We have a range of documents and files available to the public on our website. The file Corporate Risk Policy is below and you can download a copy, see any archive versions or view accessibility information.
It is the strategy of the West Midlands Fire and Rescue Authority (WMFRA) to have in place a structured risk management framework that supports the assessment and treatment of its corporate risks. It is recognised that such a strategy will support the WMFRA in achieving its vision of ‘Making the West Midlands safer, stronger and healthier’.
The purpose of this policy is to outline corporate risk management for the West Midlands Fire Service on behalf of the WMFRA.
Responsibilities are detailed within this document.
4.1 Definition of risk management
Risk management is the process of identifying issues, evaluating their potential outcomes, and then determining the most effective and efficient methods of controlling and/or responding to them.
4.2 The benefits of risk management
An effective risk management framework will enable WMFRA to deliver its core functions of responding, preventing, and protecting, meet its statutory duties and obligations, safeguard its reputation, and demonstrate its ability to deliver value for money. The benefits of an effective risk management framework include improved:
Business Continuity and Preparedness
Data and Digital
Finance and Assets
Community Focus through:
Improved internal and external reputation arising from all the above; and
Reduction in disruption arising from all the above
This is achieved through informed decision making based on risk identification, analysis, control, and monitoring.
4.3 Corporate risk management arrangements
4.3.1 Definition of corporate risk
Corporate risks are those, which if they occurred, would seriously affect WMFRA’s ability to carry out its core functions or deliver the objectives and outcomes set out in ‘The Plan’. This type of risk may be caused by several events or triggers which take place within West Midlands Fire Service or because of external influences.
Within West Midlands Fire Service, corporate risks may be identified in a variety of ways, for example by:
The Strategic Enabling Team (SET), as part of the individual owners of the Corporate Risks, and as part of their collective responsibility in reviewing ‘The Annual Plan’, and the convergent Community Risk Management Plan and Medium-Term Financial Plan
The Strategic Performance Review (SPR) meeting as part of its role in monitoring and managing strategic performance information.
The WMFRA and the Audit & Risk Committee as part of its strategic role in managing risk within the service.
All corporate risks are described clearly so that the nature of the risk is understood for example, ‘Unable to respond to (a certain anticipated event), resulting in (the unplanned or unwanted event occurring)’. Each risk is then considered against one or more of the following categories:-
External (Political and Legislative) Environment:
The Fire Authority is unable to positively position itself within public service reform to sustain and create new services resulting in reduced confidence, credibility and/or reputational damage.
The Fire Authority is unable to maintain positive staff consultation and engagement, resulting in an inability to deliver strategic objectives, outcomes, and continuous improvement.
The Fire Authority is unable to deliver its Service Delivery Model effectively, because of insufficient or ineffective employees, throughout the organisation, resulting in reduced confidence and credibility, and increased reputational damage.
The Fire Authority is unable to meet its statutory duties to provide a safe and healthy workplace and protect the environment, resulting in a significant failure and reduced confidence and credibility, and increased criminal proceedings, litigation, and reputational damage.
The Fire Authority is unable to engage with the most vulnerable members of the community and reduce community risk resulting in increased fire and non-fire related incidents, fatalities, and injuries.
The Fire Authority is unable to establish effective partnership arrangements and deliver community outcomes, resulting in a significant impact upon the organisation’s financial standing, reputation, and ability to deliver key objectives.
The Fire Authority is unable to effectively discharge its duties under the Regulatory Reform (Fire Safety) Order and associated legislation, resulting in a decline in non-domestic fire safety standards; reduced confidence and credibility; and increased litigation and reputational damage.
The Fire Authority is unable to ensure that operational incidents are dealt with safely, assertively, and effectively using appropriate levels of resources and personnel, resulting in increased firefighter and community risk; reduced confidence and credibility; and increased reputational damage.
The Fire Authority is unable to maintain its command and control function, resulting in an inability to receive, process and respond to emergency calls effectively, so increasing community risk; reducing confidence and credibility; and increasing reputational damage.
Business Continuity & Preparedness
The Fire Authority is unable to provide business continuity arrangements, to maintain delivery of core functions, because of extensive disruption to normal working arrangements, including national and international deployments, significant and major events, resulting in increased community risk; reduced confidence; increased reputational damage; and external scrutiny.
Digital and Data
The Fire Authority is unable to provide and maintain an effective digital and data provision to support the delivery of core functions, resulting in significant disruption to the organisation’s functionality, reduced confidence, credibility, reputational damage, and external scrutiny.
The Fire Authority is unable to provide effective management and security of organisational information and documentation including the receipt, storage, sharing and transfer of information and data resulting in reputational damage, litigation, substantial fines, and external scrutiny.
Finance & Assets
The Fire Authority is unable to deliver its statutory responsibilities, predominantly through the Service Delivery Model, due to insufficient funds, resulting in external scrutiny and intervention; reduced confidence and credibility; and increased reputational damage.
The Fire Authority is unable to deliver effective financial management arrangements, due to misuse of funds, resulting in external scrutiny, intervention, and litigation.
Or any other category considered appropriate to adequately assess a given risk.
There are certain roles within the service to which specific responsibilities are assigned in relation to Corporate Risk. These roles include:
Strategic Enabling Team (SET):
SET members are the owners of the individual Corporate Risks. They will show a commitment to the ownership of the risk management framework; agreeing and supporting the risk management strategy; identifying corporate risks and determining the effectiveness of associated control measures, demonstrating a willingness to accept risk in a managed way and within agreed tolerance levels.
