Risk Management Strategy 2011-14 Executive Summary

This risk management strategy is part of a suite of performance management documents which show how we intend to shape the work we do and join our activities together to achieve our aims and objectives within the London Safety Plan. This document sets out the priorities for continuing to improve in the way we manage risk. Its purpose is to clearly show how we will deal with uncertainty to ensure continuity of service, support effective decision making, improve resource efficiency and deliver value for money. London Fire Brigade (LFB) is committed to the provision of services that contribute to making London a safer city and this commitment will be supported through the system of risk management outlined in this document. Our plans for making London a safer city are set out in our London Safety Plan and we have six main aims. These are; 1. Prevention: Engaging with Londons communities to inform and educate people in how to reduce the risk of fires and other emergencies; 2. Protection: Influencing and regulating the built environment to protect people, property and the environment from harm; 3. Response: Planning and preparing for emergencies that may happen, and making a high quality, effective and resilient response to them; 4. Resources: Managing risk by using our resources flexibly, efficiently and effectively, continuously improving the way we use public money;

5. People: Working together to deliver the highest quality services within a safe and positive environment for everyone in the organisation; 6. Principles: Operating in accordance with our values, and ensuring that safety, sustainability, partnership and diversity run through all our activities. The risk management strategy directly supports strategic aim number four: Resources. However, the strategy underpins all our aims by making sure that our strategic objectives are met by addressing any risks that may prevent the successful delivery of those objectives.

Risk Management History

The first risk management strategy set out a 3 year plan as to how the risk management framework was to be applied within the organisation, the areas that needed to be progressed and the responsibility for making it happen. The new strategy builds on the foundation of the earlier approach, setting new 3 year targets and milestones for achievement in order to secure continual improvement and delivery of our objectives

Risk Management Framework

By nature, fire and rescue services are underpinned by risk based activities. We remain a unique service dedicated to drilling and training our staff to deal with risk, enabling them to make sound risk based decisions on the incident ground. However, to assume that all risk is the same; that risk only threatens the organisation; and that risk is to be eliminated at all costs will result in less innovation to develop the performance of LFB both internally and externally. It is clear to us now that management decisions need to be made on the basis of good consistent risk information risk management is a part of good management overall and that a sound understanding of the possible consequences (both positive and negative) combined with a forecast of the likely outcomes of taking action should be undertaken.

A wide range of risks occur by accident, mishap or mistake rather than by design. Many mistakes are not caused by individual error but as a result of an underlying system failure. Most worrying are those untoward events that result from a lack of clear policy, deficient working practices, poorly defined responsibilities, inadequate communications or staff working beyond their competence. The challenge is to reduce, as far as is practicable, the potential for such events, by being proactive in the management of risk. Our risk management framework is based on the following key principles: There is CMB and management commitment to, and leadership of, the total risk management function. The Brigade will continue to develop its risk management framework to include the formal application of the risk management process to all areas of its business. There is widespread employee participation and consultation in the risk management process. Risk management will support the organisation in achieving its aims and objectives. The risk management priorities and activities must be undertaken within an appropriate timeframe to help the organisation achieve its objectives. There are appropriate resources available, including people, knowledge and budget. Progress against this strategy is monitored, reviewed and reported. The strategy is reviewed annually to ensure it is aligned with the objectives and challenges facing the organisation and reflects relevant changes in the internal and external contexts.

Where We Are Now

The organisation has made significant strides in its understanding and application of strategic risk management. There is now a wide range of risk information available, helping to inform decisions about where the organisation needs to place resources, manage expectations and likely sources of uncertainty in the future. Risk information has been integrated into performance reporting so that it is considered in the round against indicators, targets, projects, budgets and local departmental performance.

Culture
The organisation is no newcomer to dealing with risk. Long before the risk management system existed, the organisation was well versed in risk assessment, particularly in the area of dynamic risk decision making on the incident ground. However, there is now a real commitment and language of risk within the Authority. Very few discussions now take place without consideration of risk and what measures there are/need to be in order to manage the area of uncertainty in the best possible way.

Going Forward
The major challenge for strategic risk management for the future is to make sure that it remains relevant and continues to add value to the organisation. In acknowledging how far we have come, we must be careful not to stagnate and we must keep pushing the sophistication and application of risk management. It should always be remembered that risk management is another tool in the good management skill set, and is in place to support the achievement of our objectives.

