Policy Statement
North Yorkshire Fire and Rescue Service adopts a risk management policy to systematically approach the identification, analysis, evaluation and treatment of risk. The policy is aligned to the industry best practice risk management standard ISO 31000:2018 and provides an organisation-wide approach to risk management.
Definition
ISO 31000:2018 defines risk as “the effect of uncertainty on objectives”. It is the combination of the likelihood and consequences of an event.
Aim
The aim of the risk management policy is to:
- Develop a risk conscious culture across the Service, to embed awareness and proportionate management of risks and opportunities at all levels
- Protect the organisation from exposure to business risks, by ensuring risks are identified, analysed, reported, and managed in a structured, transparent, and consistent way.
- Support informed and effective decision making, by enabling leaders to understand risk impacts and tolerances, and make proportionate choices.
- Align risk management with strategic priorities, ensuring risk processes support organisational objectives, including those set out in the Community Risk Management Plan and Fire and Rescue Plan.
Objectives
- Enable a consistent approach to the systematic identification, analysis, evaluation and monitoring of risks
- Embed risk management in all organisational activity, including planning, change management, governance and decision making
- Maintain a clear risk register framework with risk captured and managed at the appropriate level, and escalated for action and decision where needed:
  - Strategic level
  - Departmental/functional level
  - Project level
- Support the proportionate and effective treatment of risk in line with organisational risk appetite, using the four Ts of risk management (treat, tolerate, transfer and terminate).
- Define clear governance and accountability, in line with the three lines of defence approach to risk management.
- Provide assurance to Chief Fire Officer and the Deputy Mayor, via the Independent Audit Committee, that risks are being properly identified and managed, and that governance and controls are effective.
Risk register framework
The risk register framework will include three levels of risk:
- Strategic level – for risks that could have a cross-cutting organisational impact
- Departmental/functional level – for risks that could impact the delivery of departmental objectives
- Project level – for risks that could impact the delivery of project objectives
Risks should be owned and managed at the lowest appropriate level, and escalated from functional to strategic level (via governance) if any one of the following thresholds is met:
- The risk can no longer be managed within the authority of the relevant department
- The risk could impact on the delivery of strategic or statutory objectives, including the delivery of the Community Risk Management Plan (CRMP) or Fire and Rescue Plan (FRP)
- Action is required across more than one function to manage the risk
- The risk could have Service-wide safety, financial, legal or reputational implications
- The risk is graded as ‘highly probable’
- The current risk score is 15 or higher
Four Ts of risk management
- Treat – take action to reduce the likelihood of the risk occurring and/or the impact if it does occur
- Tolerate – make an informed decision to accept the risk without further mitigating action
- Transfer – transfer responsibility for managing some or all of the impact of the risk occurring to a third party
- Terminate – remove the risk by stopping the associated activity
Three lines of defence model
- Management: leaders in functions, departments and projects identify and assess risks aligned to the objectives they are responsible for delivering. They own and maintain risk registers, ensure controls are in place to mitigate the risks, and escalate them for action or decision where needed.
- Oversight and support: specialist support is provided by the Service Design and Delivery function to ensure that risks are managed consistently and in line with the Risk Management Policy. Training and guidance are provided, as well as review and challenge on risk management and strategic level reporting.
- Independent assurance: NYFRS’ internal audit capability provides independent assurance on the proper identification and management of risks and application of risk controls.
Governance
- Functional risks will be reported and escalated via departmental management meetings.
- Project risks will be reported and escalated via Fire Change Board.
- Strategic risks will be reported and escalated via Risk and Assurance Board, then Strategic Leadership Board, then Strategic Oversight Board. They will also be reported to the Independent Audit Committee.
Roles and responsibilities
DCFO: accountable for the development of risk management capability across the Service.
Director of Service Design and Delivery: responsible for the implementation of this policy.
Head of Delivery, Risk and Assurance: responsible for the maintenance and development of the corporate risk register, in conjunction with individual risk owners. Responsible for the production of strategic risk reports.
Strategic leaders and functional leads: responsible for the maintenance and development of functional risk registers, management of identified risks, and for the escalation of risk in line with the thresholds set out in this policy.