Institute welcome | Anne Keim, CEO, Chartered IIA UK and Ireland If we are serious about meeting objectives successfully, improving service delivery and achieving value for money, risk management must be an essential and integral part of planning and decision‑making. While risk practices have improved over time across government, the volatility, complexity and ambiguity of our operating environment has increased, as have demands for greater transparency and accountability for managing the impact of risks. Integrated Risk Management is a framework for ensuring that the key risks facing the organisation have been clearly understood and that they have been considered in conjunction with other key risks, rather than in a silo. The key objective of IRM is to deliver improved outcomes for the authority in relation to the risks that may prevent it achieving its objectives. No matter the size, industry, or location, every business looks to achieve four IRM objectives — better performance, stronger resilience, greater assurance, and cost-effective compliance. Today we explore these objectives. |
Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member It seems an age since we went from systems based to risk based internal auditing. Our councils have also evolved and embraced risk management. Risk is inherent in everything that we do and against a backdrop of austerity and crises has often involved novel approaches. Our speaker today is Adam Lickorish, RSM will share thoughts on integrated risk management. |
Integrated Risk Management - click here for presentation slides
Integrated risk management (IRM) is broader than a system.
Benefits of integrated risk management
The first presentation slide outlines good IRM to enable us to think about internal audit’s role.
Four key messages from today
Chair closing comments There is a clear desire for change from internal auditors for a more flexible way of working as seen in new proposed Standards. A big barrier is moving on from the comfortable, dealing with inertia and the capacity of teams. It’s all too easy to get caught up in defining and measuring days rather than the value of the work undertaken. |
Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA It’s essential to have the right risk owners for the right risks. It drives accountability and risk management. Our next session is 21 June 2023 where we will hear from Richard Chambers about being a trusted advisor. A spin-off Data Analytics for Local Authorities forum is being set up to address the specific needs of your sector. If you are interested in joining, please email mandy.coleman@iia.org.uk Dates for your diary
|
Chat Questions and Comments
Answers from speaker, anonymised comments from attendees
Question | Here is an early challenge. How much are risk registers and other risk artefacts just tokenistic rather than a means of actively managing risk?
Response | A risk register is a repository of risk information, it’s not what you use and report. Are you creating risk information for risk information’s sake? It needs to be a management tool.
Comment | It can be seen as a chore/task to be done periodically rather than being embedded in everything the Leadership Team do/consider. Risk management implications in Committee reports are often a token attempt and not really any use for decision makers.
Question | Supply chain issues are pertinent for councils - perhaps not directly - but our suppliers and contractors may face more acute issues – obtaining raw materials/labour - which can affect our service delivery.
Response | Hasn’t always been seen as a local authority issue but increasingly supply chain management is a key part of resilience. It’s also not just about an individual authority’s reliance or concerns regarding a supplier – they can be contracted across multiple authorities which leaves a huge impact in the market if they have operational or financial issues impacting their service delivery.
Question | I would be interested in your thoughts on what effective risk escalation looks like. There have been a few instances recently where risks at a project level have been considered in isolation without thinking of the impact on other parts of the organisation.
Response | Often logging urgent or high severity risks on a risk register is not effective as the process is too slow. The culture at meetings needs to allow for risk conversations.
Comment | I have seen a guiding principle being applied that "good news must travel as quickly as bad news." What has followed has been a clearer identification of escalation points and a much clearer understanding that escalation must happen against the revised thresholds.
Question | Thinking about the linkages between risks. How do you think these should be recognised and documented?
Response | Can be difficult to administrate in Word and Excel – a reference can work well between strategic and operational risks for example.
Comment | Sharing operational/departmental risks can give visibility to risks that aggregate to being material at an organisation level. It’s possible to then differentiate between risks that people have ownership of day to day and the few that need to be escalated to the board.