1.1 This procedure has undergone its two-yearly review. The following changes were made:
2.1 This procedure/SOP describes the processes required to deliver the joint risk management policy (Y 0100). It defines the roles, responsibilities and practices which ensure that risk is managed effectively. It outlines how the Essex and Kent joint risk management IT system, referred to as the Joint Risk Register (JRR), will be operated and managed.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 Definition of Risk
3.1.1 Her Majesty’s Treasury’s ‘Orange Book’ (2020) outlines the approach that public sector organisations should take towards risk management. It states that:
‘Public sector organisations cannot be risk averse and be successful. Risk is inherent in everything we do to deliver high-quality services. Effective and meaningful risk management in government remains as important as ever in taking a balanced view to managing opportunity and risk. It must be an integral part of informed decision-making; from policy or project inception through implementation to the everyday delivery of public services. At its most effective, risk management is as much about evaluating the uncertainties and implications within options as it is about managing impacts once choices are made. It is about being realistic in the assessment of the risks to projects and programmes and in the consideration of the effectiveness of the actions taken to manage these risks.
This isn’t about adding new processes; it is about ensuring that effective risk management is integrated in the way we lead, direct, manage and operate. As an integrated part of our management systems, and through the normal flow of information, an organisation’s risk management framework harnesses the activities that identify and manage the uncertainties faced and systematically anticipate and prepare successful responses. Its importance and value to success should not be underestimated.
As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture must embrace openness, support transparency, welcome constructive challenge and promote collaboration, consultation and co-operation. We must invite scrutiny and embrace expertise to inform decision-making. We must also invest in the necessary capabilities and seek to continually learn from experience (paragraphs 2, 3 and 4, page 2)’.
3.2 The Risk Register
3.2.1 The forces will operate a JRR at three levels:
3.2.2 During its lifetime a risk can be escalated to a higher-level register or de-escalated to a lower one. This process is managed through, and requires the consent of, the risk owner.
3.2.3 Risks relating to projects or programmes affecting either or both forces can be recorded on a dedicated register at operational or management level respectively. There is no obligation to record risks on the JRR if the project or programme involves forces other than Kent Police and/or Essex Police. In such circumstances the programme or project should have its own independent risk register or Issues or RAID (Risks, Assumptions, Issues, Dependencies) Log.
3.2.4 Risks initially recorded on programme or project registers can be re-directed to a force level register if the subject matter takes on force-wide significance. Alternatively, a new risk can be opened reflecting the wider nature and scope.
3.2.5 Individual risks, at all levels, will be identified as either joint (affects both forces), Essex or Kent risks. This allows appropriate scrutiny, security, access and reporting procedures to be applied.
3.2.6 Essex Police has a Risk Management Handbook which can be found on the Continuous Improvement intranet pages and within the JRR.
3.3 Risk Management
3.3.1 Risk management is the process of controlling and managing risk by taking appropriate action. To apply the principles outlined in the Orange Book 2020 chief officers and departmental heads should:
3.3.2 It may be beneficial for the forces to develop an opportunity, either individually or in collaboration, if it will:
3.4 Risk Identification
3.4.1 In the context of service delivery and achieving the force objectives, threats can arise from a range of sources. For example:
3.4.2 Regular horizon scanning should be conducted across all aspects of the forces' business in order to facilitate the identification of risks.
3.5 Risk Appetite and Tolerance
3.5.1 ‘Risk appetite’ is a general indicator of how much risk the forces are willing to accept, tolerate or be exposed to at any point in time in the pursuit of their objectives. It is a statement that helps to define the organisational philosophy for managing and taking risk.
3.5.2 ‘Risk tolerance’ is the maximum risk that the force is willing to accept for a specific risk. It is a tactical risk management tool which allows for variations in the amount of risk the forces are prepared to tolerate for a particular part of their business, risk category, activity or special initiative. As such it acknowledges the diverse nature of policing and recognises that a one size fits all approach cannot be taken.
