Corporate Risk Policy

We have a range of documents and files available to the public on our website. The file Corporate Risk Policy is below and you can download a copy, see any archive versions or view accessibility information.

policy

Legal terms and policies

Reading time approx: 8 minutes
Published on 23 March 2022

1.0 STRATEGY      

It is the strategy of the West Midlands Fire and Rescue Authority (WMFRA) to have in place a structured risk management framework that supports the assessment and treatment of its corporate risks. It is recognised that such a strategy will support the WMFRA in achieving its vision of ‘Making the West Midlands safer, stronger and healthier’.  

2.0 PURPOSE

The purpose of this policy is to outline corporate risk management for the West Midlands Fire Service on behalf of the WMFRA.

3.0 RESPONSIBILITY

Responsibilities are detailed within this document.

4.0 PROCEDURES

4.1 Definition of risk management

Risk management is the process of identifying issues, evaluating their potential outcomes, and then determining the most effective and efficient methods of controlling and/or responding to them.  

4.2 The benefits of risk management

An effective risk management framework will enable WMFRA to deliver its core functions of responding, preventing, and protecting, meet its statutory duties and obligations, safeguard its reputation, and demonstrate its ability to deliver value for money.  The benefits of an effective risk management framework include improved:

  • Corporate Governance
  • People engagement
  • Prevention activities
  • Protection activities
  • Response activities
  • Business Continuity and Preparedness
  • Data and Digital
  • Finance and Assets
  • Community Focus through:   
  • Improved internal and external reputation arising from all the above; and
  • Reduction in disruption arising from all the above

This is achieved through informed decision making based on risk identification, analysis, control, and monitoring.​

4.3 Corporate risk management arrangements

4.3.1 Definition of corporate risk

Corporate risks are those, which if they occurred, would seriously affect WMFRA’s ability to carry out its core functions or deliver the objectives and outcomes set out in ‘The Plan’.  This type of risk may be caused by several events or triggers which take place within West Midlands Fire Service or because of external influences. 

4.3.2 Identification

Within West Midlands Fire Service, corporate risks may be identified in a variety of ways, for example by:

  • The Strategic Enabling Team (SET), as part of the individual owners of the Corporate Risks, and as part of their collective responsibility in reviewing ‘The Annual Plan’, and the convergent Community Risk Management Plan and Medium-Term Financial Plan
  • The Strategic Performance Review (SPR) meeting as part of its role in monitoring and managing strategic performance information.
  • The WMFRA and the Audit & Risk Committee as part of its strategic role in managing risk within the service.

4.3.3 Description

All corporate risks are described clearly so that the nature of the risk is understood for example, ‘Unable to respond to (a certain anticipated event), resulting in (the unplanned or unwanted event occurring)’.  Each risk is then considered against one or more of the following categories:-

  • External (Political and Legislative) Environment:
    • The Fire Authority is unable to positively position itself within public service reform to sustain and create new services resulting in reduced confidence, credibility and/or reputational damage.
  • People: 
    • The Fire Authority is unable to maintain positive staff consultation and engagement, resulting in an inability to deliver strategic objectives, outcomes, and continuous improvement. 
    • The Fire Authority is unable to deliver its Service Delivery Model effectively, because of insufficient or ineffective employees, throughout the organisation, resulting in reduced confidence and credibility, and increased reputational damage. 
    • The Fire Authority is unable to meet its statutory duties to provide a safe and healthy workplace and protect the environment, resulting in a significant failure and reduced confidence and credibility, and increased criminal proceedings, litigation, and reputational damage.
  • Prevention:
    • The Fire Authority is unable to engage with the most vulnerable members of the community and reduce community risk resulting in increased fire and non-fire related incidents, fatalities, and injuries.
    • The Fire Authority is unable to establish effective partnership arrangements and deliver community outcomes, resulting in a significant impact upon the organisation’s financial standing, reputation, and ability to deliver key objectives.
  • Protection:
    • The Fire Authority is unable to effectively discharge its duties under the Regulatory Reform (Fire Safety) Order and associated legislation, resulting in a decline in non-domestic fire safety standards; reduced confidence and credibility; and increased litigation and reputational damage.
  • Response:
    • The Fire Authority is unable to ensure that operational incidents are dealt with safely, assertively, and effectively using appropriate levels of resources and personnel, resulting in increased firefighter and community risk; reduced confidence and credibility; and increased reputational damage.
    • The Fire Authority is unable to maintain its command and control function, resulting in an inability to receive, process and respond to emergency calls effectively, so increasing community risk; reducing confidence and credibility; and increasing reputational damage.
  • Business Continuity & Preparedness
    • The Fire Authority is unable to provide business continuity arrangements, to maintain delivery of core functions, because of extensive disruption to normal working arrangements, including national and international deployments, significant and major events, resulting in increased community risk; reduced confidence; increased reputational damage; and external scrutiny.
  • Digital and Data
    • The Fire Authority is unable to provide and maintain an effective digital and data provision to support the delivery of core functions, resulting in significant disruption to the organisation’s functionality, reduced confidence, credibility, reputational damage, and external scrutiny.
    • The Fire Authority is unable to provide effective management and security of organisational information and documentation including the receipt, storage, sharing and transfer of information and data resulting in reputational damage, litigation, substantial fines, and external scrutiny.
  • Finance & Assets
    • The Fire Authority is unable to deliver its statutory responsibilities, predominantly through the Service Delivery Model, due to insufficient funds, resulting in external scrutiny and intervention; reduced confidence and credibility; and increased reputational damage.
    • The Fire Authority is unable to deliver effective financial management arrangements, due to misuse of funds, resulting in external scrutiny, intervention, and litigation.

Or any other category considered appropriate to adequately assess a given risk.