SET members will have the overall responsibility for monitoring the progress being made in managing a given corporate risk. This includes providing an overall confidence opinion as to the effectiveness of the control environment.
SET members are responsible for implementing the agreed control measures to manage the risk. This includes providing an assurance opinion to the effectiveness of the control measures for which they are responsible.
Strategic Performance Review (SPR) Meeting:
A quarterly meeting of SET, that includes a formal review of the Corporate Risk Assurance Map evaluated as an outcome of other strategic performance reporting systems. The dependencies of all performance reporting systems advise the deletion or addition of corporate risks
The Risk Owner will be supported by the Strategic Hub to support the process and present the relevant information to the Strategic Enabling Team (SET) on a quarterly basis. This information will be presented in the form of a Corporate Risk Assurance Map which will include:
A description of the risk to the organisation
Any links between the risk and organisational objectives
A summary of those events which may cause the risk to occur (triggers)
A summary of the likely impacts if the risk does occur
Details of any existing or proposed control measures designed to reduce the likelihood or impact associated with the risk
Details of the assurance provided for control measures designed to reduce the likelihood or impact associated with the risk
An estimation of the level of the risk
An overall confidence opinion as to the quality of the risk control environment, including any elements of risk arising from 3PT projects
The Strategic Hub will prepare the report to be presented to the Audit & Risk Committee on a six-monthly basis.
WMFRA and the Audit & Risk Committee:
The Corporate Risk Assurance Summary and a detailed report will be submitted twice a year to the Audit & Risk Committee and at least annually to the Fire Authority (via the Audit & Risk Committee minutes). This is to enable Members to understand the strategic risks faced by the service and to participate in their ownership through analysis and questioning and promoting a positive attitude towards the management of risk.
The estimation of corporate risk combines the two elements of LIKELIHOOD and IMPACT, that is:
Risk estimation = likelihood x impact (Image below)
The likelihood is a measure of the probability of a given risk occurring, using a scale of 1 (LOW) to 4 (HIGH).
The impact is a measure of the severity or loss of opportunity should that risk occur, again using a scale of 1 (LOW) to 4 (HIGH).
The risk estimation is informed by using the relevant descriptors of likelihood and impact with the overall score being the highest value obtained. The descriptors will be reviewed periodically as part of the review of the risk management strategy and presented to the Audit & Risk Committee for approval.
The purpose of risk management is not to eliminate all risk, but to reduce it to a level that is considered acceptable within an organisation, or to society.
Evaluation is undertaken to make informed decisions as to the significance of the risks to the Authority and to determine whether they will be accepted and what level of monitoring will be required.
As part of the evaluation process, a target score will be established for each risk by the relevant owner. This target score provides an indication of the Authority’s risk appetite and acts as a guide for the allocation of time, effort and resources when managing a specific risk.
4.3.7 Reporting and Corporate Risk Assurance Summary
The Corporate Risk Assurance Summary is designed to provide an overview of the service’s corporate risks, the risk owners, the risk rating, and a direction in travel judgement based upon comparison with the previous review.
Each Corporate Risk Assurance Summary will be supported by a detailed report, designed to provide an update of the effectiveness of the control environment including confirmation of the overall risk rating, significant changes, amendments or additions to risk control measures and the identification of any assurances provided to risk controls. Both the summary and the report will be reported to the SPR meeting on a quarterly basis.
The Audit & Risk Committee will be presented with the summary and a detailed report twice yearly. If there is any significant change to the corporate risk environment, the Audit & Risk Committee will be informed of this at the next available Audit & Risk Committee meeting. To build and maintain the Audit & Risk Committee Members capability and to ensure their continued engagement in corporate risk issues, timely and relevant reports on specific corporate risk topics will be presented by Officers to the Audit & Risk Committee.
Both the summary and report will be available to the public via the Committee Management Information System (CMIS).
4.4 Review and Audit
The management of risk within the organisation and the effectiveness of the risk management strategy will be subject to an ongoing review process. Risk Management is a core component of the services internal audit plan and strategy and aspects of it are reviewed annually. This review is conducted by the Internal Audit Section at Sandwell Metropolitan Borough Council.
5.0 DOCUMENT CONTROL AND AUDIT
Responsible SET Member Accountable
Direct enquiries to
EIA (Date Completed & Name)
PIA (Date Completed & Name)
Reason for change
This policy has been updated to reflect current work practices. The process for reporting of Corporate Risk was reviewed during Business Continuity (June 2020) and the updated policy reflects this. Terminology has been changed to SET rather than Corporate Board amongst other changes. The policy is concise, and duplication has been removed.
The Corporate Risk Policy was out of date. The process for reporting of Corporate Risk has changed, the policy had not. It has been brought up to date to reflect how the business operates its Corporate Risk.
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Cookies for analytics
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website and user experience.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
What Are Cookies
You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site.
The Cookies We Set
Forms related cookies - When you submit data to through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.
Site preferences cookies - In order to provide you with a great experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.
This site uses Google Analytics which is one of the most widespread and trusted analytics solutions on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content. For more information on Google Analytics cookies, see the official Google Analytics page.
From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.