3.5.3 When establishing the acceptable level of risk, owners should first consider the risk in the light of the risk appetite and then determine whether in the circumstances they can accept a higher or lower level, thereby being either more ‘risk aggressive’ or more ‘risk averse’.
3.6 Governance and Reporting
3.6.1 Reporting on the risk profile is a key element of the risk management process. It allows for the effectiveness of the risk management framework and the content of the risk portfolio to be reviewed. It also provides reassurance that the forces have robust risk management arrangements in place. Bespoke risk management reports are available from the Continuous Improvement Manager (Essex) and the Force Risk Co-ordinator (Kent).
3.6.2 Risk management and the relevant risk portfolio must be a standing agenda item at Chief Officer/Command/Senior Leadership Team Meetings (SLTs) and at ACC-led Governance, Development & Oversight Boards. Programme and project risks will be considered at dedicated programme and project boards. Matters for discussion under this agenda item may include:
3.7 Risk Star Chamber (Kent)
3.7.1 A one-day Risk Star Chamber will be convened three times each year. This will allow the force to ensure that it is managing risk effectively and support the methodology that the internal auditors have indicated they will employ.
3.7.2 Risk owners are mandated to attend the Risk Star Chamber to present their risk. If they are unable to attend a deputy must be appointed to attend on their behalf. Commonly, this will be the Principal Lead but where necessary, a suitably briefed and informed deputy must attend.
3.7.3 Risk owners / leads are required to complete the annual assurance assessment of their risks using the three lines of defence model prior to attending the Star Chamber. The panel are required to consider the grading allocated and either ratify it or challenge it and require it to be re-considered.
3.7.4 The risk owner or deputy is expected to present the risk and discuss its progress or lack of progress including the mitigating actions identified. Any factors hampering progress must be highlighted.
3.7.5 The aims of the review are to:
3.7.6 The Star Chamber panel will comprise the Director of Corporate Services, the Police and Crime Commissioner's Chief Finance Officer and a member of the Joint Audit Committee nominated by its Chair. The Risk Co-ordinator will attend to address administrative matters and to offer specialist advice.
3.7.7 The Risk Co-ordinator will produce an actions and decisions document and circulate it to risk owners as appropriate.
3.7.8 The Risk Co-ordinator will monitor the progress of actions and record the outcomes. A progress report will be provided to the Director of Corporate Services six months after the Star Chamber has taken place.
3.7.9 The risk register will be updated with the outcomes of the process for each risk by the Risk Co-ordinator.
3.8 Risk Star Chamber (Essex)
3.8.1 The Risk Star Chamber meeting will be held quarterly and chaired by the Deputy Chief Constable. These quarterly meetings will be held prior to COG Strategic Risk Oversight and the Joint Audit Committee. This will allow the force to ensure that it is managing risk effectively and support the methodology that the internal auditors have indicated they will employ.
3.8.2 Attendance by risk owners is mandatory. If they are unable to attend, they must ensure that the principal lead or another suitable deputy attends on their behalf.
3.8.3 The risk owner or deputy is expected to present the risk and discuss its progress or lack of progress including the mitigating actions and controls identified. Any factors hampering progress must be highlighted.
3.8.4 The aims of the review are to:
3.8.5 The Risk Star Chamber panel will comprise the Deputy Chief Constable, Director of Strategic Change, the Head of Continuous Improvement and / or Risk & Planning Manager and a member of the PFCC’s office. A member of the Continuous Improvement Team will also attend to address administrative matters and to offer specialist advice.
3.8.6 The Continuous Improvement Team representative will produce an actions and decisions document and circulate it to risk owners as appropriate.
3.8.7 The Continuous Improvement Team representative will monitor the progress of actions and record the outcomes.
3.8.8 The risk register will be updated with the outcomes of the process for each risk by the Continuous Improvement Team representative.