In gathering our risk information, we must be sure that we concentrate on the clear priorities for the organisation and that risk management does not become confused by the inclusion of peripheral matters. As some of the information has existed for a long time, we will revisit these risks to ensure that the most important triggers, impacts and controls are reflected.

strategic risk management can be made more applicable at the operational level. Some of this work has been started through the partnership risk toolkit and the introduction of the Performance Management Framework (PMF) System which supports risk management. Borough risk registers are developing and this will help to shape the organisations risk view through the inclusion of local operational issues and concerns. However, further work is needed to continue the growth of strategic risk management in this operational area. We will endeavour to provide continuing support to borough commanders (in particular) through programmes such as the middle managers development programme, attendance at borough commander meetings and specialised training courses (such as Embedding Enterprise Risk Management) We will formulate a strategy for providing awareness of strategic risk management and development opportunities as appropriate for Station, Watch and Crew Managers We will continue to enhance the PMF risk module so that it meets the needs of our operational users and encourages use of the system

Leadership
Risk management is as much about empowerment, supporting innovation and seizing opportunities through informed decision making as it is about defending against negative threats and preventing adverse things from happening. This strategy follows on from the intention of the previous strategy: to continue to help the organisation broaden its understanding of risk, from one that has naturally needed to focus on incident based operational risk, to one that considers all risks to the brigade as a whole, both corporate and operational, especially those that may affect its strategic objectives. Corporate risks are owned by the Commissioner, Deputy Commissioner and Directors and this clearly demonstrates top-down commitment and support from the Executive. This leadership continues to demonstrate the importance of risk management throughout the organisation and communicates that it is the role of all employees to contribute to the effective management of our risks. Leadership will also be provided by the Head of Strategy and Performance, and the strategic risk team to promote and deliver the risk management framework and business processes that support its delivery.

Risk and Performance

Risk management is a critical strand of good performance management. Over the past 3 years, risk information has been integrated into the performance management reporting suite so that risk information can be considered in the round against other performance indicators. Risk management needs to show how it contributes to good performance and to this end, we will; Enable the production of local risk and performance reports to aid management

Operational Relevance
Risk information at the corporate and departmental levels is well maintained and understood. One of the remaining challenges is to understand how

Promote understanding of how risk management is linked to performance against targets and indicators Work with Human Resources and Development to explore how risk management responsibilities and actions could be evaluated as part of staff appraisals (PRDS)

performance as a whole exceeds the risk tolerance limit, consideration will be given to providing a full stop on further change activity which may introduce more risk into the organisation. Both the risk appetite and risk profile of the organisation will be continuously monitored by the Corporate Management Board and formally reviewed at least annually to check that the risk appetite remains appropriate to deliver the organisations objectives in light of internal and external drivers and constraints.

Risk Appetite
The organisation made progress with the concept and application of risk appetite in 2010 setting out its first risk appetite statement. Although risk management remains a largely subjective judgement (this judgement is tempered by experience, expert opinion and wider consensus), risk appetite provides the means to assess whether the organisation (and component parts) are operating within acceptable limits. In line with other public sector organisations, the risk appetite of the Brigade can be summarised as being low to low-medium. The full details relating to risk appetite can be found within the risk appetite statement published with the Annual Governance Statement, however, a standard risk tolerance threshold has been set for corporate risks and the majority of departments and boroughs (with some departments selecting a higher or lower risk tolerance limit depending upon their unique risk exposure). This has enabled the organisation to produce risk profiles of the corporate and departmental areas to assess the risk management priorities for the Brigade. Where performance is said to be within limits, a business case for taking on more risk (through assessment of desirable outcomes) can be made. Where performance is said to be over limits, risk management prioritisation measures can be taken (e.g. relocation of resource (staff, funding, expertise)) to manage the risk back to within acceptable limits or options can be considered as to whether the risk can be transferred, terminated or tolerated at its current rating. Where organisational

Risk Training
In order to continue the development and application of risk management, staff need to have access to relevant training to encourage application of best practice methods. We will review risk management training to ensure; All staff have guidance in learning to manage risk That risk management and business continuity is embedded proportionately at every level of the organisation Senior managers are able to make risk based decisions using the information available from the organisations risk management system and tools All staff know how to identify risk and how to escalate concerns or issues so that they are captured within the risk management framework

Over the past 3 years we have run 12 Management of Risk and Uncertainty/Embedding Enterprise Risk Management Courses for middle and senior managers. We will review the appropriateness of this course and source others (funding permitting) for the next 3 years so that managers have a relevant training/refresher course to hone skills and continue to develop their risk management competence.

Full details of the risk training strategy can be found in the Risk Management Training and Communications Strategy. Levels of competence by staff grade are included in this strategy as well as the Risk Policy.

