Partnership risk management
Risk is the chance of something happening that will have an impact on a partnership achieving it's objectives. It needs to be identified and carefully managed.
There are 6 steps in "PRAM" that take you through the key stages of the Risk Management Cycle: Identifying, Analysing, Prioritising and Monitoring. Step 1 looks at the requirements for risk management within the partnership and what needs to be thought out and agreed at the outset before any formal risk assessment begins.
Step 1: Identify the resource - Risk Management Plan
Risk Management will not happen unless it is properly resourced. This includes the provision of people, time and in some cases finance to make it happen. Depending on the partnership type, some kind of agreed plan for managing, monitoring and reporting risk will need to be agreed on from the start between the partners involved.
Your partnership plan will need to describe:
- What resources are available - these should be agreed from the outset, based on the scale of the partnership and re-affirmed throughout
- Management and administrative arrangements - how risks will be managed effectively by the partnership and by each partner, this will include how often the risks will be reviewed.
The idea is to ensure that risk is being considered as an integral part of the partnerships strategic and operational planning from the outset.
Step 2: Partnership Risk Assessment checklist
"PRAM" provides partnerships with a comprehensive checklist of potential risks to cover both "Partnership Strategic Risks" and "Partnership Operational Risks". Please access and use these checklists to help identify potential weaknesses within your partnership that may be at risk. Please remember that these checklists are only a guide to help your partnership risk assess against some of the more common strategic and operational risks that have been found within weak partnerships.
The Category List provides more strategic areas that may be affected by risk. Please give serious consideration to each of these areas when making your assessment.
Recording and Management of Risk
Once you have identified and agreed as partners what the main strategic and operational risks are you will need to record and manage them accordingly. To help with this PRAM provides you with a downloadable Partnership Risk Assessment Action Plan Register. The Partnership RAAP as it is known has been specifically developed as both a risk register and action plan to help you record and manage your risks effectively.
When entering information onto the RAAP please ensure that each risk is recorded separately, that they have allocated a unique reference number that can clearly show the number of risks within each objective. Also that all fields have been completed. You may end up with a number of objectives that hold multiple risks. These should all be contained and managed within one comprehensive risk register.
It is important that the partnership follows one risk management approach and methodology for assessing risk, also that one comprehensive risk register is operating i.e. that contains a number of objectives and their risks. Allowing each partner to operate and apply their own risk assessment methods and hold different risk registers will cause confusion, make it difficult to manage and defeats the objective and ethos of partnership working.
The RAAP enables the mapping of objectives and their risks to "Team Bury's" Ambitions. This provides an opportunity for the Public Service Board and Executive of "Team Bury" to better understand the type and degree of risk being managed across the various strategic partnerships.
Step 3: Making the assessment
Once the partnership has agreed on the risks it faces, there will be a need to assess the level of threat that is presented by each risk in turn. By assessing the threat level will help you to prioritise and identify those that pose the greatest threat to the partnership in achieving it's objectives.
Risks should be assessed in terms of their:
- Likelihood - how likely is the risk to occur?
- Impact - what would the impact be if it did occur?
Within PRAM both these elements are provided with a score of between 1 - 5 using the definitions provided in the Likelihood and Impact definition tables.
Please remember that the Impact of a risk should be considered using the various categories as provided for you in the Category List.
The impact can affect one or many of these categories. In assessing impact it is important to understand what your risk appetite is i.e. the level of risk impact you are willing to accept as a partnership. In addition, it is important to understand who the risk affects most. Does it affect the entire partnership or is it a risk to one or two of the partners involved. Within the RAAP there is an area to record your risk appetite or tolerance level, this is your target risk score!
Remember the Impact table will assist in determining what level of impact a particular risk will present across these categories. The definitions provided are examples only, you are free to adapt them to suit your partnership in order that you reach a consensus on the impact score for each risk .
Step 4: Determining high, medium and low risk - Using PRAM's 5x5 scoring matrix
The agreed scores should then be combined (Likelihood x Impact) to provide an overall risk score. This risk score should be recorded onto the correct RAAP Register being updated for that risk. The risk score should also be plotted onto the PRAM Grading Matrix with scores. The risk matrix indicates whether it is a high (red), medium (amber) or low risk (green). A high, medium and low guide has been provided to help you agree on what actions/decisions your partnership or partners will now need to take. Again, the RAAP allows you to record both what further control measures you are going to take and the strategic decisions being made.
Step 5: Making the decision - What is your risk appetite?
"PRAM" offers a number of options (decisions) that will need to be made following each risk assessment and resulting score. These include:
To accept the risk - Acceptance
A conscious decision can be made to accept the consequences should a risk occur. Some amount of risk acceptance always occurs within partnerships since risks exist that will have to be accepted without any special effort to treat them. It is for the partners to determine the appropriate level of risk that can be accepted/tolerated. Does the risk fall within acceptable/tolerance levels - check your risk appetite levels/target risk score?
To manage the risk - Control
Treat the risk - take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact to an acceptable level. The technique involves the use of reviews, inspections, risk reduction milestones and the development of a fallback position. The RAAP Register provides you with further fields to record what additional control measures are being planned or introduced, and fields to include a further residual risk score following assessment of these new control measures. Does the risk score now fall within acceptable/tolerable levels and does it meet with your target risk score?
Moving the risk - Transfer
It may be appropriate to be able to transfer ownership and responsibility for the risk to another party outside of the partnership. However this may not be possible if for example there is a statutory duty on a partner organisation to deliver within the partnership such as an authority.
Methods of transfer can include:
- Insurance, performance bonds, warranties or guarantees
- Renegotiations of contract's - conditions for the risk to be retained by the other party
- Sub-contracting risks to consultants or suppliers
Remove the risk altogether - Eliminate
Where feasible do things differently and remove the risk altogether. Put measures in place to stop the threat occurring or prevent it having an impact.
The outcome of the assessment and the selection of the most appropriate option/decision for control must be recorded within the RAAP against the correct risk.
Step 6: Monitoring risk
Risk monitoring is a systematic process for tracking and evaluating how well the controls are doing.
The Risk Management Plan for the partnership (Step 1) should identify clearly how the monitoring process should operate within the partnership. For example it should identify the frequency of reporting by risk owners (those partners affected or have responsibility for the risk), back to the partnership and if applicable each of the partners own organisations. It is important that you plan in a regular review period that meets with the requirement or degree of risk being managed and ensure you carry this through.
Remember! If you don't have effective risk management then you don't have effective management - Solace/Zurich Municipal.