3.9 Assurance
3.9.1 The assurance process should provide evidence to risk owners, development boards and oversight committees that the forces’ risks are being managed effectively. This includes the ability to demonstrate that critical controls are in place, that they are working and that they are being, or have been, appropriately implemented.
3.9.2 The Risk and Planning Manager (Essex) and the Force Risk Co-ordinator (Kent) will be responsible for carrying out an assurance mapping exercise in relation to strategic and management level risks recorded on the JRR using the Treasury’s three lines of defence model. This will be informed by information recorded in the JRR and consultation with the risk owners.
3.9.3 The findings of the assurance mapping process will be reported to Chief Officers at COG (Essex) and COMB (Kent). At the discretion of the individual force they can then subsequently be presented to their Police and Crime Commissioner’s and Chief Constable’s Joint Audit Committee (Joint Audit Committee).
3.10 Roles and Responsibilities (within each force, including collaborative departments)
3.10.1 The Chief Constable is accountable for the overall implementation of the risk management policy and compliance with the procedure.
3.10.2 The Deputy Chief Constable (DCC) in Essex, and the Deputy Chief Officer in Kent, have delegated authority to:
3.10.3 The Director of Strategic Change in Essex and the Deputy Chief Officer in Kent act as system owner for the joint risk management system and will:
3.10.4 In practice the day-to-day application of these functions may be undertaken by the Risk & Planning Manager (Essex) and the Force Risk Co-ordinator (Kent).
3.10.5 Chief Officers and Directors will:
3.10.6 Departmental Heads and Operational Commanders will:
3.10.7 All officers and staff are responsible for:
3.11 Risk Register Ownership
3.11.1 The risk register owner has ultimate responsibility for the risks recorded upon the JRR. This includes the implementation of plans and actions to mitigate risk. Risks will be owned and managed by the area of business best able to control them. Risk owners will be command or departmental heads for ‘Operational’ risks and Chief Officers for ‘Strategic’ or ‘Management’ risks.
3.11.2 At their discretion, a risk owner may delegate the day to day management of a risk to a principal lead. This must be a suitably qualified person who has expertise in that particular area of the business.
3.11.3 Where the ownership of a risk is unclear, initial guidance should be sought from the Continuous Improvement Manager / Risk & Planning Manager (Essex) / the Force Risk Co-ordinator (Kent). Should ownership still be unclear the Director of Strategic Change (Essex) or the Deputy Chief Officer (Kent) will adjudicate. If necessary, the matter can be referred to the DCC (Essex) for a decision. Ownership of risks that affect both forces will be resolved jointly by the DCC (Essex) and the DCO (Kent).
3.11.4 The Risk Co-ordinator (Kent) produces a monthly report for Chief Officers and meets with them on a quarterly basis to discuss their risk portfolios.
3.12 The Joint Risk Management System
3.12.1 Overview
3.12.1.1 Essex Police and Kent Police will use a shared database, the JRR, to help manage risk. The following sections explain how the technology will be used.
3.12.1.2 The system is accessed through the respective force intranets.
3.12.2 Risk Owners and Principal Leads
3.12.2.1 Risks owners must use the JRR to record their risk management activities. They may appoint a principal lead with specialist knowledge to carry out the day-to-day management of a risk where this is appropriate. This will include the ability to accept, reject or re-direct risks on their behalf and to make recommendations in relation to the re-scoring, escalation or de-escalation and closure of a risk. However, the risk owner will remain accountable for the management of the risks within their portfolio.
3.12.3 System Access – Point of Contact Groups (POCs)
3.12.3.1 Access to registers within the risk management system is controlled through the use of Point of Contact (POC) groups. These are managed by the Continuous Improvement Manager (Essex) and the Force Risk Co-ordinator (Kent) using the ‘Sub Register Members’ option within the Maintenance menu in the JRR. Access rights cannot be viewed or amended by users. The authorisation of the risk owner is required for a person to be added to a POC group.