Areas for Improvement

Since the original risk strategy, the organisation has undertaken a number of benchmark assessments both internally and externally to assess the effectiveness of the risk management framework. The most recent of these has been the Alarm (the public sector risk management association) /CIPFA benchmarking model which compares the relative maturity of risk management in public sector organisations. The 2011 benchmarking exercise revealed that the organisation has reached the highest level of the assessment (Driving) in both Risk Management Enablers and Risk Management Results (Outcomes). In terms of improvement, there were two areas which need further action to bring them in line with the other aspects of the risk management system. These were: Escalation and Reporting Systems Skills and guidance (capability)

Governance
Governance and risk management are becoming more and more intertwined as both disciplines develop. The risk management framework identifies the key controls that are integral to our governance processes and this in turn contributes towards the evidence collation for the Statements of Assurance and the Annual Governance Statement. To this end, the Head of Strategy and Performance will work with other departmental heads to clearly and consistently identify governance controls and effective reporting mechanisms to make sure risk management actions are assessed for their effectiveness. Governance of risk management is another matter. The Authority, Audit Committee and Corporate Management Board (CMB) will receive timely and regular reports, as appropriate, to monitor the progress of the risk management strategy and the effectiveness of the system of risk management so that assurance is given regarding the identification of the most prominent risks and associated status (and progress) of control measures. Where necessary, departmental risk information will be escalated to CMB for decision as to whether the status of a risk needs to be elevated to a strategic one. The strategic risk team will also continue to review risk information to ensure it is relevant and is useful to meet the needs of the organisation.

Interaction and involvement with elected members is a key component of performance in these areas. We will review how and what members receive in terms of risk information so that the escalation and reporting systems are more visible at this level. In addition, we will also examine how best to induct new starters in the specifics of the risk management framework in order to improve the overall skills and guidance capability of the organisation.

Quantitative Risk Assessment

One of the biggest objections that risk management comes up against is challenge over its subjectivity. Many business factors can be measured, counted and valued. Risk management can also meet these requirements but as it is a judgement, it is always open to interpretation and differences of opinion. The level of subjectivity can be reduced by gaining a consensus from a wider assessment panel, using historical data and trend analysis.

However, the element of uncertainty remains if and when a risk occurs and the exact level of impact it will have, will always be unknown until after the event. To tackle this perception, and consolidating on the level of sophistication now apparent in the organisation, we will explore the use of quantitative techniques for the assessment of certain key risks. This will provide a different and more detailed analysis of their likelihood and impact. A more statistical approach will provide greater credibility to the information already gathered in relation to the strategic risks. Using a combination of both scientific methodology and data derived from expert judgement will give greater assurance as to the level of confidence we can put in our controls. This in turn, will help inform risk appetite and risk resource allocation.

Positive Risk
Positive or upside risk is a difficult concept and hard to apply as it seems to contradict traditional risk management and its focus on threats. Risk management experts still havent arrived at a clear way to turn this into a practical concept especially where the outcome relates to more than just a monetary return on investment. However, we still believe that there is value in exploring the concept especially where a decision is needed as to whether to proceed with an activity and for assessing the balance between positive outcomes and negative threats. We will continue to work on acquiring a practical application for positive risk and introduce this as appropriate to the organisation. It is likely that the concept will merge with risk appetite as that particular methodology becomes more readily understood throughout the Brigade.

Risk management and business continuity and other frameworks

A key mechanism for improving risk management awareness, knowledge, capability and future performance is to ensure that the Brigade learns from risk events. Much of this will be achieved by the adoption of an active approach to the review of all risk occurrences, and these are adequately reported and recorded. One of the most visible forums for this will be the business continuity debrief meetings and the learning points from these meetings. To this end, the strategic risk team will continue to formally communicate items of interest between the risk management and business continuity frameworks as well as ensuring that reports between the two disciplines are consistent. Delivery of the risk management framework will also be undertaken with consideration to other strategies and frameworks in the organisation, especially the planning and project frameworks which draw significantly upon risk information.

External links
We will continue to work with others to develop our own thinking and application behind risk management. Where it is deemed beneficial for the profile of the London Fire Brigade then we will seek to network and obtain membership of relevant professional bodies to further understanding of risk management in the fire service and across the public sector. We will continue to work with Alarm and the Fire Special Interest Group in particular to help raise the standard of risk management in our own sector. We will also contribute to the GLA Risk Forum and the CIPFA Risk Advisory Panel as appropriate.