cultural change programme within Public Sector Reform.
Current Position: There is no longer a relevant competency framework to reflect risk management skills. Work is however in place to develop common objectives and goals which will include risk management for Tier 1-3 officers.
Evaluation: Not implemented.

Recommendation: R13 Develop mechanisms to capture and share experience of departmental training initiatives across the States.
Current Position: Training is arranged and delivered by the Head of Risk. Terms of Reference for the DRG include specific reference to sharing learning from training in departments.
Evaluation: Implemented.

Recommendation: R14 Undertake a programme of peer review of departmental risk registers to promote consistency of approach and challenge risk identification, evaluation, mitigation and reporting.
Current Position: Risk registers are now reviewed regularly. The involvement of the central risk team provides an element of consistency and challenge. However, risk registers for other departments are not currently visible to risk leads or non-departmental staff, preventing the opportunity to learn from others in this way. The rationale for this is the confidential content of some registers.
Evaluation: Partially implemented.
Source: Jersey Audit Office analysis
Risk identification and classification
- The Corporate Risk Register includes a number of inherent business as usual (BAU) risks as well as specific current risks. The Risk Management Strategy states that the Corporate Risk Register identifies those risks that could materially threaten the Government of Jersey's business model, future performance or prospects. These are strategic, emerging or exceptional risks including:
• financial
• service delivery
• reputational
• legal and regulatory
• people (for example Health and Safety)
• economic
• social; and
• environmental.
- The Strategy outlines the expectation that the Corporate Risk Register will include the following type of risks:
• principal risks – to the achievement of Government priorities
• common risks across all departments
• new and emerging risks that may impact on Government objectives
• risks by exception – that is where the risk cannot be controlled by a department
• significant risks (scoring over 15); and
• project risks.
- As part of my review, I considered risks within the Corporate Risk Register. I identified a number of examples where risks could have been documented more consistently and effectively, including:
• generic, inherent risks without specific concerns being referenced. These include major projects which are recorded as an inherent high risk but there is no record of specific concerns with individual projects. In addition, resourcing is included as a generic risk with no reference to specific issues
• one extreme risk in a significant service area, the scoring of which suggests that no mitigating actions or controls are effective in managing the risk and that a catastrophic event is almost certain
• risks of narrow significance when compared to others (for example, the risk of exceeding software licences); and
• uninsured losses – the exposure associated with this risk is not quantified. Whilst I accept it can be difficult to quantify uninsured losses fully, an indication of the potential range of loss would be helpful to provide more context.
- In my view there is a need for greater clarity on what the Corporate Risk Register is for. There is currently an imbalance and inconsistency in the risks recorded in the Corporate Risk Register. For example, under the current Corporate Risk Register, the risk of exceeding software licences (which appears to be mitigated) is seen as a higher risk than loss of economic prosperity, resourcing and safeguarding.
- At departmental level, the identification of risks has improved since the 2017 C&AG Report although the recording of entries in the risk register requires further improvement.
- The volume of risks reported in quarterly reports varies significantly between departments. For example, at April 2022, Infrastructure, Housing and Environment (IHE) was reporting 149 risks whereas CYPES was reporting 75 risks. Whilst the difference could be reflective of the range of activities undertaken it may also be indicative of varying interpretations in departments as to the recording of risks. The full analysis by Government department is shown in Exhibit 6.
Exhibit 6: Departmental risk totals April 2022
[Bar chart: number of risks reported per department, one bar each for HCS, IHE, JHA, COO, CYPES, CLS*, T&E, DoE, OCE and SPPP; vertical axis 0 to 350]
*CLS data from departmental system which is in transition and not up to date
HCS data taken from HCS risk system
Source: Head of Risk Quarterly Report Quarter One 2022
Risk action
- The ERM system does not record gross risk (the 'raw' risk) and residual risk (after taking into account mitigating controls). The system only shows residual risk and, as a consequence, reports to management do not show the full story of risk and judgement on mitigations.
- The Corporate Risk Register records risks on a five-box matrix based on assessment of likelihood and impact of a risk event. Exhibit 7 shows the risk profile (number of risks in each category) on the Corporate Risk Register on 1 April 2022.
Exhibit 7: Risk matrix and risk profile April 2022
Likelihood (rows, 5 = Almost certain down to 1 = Rare) against Impact (columns: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Extreme). The number of risks in each likelihood row is preserved below; the text version does not preserve which impact column each count sits in:
5 Almost certain: 2, 2, 1
4 Likely: 9, 4, 1
3 Probable: 1, 2, 3, 4
2 Unlikely: 1, 2, 3
1 Rare: 1
Source: Government of Jersey Corporate Risk Register April 2022
- A different approach has recently been adopted by the CPMO for project risk management. This approach does record the gross risk in terms of likelihood and impact across a range of dimensions, as well as the residual risk score following mitigating actions. The CPMO Risk Logbook therefore provides the opportunity for a full audit trail with commentary on what the mitigating action is seeking to do.
- The completion of the risk description field within the ERM system varies in respect of the level of detail and interpretation. Some entries are limited and the recording of the rationale for individual risks is also variable. I would expect this field to set out the rationale for inclusion as a risk and why it is classified as such.
- There is some confusion and inconsistency in the recording of mitigating controls and actions. There is also limited detail in some instances in respect of the controls and actions recorded.
- Whilst the majority of mitigating controls across all departments are described as effective, in some departments many are described as ineffective or in need of enhancement. The volume of actions is not related to the severity of risk. For example, one risk is recorded as extreme and has the maximum score of 25 on the risk matrix after controls are taken into account. Other risks are recorded as almost certain to happen with high impact after all controls. I would expect these to be the subject of detailed action plans with specific timeframes to reduce the risk level if the risk to the Government is so extreme that it is very likely to happen and will have a catastrophic outcome. However, I did not find detailed action plans in place.
- There is inconsistent compliance by departments with actions identified to mitigate risks. For example, the data as at 1 April 2022 reported in July 2022 indicates that CYPES had 85% of its actions marked as overdue. Exhibit 8 shows some examples of control and actions for the first quarter of 2022 from the information pack presented in July 2022.
Exhibit 8: Departmental risk actions and controls April 2022
Department: comment on actions and controls at 1 April 2022
OCE: 13 of 25 actions overdue; 6 of 45 controls ineffective, 10 of 45 need enhancement
CYPES: 40 of 47 actions overdue
COO: 11 of 149 controls ineffective, 59 of 149 need enhancement
JHA: 32 of 85 controls need enhancement
DoE: 4 of 58 controls ineffective, 19 of 58 need enhancement
HCS: different terminology is used as data is maintained on a different system. Actions and controls are described as follows: Adequate 68; Limited 192; Poor 62; To be confirmed 6
Source: Head of Risk Quarterly Report Quarter One 2022
- A process is in place which requires departments to carry out a detailed 'deep dive' review into all risks scoring over 15. The results of these 'deep dives' are reported in the quarterly pack provided to ELT. The aim of the 'deep dive' is to move a risk from a red or amber rating to green. Compliance with the 'deep dive' process is not, however, consistent. CLS, the DoE and IHE did not comply with the process in the first quarter of 2022.
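The scoring mechanics the report relies on (a five-by-five likelihood × impact matrix with a maximum score of 25, a 'deep dive' trigger for scores over 15, the distinction between gross risk before controls and residual risk after them, and the proportion of overdue actions) can be made concrete in a few lines. The following Python is an added illustration, not code from the report or from the Government of Jersey ERM system; the register entries, their refs, scores, action descriptions and due dates are constructed for the example, and the class and function names are my own.

```python
"""Risk register scoring: gross vs residual, 5x5 matrix profile, deep-dive threshold.

Added example. The scales, the >15 deep-dive trigger and the reporting date follow the
report; every register entry below is constructed and illustrative only.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Probable", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
DEEP_DIVE_THRESHOLD = 15  # a 'deep dive' is required for risks scoring over 15


@dataclass
class Action:
    description: str
    due: date
    complete: bool = False

    def overdue(self, today: date) -> bool:
        return not self.complete and self.due < today


@dataclass
class Risk:
    ref: str
    description: str
    gross_likelihood: int      # before controls (the 'raw' risk)
    gross_impact: int
    residual_likelihood: int   # after controls, the only view the ERM system records
    residual_impact: int
    actions: list[Action] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.gross_likelihood, self.gross_impact,
                  self.residual_likelihood, self.residual_impact):
            if v not in LIKELIHOOD:  # both scales run 1..5
                raise ValueError(f"{self.ref}: score {v} outside 1..5")
        # A control cannot make a risk worse: residual must not exceed gross on either axis.
        if (self.residual_likelihood > self.gross_likelihood
                or self.residual_impact > self.gross_impact):
            raise ValueError(f"{self.ref}: residual exceeds gross")

    @property
    def gross_score(self) -> int:
        return self.gross_likelihood * self.gross_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def controls_effective(self) -> bool:
        """True only if the recorded controls actually move the score."""
        return self.residual_score < self.gross_score


def profile(risks: list[Risk]) -> Counter:
    """Number of risks in each (likelihood, impact) cell of the residual matrix."""
    return Counter((r.residual_likelihood, r.residual_impact) for r in risks)


def deep_dive_candidates(risks: list[Risk]) -> list[str]:
    """Refs of risks whose residual score is over the deep-dive threshold."""
    return [r.ref for r in risks if r.residual_score > DEEP_DIVE_THRESHOLD]


def unmitigated_high_risks(risks: list[Risk]) -> list[str]:
    """High-scoring risks whose gross and residual scores are equal: no control is doing anything."""
    return [r.ref for r in risks
            if r.residual_score > DEEP_DIVE_THRESHOLD and not r.controls_effective()]


def overdue_action_ratio(risks: list[Risk], today: date) -> float:
    actions = [a for r in risks for a in r.actions]
    if not actions:
        return 0.0
    return sum(a.overdue(today) for a in actions) / len(actions)


def render_matrix(risks: list[Risk]) -> str:
    """Plain-text 5x5 grid: likelihood rows from 5 down to 1, impact columns 1..5."""
    counts = profile(risks)
    lines = ["Likelihood / Impact".ljust(20) + "".join(f"{im:>4}" for im in IMPACT)]
    for lk in sorted(LIKELIHOOD, reverse=True):
        row = "".join(f"{counts.get((lk, im), 0):>4}" for im in IMPACT)
        lines.append(f"{lk} {LIKELIHOOD[lk]:<18}{row}")
    return "\n".join(lines)


TODAY = date(2022, 4, 1)  # reporting date used for the Q1 2022 figures

# Constructed sample register; refs, wording, scores and dates are illustrative only.
REGISTER = [
    Risk("CR01", "Major service failure", 5, 5, 5, 5),             # 25 after controls
    Risk("CR02", "Loss of key staff", 5, 4, 3, 4,
         [Action("Recruit to vacant posts", date(2022, 3, 1)),
          Action("Agree retention plan", date(2022, 2, 1), complete=True)]),
    Risk("CR03", "Loss of data centre", 4, 5, 4, 5,
         [Action("Run failover exercise", date(2021, 12, 31))]),
    Risk("CR04", "Exceeding software licences", 2, 2, 1, 2),
    Risk("CR05", "Cyber attack on core systems", 5, 4, 4, 4,
         [Action("Deploy MFA to remaining accounts", date(2022, 6, 30))]),
]

if __name__ == "__main__":
    print(render_matrix(REGISTER))
    print("Deep dive required:", deep_dive_candidates(REGISTER))
    print("Score unchanged by controls:", unmitigated_high_risks(REGISTER))
    print(f"Actions overdue: {overdue_action_ratio(REGISTER, TODAY):.0%}")
```

Two of the checks are the ones the report says the current system cannot make: `unmitigated_high_risks` only exists because gross and residual are both recorded, and it surfaces exactly the pattern described above of an extreme risk scoring 25 after all controls; the `residual exceeds gross` rejection catches a control record that would otherwise make a risk look worse after mitigation, which is an entry error rather than a finding.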
- With the exception of four risks, the risk appetite recorded against risks in the ERM system is 'low' for all risks. There is no rationale provided for these four risks as to why the risk appetite is 'medium' and how this appetite relates to the 'very low', 'low' or 'moderate' risk appetite described in the Risk Management Strategy, depending on particular circumstances.
Specific departmental risk identification and classification
- I reviewed risk identification and classification in more detail within three departments.
HCS
- The HCS risk management system is separate from the Government of Jersey ERM system. The HCS system produces exception reports that show where fields need updating and overdue risks are reported to risk handlers directly for action. The HCS Risk Manager has regular meetings with Care Group Governance leads and the Business Continuity lead, as well as frequent meetings with executives and senior stakeholders concerning risk management. The HCS Risk Manager also attends monthly risk governance meetings in high-risk areas.
- An HCS Risk Management Committee has been established and meets monthly and reports into the Quality and Risk Assurance Committee. Risks are also considered in the Operations, Performance and Finance Committee and in the People and Organisational Development Committee that covers workforce and human resources related risks.
- Each Care Group has a governance lead who covers both clinical governance and risk.
- A Quality and Performance Report is produced on a monthly basis and includes coverage of key risks which are presented to Executives in monthly Care Group Performance Review meetings.
- Despite HCS operating a separate risk management system, there has been an effective escalation of departmental risks from HCS to the Corporate Risk Register. There were two HCS risks on the Corporate Risk Register at the time of my review.
COO
- The identification of risks within COO is increasingly effective. The departmental risk register is considered regularly, reviewed frequently and is up to date. Work has been ongoing to refine and enhance the quality of the content of the departmental risk register with a further focus on reviewing controls and on identifying a broader range of risks.
- The output from Health and Safety risk workshops is being reviewed to better understand health and safety risk across the States of Jersey. This work is planned to lead to further refinements to the health and safety risk register.
- A corporate workforce risk register has been developed and is part of the BAU papers for the States Employment Board to review. Key risks are included on the register, each with a detailed and comprehensive narrative. In some areas it is clear that the resources required for the recorded mitigating actions are not in place. It can therefore be difficult to assess how effective the proposed mitigating action is in some instances.
- The workforce risk register is reviewed by both the ELT and the States Employment Board. However, outside of the workforce risk register held by COO there are no corresponding departmental risk registers on workforce issues and the process for escalation to the COO corporate workforce risk register is not clear. As a result, it is hard to see how the workforce specific risks flow both from departments and back to departments and where responsibility and actions are held.
- I have seen evidence of effective discussions between the COO and the Head of Risk regarding changes in departmental risk scores, most recently over the reduced scores for two COO risks. Risks have been escalated from the COO to the Corporate Risk Register, for example around data quality and business continuity.
Probation and After-Care Service
- Whilst there has been progress since 2017, there is more work required to identify, classify and record risks effectively. In the top ten risks reviewed as part of my work it was apparent that the risk register sections on controls and actions were sparsely populated. A further emphasis on filling out the ERM template for risks is required.
- The escalation of significant risks to the Corporate Risk Register has occurred in the past and the process appears to have been seamless.
Risk management training
- Training has taken place across the States of Jersey on the Risk Management Strategy and guidance. However this training was not mandatory.
- Training is also available on request from the Head of Risk on wider risk management as well as specific issues. For example, in HCS, training was commissioned for the clinically-led Care Groups and received in 2019/20. For the Probation and After-Care Service the central team ran a well-received workshop recently.
- There is no evidence of training being provided or planned for States Assembly Members.
- The Head of Risk acknowledges that there is a need for more structured training. This has been delayed due to resourcing pressures and other priorities. There are plans to include a core objective on risk management for staff in Tiers 1-3 as part of the new corporate Performance Management Framework from January 2023. As part of the development process, a competency framework is also being prepared which will provide the opportunity to include risk management as a core competency. A draft is anticipated in September 2022.
Recommendations
R8 Undertake a full review, led by ELT, of all risks on the Corporate Risk Register to confirm that:
• inclusion as a risk and scoring is justified and a consistent interpretation of the guidance
• controls recorded are appropriate and meaningful; and
• recorded mitigating actions are robust and timetables are realistic.
R9 Enhance mechanisms to hold Accountable Officers to account for the effectiveness of mitigating controls and actions recorded on the risk register. In doing so, review the purpose and operation of the 'deep dive' processes operated by the Head of Risk and the Risk and Audit Committee to consider their effectiveness and ensure that they do not duplicate one another.
Work planned that should be prioritised
P3 Complete the development of core objectives for risk management for Tier 1-3 staff as part of the Performance Management Framework.
P4 Complete the work on the Competency Framework, including a reference to risk management as a core competency.
Areas for consideration
A4 Develop and implement a mandatory training programme on risk management processes.
A5 Enhance the system to document both initial (gross) risk and current (residual) risk to provide a better audit trail of risk, mitigating controls and action.
A6 Provide some specific training in risk management processes for States Assembly Members more widely.
A7 Review and determine the best way to improve sharing of risk registers across the States of Jersey risk community to enable additional learning from others in a controlled and measured way.
Monitoring, reporting and review
- In 2017 the C&AG made three recommendations in respect of monitoring, reporting and review. Progress in implementing these recommendations is shown in Exhibit 9.
Exhibit 9: Progress in monitoring, reporting and review recommendations
R15 Include in the amended Terms of Reference for DRMG a duty to review the effectiveness of mitigating action and share learning acquired as a result.
Current position: Terms of Reference for the DRG include a requirement for departmental representatives to present evidence of risks, controls and actions. There is no requirement for the DRG to review effectiveness of mitigating controls and actions.
Evaluation: Not implemented

R16 Strengthen arrangements for reporting of risk and mitigation to ministers.
Current position: Quarterly packs on risk management are now provided to CoM.
Evaluation: Implemented

R17 Determine the timing and frequency of internal review of risk management arrangements.
Current position: The Risk Management Strategy was launched in 2019 and updated in 2022. The online guidance to support the Strategy is subject to ongoing review.
Evaluation: Implemented
Source: Jersey Audit Office analysis
- The DRG is a large group and is well attended. In a sample of two meetings reviewed, the attendance with guests averaged 25. The Terms of Reference for the DRG set out its purpose and are shown in Exhibit 10.
Exhibit 10: Departmental Risk Group purpose
The purpose of the DRG is to:
• ensure a consistent approach to risk management across the Government of Jersey (GoJ)
• ensure that risk management practices are operating effectively within each Department
• provide a consolidated, and considered view of Departmental risks, to inform the Corporate Risk Register
• support the objectives of the Enterprise Risk Management Strategy, and the implementation of this, to further increase the maturity of risk management across GoJ
• provide assurance and advice to the ELT and Risk and Audit Committee in respect of the risks facing the Government and the plans to mitigate these risks; and
• review and update the Government's Risk Management Policy and Risk Management Strategy, making recommendations as necessary to ELT.
Source: Terms of Reference for Departmental Risk Group
- A review of a small sample of minutes from 2022 shows that the DRG discussed some specific risks such as cyber-security, health and safety, money laundering, climate change and business continuity. The DRG also considered the draft Risk Management Strategy.
- However, discussion and review of the Corporate Risk Register and departmental risk registers, which are key aspects of the role of the DRG, are difficult because the DRG does not have access to the Corporate Risk Register or departmental risk registers. Discussion and debate are therefore based on the corporate report produced by the Head of Risk, reports that have been presented on specific risks, deep dives' and on input provided by departmental representatives.
- The minutes seen as part of my review indicate some useful discussions on key risk areas but it is evident to me that the DRG is not consistently meeting its responsibilities and delivering its purpose as set out in the Terms of Reference.
- I have commented on the arrangements for reporting to CoM in earlier sections of this report.
Recommendation
R10 Review the Terms of Reference of the DRG to maximise its effectiveness. In doing so, clarify the purpose and corresponding information and access needs for the DRG as a resource to add value to the corporate risk management framework.
Risk management culture
- In 2017, the C&AG made a final recommendation regarding the culture for risk management. Exhibit 11 summarises the progress made in implementing this recommendation.
Exhibit 11: Progress in risk management culture recommendation
R18 In implementing the other recommendations in this report, focus on steps to secure cultural change within the States' workforce to embrace risk management as an integral tool of management.
Current position: Whilst risk management processes have been enhanced since 2017, more work is required to embed risk management as an integrated tool of management.
Evaluation: Partially implemented
Source: Jersey Audit Office analysis
- The Risk Management Strategy states that:
'The Government of Jersey, Council of Ministers and Executive Leadership Team have signed up to the following cultural statement regarding risk:
The Government of Jersey promotes a transparent "no surprises", "no blame" culture where well managed risk taking is encouraged.
Ministers and Managers lead by example to encourage the right behaviours and values.
Risk management behaviours and practices should be embedded into all Government activities including those with partners and Arms' Length Bodies (ALBs).'
100. The findings of my follow up review demonstrate that risk management in the States of Jersey has moved forward since the 2017 C&AG review. However, it is apparent that risk management is still not embraced as an integral tool of management. Examples from this review that demonstrate that risk management is not yet embedded as a fully effective tool include:
• the need to improve the timeliness and quality of the recording and scoring of risks, controls and actions on the departmental and corporate risk registers
• the need to demonstrate a link between Government Plans and departmental business plans and risks recorded in the risk registers
• the need to challenge departmental plans to ensure that actions planned result in an effective mitigation of risk
• the need to use risk appetite in a more dynamic way to analyse whether the impact and likelihood of identified risks are tolerable and whether associated actions are appropriate
• the need for a structured action plan for implementation of the Risk Management Strategy alongside mechanisms to record and report success measures and outcomes to management; and
• the need to harness the capacity of the DRG as a resource to inform risk management at a strategic level both within departments and ELT.
101. In addition, in my report on Governance and Decision Making during the COVID-19 pandemic (May 2022) I noted that risk assessment and management were not consistently embedded in political level decision making on the COVID-19 pandemic.
102. The implementation of the recommendations in this report should help the States of Jersey to embed a more effective risk management culture.
Appendix One – Audit Approach
The review included the following key elements:
• review of relevant documentation provided by the States of Jersey
• consideration of risk management processes at corporate level and within three specific departments – HCS, COO and the Probation and After-Care Service; and
• interviews with key officers within the States of Jersey.
Key documents reviewed included:
• C&AG review of Risk Management 2017 and GoJ response
• Risk Management Strategy 2022
• Risk Management Strategy 2020
• Risk Management online guidance
• CPMO Project classification and risk management slide deck – June 2022
• CPMO Logbook
• Risk and Audit Committee pack July 2022
• Risk and Audit Committee Terms of Reference
• C&AG effectiveness review of Risk and Audit Committee – February 2022
• COO Core SLT Agenda, 16 March 2022
• COO Core SLT Agenda, 27 April 2022
• DRG Agenda pack, 10 November 2021
• DRG Agenda pack, 4 May 2022
• DRG Terms of Reference, 2021
• DRG minutes, 2 February 2022
• DRG draft minutes, 4 May 2022
• ELT, Enterprise Risk Management Q1 2022 Report for 26 April 2022 meeting
• Government of Jersey, Corporate Risks, Q1 2022
• Government of Jersey, ELT, Deep Dive Report Q1 2022
• Government of Jersey, Risk Management Strategy, October 2020
• Government of Jersey, Risk Management Strategy, March 2022
• HCS, Quality and Risk Assurance Committee, Risk Management Report, 21 March 2022
• HCS, Top 11 risks, as at 15 June 2022
• Modernisation and Digital, Monthly Risk Committee, Slide pack, 21 January 2022
• Probation and After-Care Service, Top 10 risks extract, as at 9 June 2022
The following people contributed information through interviews or by correspondence:
• Chair, Risk and Audit Committee
• Chief of Staff
• Chief Officer, Probation and After-Care Service
• Head of Risk, OCE
• Governance and Compliance Manager, Modernisation and Digital, COO
• Business Continuity Consultant, COO
• Head of Corporate Services, COO
• HCS Head of Quality and Safety
• Risk Advisor, OCE
• Officer from CPMO, COO
• HCS Risk Manager
• HCS Board Secretary
• Chief Operating Officer
• PA to Chief Operating Officer
• Head of Business Support, COO
• Associate Director and Head of Organisation Development, COO
• Director General CLS
The fieldwork was carried out by affiliates working for the Comptroller and Auditor General.
Appendix Two – Summary of Recommendations, Work planned that should be prioritised and Areas for consideration
Recommendations
R1 Tailor information provided to strategic groups including CoM, ELT and the Risk and Audit Committee to present key messages more effectively at a strategic level and on a more timely basis. In doing so, ensure streamlining of the quarterly data pack to focus on the risk management of delivery of strategic priorities.
R2 Implement more effective arrangements to consider and integrate risks in States owned entities and arm's length bodies into the Corporate Risk Register.
R3 Develop an action plan to implement and monitor delivery of the 2022 Risk Management Strategy particularly around the key objectives, success measures and outcomes identified in the key focus areas.
R4 Formally review risk appetite across a range of dimensions on an annual basis.
R5 Undertake a full review of the Corporate Risk Register to ensure consistent interpretation of risks that may impact on delivery of Common Strategic Policy priorities and the Government Plan.
R6 Review the Managing Risk section in future Government Plans to ensure that it reflects high level risks of delivering the priorities in the Government Plan rather than a small sample of risks taken from the Corporate Register.
R7 Include significant risks that may impact on delivery of departmental business plans in these business plans.
R8 Undertake a full review, led by ELT, of all risks on the Corporate Risk Register to confirm that:
• inclusion as a risk and scoring is justified and a consistent interpretation of the guidance
• controls recorded are appropriate and meaningful; and
• recorded mitigating actions are robust and timetables are realistic.
R9 Enhance mechanisms to hold Accountable Officers to account for the effectiveness of mitigating controls and actions recorded on the risk register. In doing so, review the purpose and operation of the 'deep dive' processes operated by the Head of Risk and the Risk and Audit Committee to consider their effectiveness and ensure that they do not duplicate one another.
R10 Review the Terms of Reference of the DRG to maximise its effectiveness. In doing so, clarify the purpose and corresponding information and access needs for the DRG as a resource to add value to the corporate risk management framework.
Work planned that should be prioritised
P1 Complete the planned update to the Community Risk Register.
P2 Integrate CLS fully into the Enterprise Risk Management system.
P3 Complete the development of core objectives for risk management for Tier 1-3 staff, as part of the Performance Management Framework.
P4 Complete the work on the Competency Framework, including a reference to risk management as a core competency.
Areas for consideration
A1 Review the detailed content of the Risk Management Strategy alongside its supporting guidance to ensure that balance and level of detail are appropriate for users.
A2 Review whether any aspects of the risk management guidance should be mandated.
A3 Include more practical examples in the risk management guidance to help users in interpretation and to promote consistency in application. Areas that should be considered for practical examples include:
• population of the risk register
• scoring examples
• controls; and
• mitigating actions.
A4 Develop and implement a mandatory training programme on risk management processes.
A5 Enhance the system to document both initial (gross) risk and current (residual) risk to provide a better audit trail of risk, mitigating controls and action.
A6 Provide some specific training in risk management processes for States Members more widely.
A7 Review and determine the best way to improve sharing of risk registers across the States of Jersey risk community to enable additional learning from others in a controlled and measured way.