3.12.3.2 When authorising access to their risk register, risk owners can set limits on what a person can do. For example, they may stipulate that access is only permitted to view and print risks. Alternatively, they may direct that a user can perform all necessary tasks to manage the risk on their behalf. Risk owners can also specify that user access is only permitted to certain risks on their register. These will usually be those most relevant to the user’s departmental remit or area of expertise.
3.12.3.3 Subject to the agreement of the risk owner, users in Essex can be granted access to registers which are designated in the JRR as ‘Essex only’ or collaborative. Users in Kent can be granted access to registers which are designated as ‘Kent only’ or collaborative.
3.12.4 Administration
3.12.4.1 The JRR will be administered by the Continuous Improvement Team in Essex and the Force Risk Co-ordinator in Kent. This will include the maintenance of access rights.
3.12.5 Maintenance of System
3.12.5.1 Any IT related problems with the risk system should be reported to IT Services using the Hornbill Service Manager portal.
3.13 New Risks
3.13.1 Creating
3.13.1.1 (Essex) When a potential risk is identified, staff should discuss the risk with a command team member. If the command team member confirms that the risk should be recorded, a risk proforma must be completed and sent to the Risk and Planning team for review at their weekly review panel. If accepted, it will be added to the JRR with the relevant information by the Risk and Planning officers.
3.13.1.2 (Kent) When a potential risk is identified, staff should discuss the risk with a command team member. If the command team member confirms that the risk should be recorded, it must be entered onto the JRR using the ‘create risk’ function. Details required include a brief description of the risk and the potential owner (e.g., for ‘Operational’ risks the command or department best able to mitigate the risk).
3.13.2.1 Where a risk or risks are of a particularly sensitive nature, for example those relating to a contract which is subject to legal privilege, steps must be taken to ensure that access to it is restricted. This can be achieved by creating a discrete register on which the risk(s) can be recorded. Access to the register can then be restricted via the POC group, which should only include those people designated by the risk owner to view or manage the risk(s).
3.13.3 Accepting a Submitted Risk
3.13.3.1 (Essex) Risks are accepted by the Risk and Planning team only when a risk proforma has been received, meets the required standard and has been agreed with the relevant Chief Officer / Department Lead.
3.13.3.2 (Kent) The ‘accept’ function should be used to accept a submitted risk onto the JRR. This function is only available to those authorised via the POC group to view the relevant register. It is accessed by clicking on the link to the risk in the submitted risks table.
3.13.4 Re-directing a Submitted Risk
3.13.4.1 Where a submitted risk has been directed to the wrong risk register an authorised member of the POC group has the option to re-direct it to another register. The owner or authorised member of the POC group for that register must then decide if they will accept the transfer.
3.13.5 Rejecting a Submitted Risk
3.13.5.1 The ‘reject’ function should be used where a submitted risk has been considered and it is felt that it is not appropriate for it to be recorded on the JRR. This may be because the risk already exists, or because it has occurred and is now an issue.
3.14 Risk Management
3.14.1 Initial assessment (including scoring)
3.14.1.1 A risk must be assessed to determine the likelihood of it happening and the potential impact should it occur. The 5 x 5 scoring matrix adopted by both forces in June 2019 will be used to carry out this assessment. The risk management system requires 3 scores to be recorded as follows:
3.14.2 Creating Mitigation
3.14.2.1 The risk owner, supported by any designated principal lead and other members of the command/management team, as appropriate, must consider the risk and determine what measures are required to reduce it to the target score. Once agreed these measures must be recorded on the JRR using the ‘create mitigating action’ function. Each action should be concisely written and framed so that it is specific, measurable, achievable, relevant and time bound (SMART). An owner must be assigned and an initial timeframe set for its completion. Each action should have a status of ‘not started’, ‘on-going’ or ‘discharged’.
3.14.2.2 The JRR generates an automatic email to a mitigating action owner when it is allocated to them. It remains the responsibility of the risk owner or principal lead to discuss with action owners the task(s) assigned to them and to ensure that they are regularly appraised of the progress or otherwise of the action(s). This is particularly important when assigning actions outside of the owning portfolio or department.