4.3.4 Ownership

There are certain roles within the service to which specific responsibilities are assigned in relation to Corporate Risk.  These roles include:

  • Strategic Enabling Team (SET):
    • SET members are the owners of the individual Corporate Risks.  They will show a commitment to the ownership of the risk management framework; agreeing and supporting the risk management strategy; identifying corporate risks and determining the effectiveness of associated control measures, demonstrating a willingness to accept risk in a managed way and within agreed tolerance levels.
    • SET members will have the overall responsibility for monitoring the progress being made in managing a given corporate risk.  This includes providing an overall confidence opinion as to the effectiveness of the control environment.
    • SET members are responsible for implementing the agreed control measures to manage the risk.  This includes providing an assurance opinion to the effectiveness of the control measures for which they are responsible.
  • Strategic Performance Review (SPR) Meeting:
    • A quarterly meeting of SET, that includes a formal review of the Corporate Risk Assurance Map evaluated as an outcome of other strategic performance reporting systems. The dependencies of all performance reporting systems advise the deletion or addition of corporate risks
  • Strategic Hub
  • The Risk Owner will be supported by the Strategic Hub to support the process and present the relevant information to the Strategic Enabling Team (SET) on a quarterly basis.  This information will be presented in the form of a Corporate Risk Assurance Map which will include:
  • A description of the risk to the organisation
  • Any links between the risk and organisational objectives
  • A summary of those events which may cause the risk to occur (triggers)
  • A summary of the likely impacts if the risk does occur
  • Details of any existing or proposed control measures designed to reduce the likelihood or impact associated with the risk
  • Details of the assurance provided for control measures designed to reduce the likelihood or impact associated with the risk
  • An estimation of the level of the risk
  • An overall confidence opinion as to the quality of the risk control environment, including any elements of risk arising from 3PT projects
  • The Strategic Hub will prepare the report to be presented to the Audit & Risk Committee on a six-monthly basis.
  • WMFRA and the Audit & Risk Committee:
    • The Corporate Risk Assurance Summary and a detailed report will be submitted twice a year to the Audit & Risk Committee and at least annually to the Fire Authority (via the Audit & Risk Committee minutes).  This is to enable Members to understand the strategic risks faced by the service and to participate in their ownership through analysis and questioning and promoting a positive attitude towards the management of risk.

4.3.5 Estimation 

The estimation of corporate risk combines the two elements of LIKELIHOOD and IMPACT, that is:

Risk estimation = likelihood x impact (Image below)

The likelihood is a measure of the probability of a given risk occurring, using a scale of 1 (LOW) to 4 (HIGH). 

The impact is a measure of the severity or loss of opportunity should that risk occur, again using a scale of 1 (LOW) to 4 (HIGH). 

The risk estimation is informed by using the relevant descriptors of likelihood and impact with the overall score being the highest value obtained.  The descriptors will be reviewed periodically as part of the review of the risk management strategy and presented to the Audit & Risk Committee for approval.

4.3.6 Evaluation

The purpose of risk management is not to eliminate all risk, but to reduce it to a level that is considered acceptable within an organisation, or to society.

Evaluation is undertaken to make informed decisions as to the significance of the risks to the Authority and to determine whether they will be accepted and what level of monitoring will be required.

As part of the evaluation process, a target score will be established for each risk by the relevant owner.  This target score provides an indication of the Authority’s risk appetite and acts as a guide for the allocation of time, effort and resources when managing a specific risk.

4.3.7 Reporting and Corporate Risk Assurance Summary

The Corporate Risk Assurance Summary is designed to provide an overview of the service’s corporate risks, the risk owners, the risk rating, and a direction in travel judgement based upon comparison with the previous review. 

Each Corporate Risk Assurance Summary will be supported by a detailed report, designed to provide an update of the effectiveness of the control environment including confirmation of the overall risk rating, significant changes, amendments or additions to risk control measures and the identification of any assurances provided to risk controls. Both the summary and the report will be reported to the SPR meeting on a quarterly basis.

The Audit & Risk Committee will be presented with the summary and a detailed report twice yearly.  If there is any significant change to the corporate risk environment, the Audit & Risk Committee will be informed of this at the next available Audit & Risk Committee meeting.  To build and maintain the Audit & Risk Committee Members capability and to ensure their continued engagement in corporate risk issues, timely and relevant reports on specific corporate risk topics will be presented by Officers to the Audit & Risk Committee.   

Both the summary and report will be available to the public via the Committee Management Information System (CMIS).  

4.4 Review and Audit

The management of risk within the organisation and the effectiveness of the risk management strategy will be subject to an ongoing review process.  Risk Management is a core component of the services internal audit plan and strategy and aspects of it are reviewed annually.     ​This review is conducted by the Internal Audit Section at Sandwell Metropolitan Borough Council.

5.0 DOCUMENT CONTROL AND AUDIT

Audit 
Responsible SET Member Accountable  Portfolio
Authorised byRich Stanton
Direct enquiries toPolicyofficers@wmfs.net
EIA (Date Completed & Name)Complete. TBC
PIA (Date Completed & Name)Complete TBC
Review History 
Version #DateReviewed By
1.01/3/2016Strategic Hub
2.01/7/2021Michele Pym
Amendment History 
Version #DateAmended BySection AmendedAmendmentReason for change
2.001.08.21.Michele PymAll Sections  This policy has been updated to reflect current work practices.  The process for reporting of Corporate Risk was reviewed during Business Continuity (June 2020) and the updated policy reflects this.  Terminology has been changed to SET rather than Corporate Board amongst other changes.  The policy is concise, and duplication has been removed.The Corporate Risk Policy was out of date.  The process for reporting of Corporate Risk has changed, the policy had not.  It has been brought up to date to reflect how the business operates its Corporate Risk.