3.15 The Review Process
3.15.1 All reviews must be recorded on the JRR using the ‘start review’ function.
3.15.2 Risk owners are responsible for carrying out regular reviews of their risks. This task can be delegated to an authorised member of the POC group, typically the principal lead as the subject expert. However, the risk owner retains overall responsibility for the risk and should ensure that they are regularly sighted on the progress of the risk and ratify any significant decisions, such as changes to the score or a recommendation to close.
3.15.3 The JRR will automatically provide the POC with an email reminder to complete a review of an individual risk. Once the review has been completed and saved the risk system will re-calculate the next review date as follows:
3.15.4 The monthly review period designated for risks recorded on the strategic and management registers cannot be changed or overridden in the JRR and automatic review reminders will be issued on a monthly basis. Based upon their knowledge and understanding of the risks in their portfolio owners have the discretion to vary the review period. For Kent and Collaborative risks this may be bi-monthly or quarterly. In relation to Essex only risks the review period may be extended to annually. However, owners must ensure that risks are reviewed before they are formally presented to Chief Officers for oversight at COMB (Kent) or the Kent or Essex Risk Star Chambers. Any change to the review frequency should be recorded in the relevant departmental or development board minutes and upon the JRR as an ‘update’ or ‘review’.
3.15.5 Reviews may be more frequent at the risk owner’s discretion. In order that the system can calculate the direction of travel (DoT) for reporting and management information purposes, the risk score can only be changed during a formal review. Unless it is imperative to do so, the current score should only be amended on the designated review date. Multiple changes to the score between the review dates will distort the DoT.
3.15.6 When reviewing a risk, all surrounding circumstances should be considered. This may include:
3.16 Updating Risks
3.16.1 Between the formal review periods set for the risk the ‘update’ function can be used to refresh risk information. The function does not permit the current or target scores to be changed and will not re-calculate the review date.
3.17 Re-directing, Escalating and De-escalating
3.17.1 By using the ‘re-direct’ function risks can be escalated and de-escalated within the strategic, management and operational register structure and moved from one owner to another. This allows changes to risks and their context, and alterations to the structure of the forces to be addressed without the requirement to close the risk and open a new one.
3.17.2 Consideration should be given to escalating a risk to a higher-level register in the following circumstances:
3.17.3 A risk should be de-escalated to a lower register when the level of risk has been reduced to a level that can be managed using the resources of the new owner.
3.17.4 A re-directed risk will appear in the ‘Move register’ table on the Home page of the JRR for consideration by the new owner or a member of their POC group. The re-direction request should be considered and one of the following actions taken:
3.18 Closing
3.18.1 A recommendation to close a risk should be made to the risk owner when it has been successfully treated or the circumstances surrounding it have improved. Typically, the risk will be within the agreed tolerance having achieved its target score, and any residual risk can be accepted without further action. Once closed a risk cannot be re-opened. If the risk becomes active again it must be recorded as a new risk. The levels of approval are:
3.18.2 Risks in significant areas of the business can be retained on the risk register even though they have achieved their target score and the mitigation forms business as usual. The agreement of chief officers should be sought and once obtained the ‘Do Chief Officers accept this level of risk without further action?’ marker on the JRR should be set to “yes”.
3.19 Oversight Process
3.19.1 External oversight of the forces’ risk management system is provided by:
• EIA – July 2022
5.1 This procedure/SOP and supporting policy sets out the forces’ approach to risk management.
6.1 The following were included in the consultation for this procedure/SOP:
7.1 This procedure/SOP will be monitored by the Director of Strategic Change (Essex) and the Head of Corporate Services (Kent) and will be reviewed every two years.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
• Y 0100 Policy – Risk Management
8.1 Data Security
8.1.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2 Retention & Disposal of Records
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which it was collected.
Policy reference: Risk policy
Contact point: Force Risk Co-ordinator
Date last reviewed: September 2022
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.