Agenda item

The Director of Corporate Services presented the report to Members. Members were provided with a copy of the Corporate Risk Matrix as a supplement to the report.

Improvements to Lancashire Fire and Rescue’s (LFRS) organisational risk management were identified to bolster its robustness. A proposal was presented to the Corporate Programme Board (CPB) in August 2023 which outlined a new LFRS risk management policy and procedure aligned with ISO 31000:2018 standards. This introduced a tiered approach to organisational risk and enhanced monitoring and management, as well as the adoption of a new corporate risk register, in line with the National Fire Chiefs Council (NFCC) template. Upon adoption, effective risk management practices were now integrated into quarterly CPB meeting agendas, strategic oversight was provided, legislative compliance was ensured, resource allocation was optimised, and risk reporting to the Combined Fire Authority was facilitated.

The Audit Committee was a cornerstone of the Authority’s governance framework, tasked with providing independent assurance to governance stakeholders regarding the adequacy of LFRS’s risk management framework, annual governance processes, and internal control environment. Its primary function included evaluating the effectiveness of the Authority’s risk management arrangements. Accordingly, the report outlined recent enhancements to the LFRS risk management framework for consideration.

The Civil Contingencies Act (CCA 2004) set out the legal framework for contingency arrangements to assess, plan and advise against LFRS organisational risks, be it departmental or corporate, however, there was no prescriptive way within the framework of doing that. Therefore, the Service had the freedom to manage risk using a method that ensured a clear governance structure that best met the needs of the business.

This moral and statutory duty not only required LFRS to take all reasonable actions to safeguard its employees, assets, and the public, but also ensured that it was not financially or operationally disrupted. It could meet this duty by ensuring that risk management played an integral part in the governance of the Service at a strategic, tactical, and operational level.

A comprehensive review of the corporate risk profile revealed adherence to fundamental aspects of risk management at LFRS. However, to ensure compliance with legislative requirements and bolster the robustness of the risk management framework, several proposed changes were identified. In parallel, the NFCC’s Business Continuity group broadened its scope to include risk within its Terms of Reference (ToR) and developed a corporate risk register template to be used across the fire sector.

A proposal was presented to the Corporate Programme Board in August 2023, which outlined a new risk management policy, procedure, and alignment of the LFRS Corporate Risk Register with the NFCC template. This policy and procedure aligned with ISO 31000:2018, which ensured an accurate description and appropriate monitoring and management of LFRS risks. Additionally, a tiered approach to risk was introduced, which allowed for escalation or de-escalation as needed.

Effective risk management practices aligned with ISO 31000:2018 yielded numerous benefits for LFRS that included proactive risk mitigation, enhanced decision-making, clear accountability, and improved financial control. By integrating risk management into quarterly CPB meetings as a standing agenda item, LFRS aimed to provide strategic oversight of the risk management process. Overall, these measures enabled LFRS to fulfil its legislative duties and optimise resource allocation while providing a structured mechanism for reporting on risk to the Audit Committee.

A recent external audit, conducted by Grant Thornton, assessed the changes introduced to the LFRS organisational risk management framework and concluded that significant progress had been achieved. Since its establishment, the new Corporate Risk Register had undergone quarterly review and updates by all pertinent risk managers and owners.

In conclusion, recent enhancements to the LFRS risk management framework, aimed to ensure compliance with legislative requirements, bolster the robustness of risk management practices, and provide a structured mechanism for reporting to the Audit Committee, which further optimised resource allocation and strategic oversight.

Members noted that the top three risks identified in the risk register were:

-        Loss of Funding (the Service had not received a long-term settlement over the last few years, however, the Service was working with the NFCC to lobby the government for a multiyear financial settlement that ensured financial sustainability);

-        Cyber Security (actions were noted on page 233 of the agenda pack); and

-        Retention and Recruitment of on-call Staff (actions were noted on page 239 of the agenda pack).

The Chair commented that the Service was transparent with information relating to any risks.

County Councillor Salter highlighted that on page 231 of the agenda pack, for the Risk of ‘Inability to recruit or retain key staff’, the current controls/mitigations were incorrect as they related to the risk of ‘water’ on page 233. The Director of Corporate Service confirmed that it would be amended.

In response to a question from County Councillor Singleton regarding the audit of Cyber Security, Laura Rix, Senior Auditor, explained that the Internal Auditors audited Resilience Contingences as it was administrative, however, once that was completed, it would then be decided whether external IT auditors would be required for the technical aspect of the audit.

In response to a question from County Councillor Hennessy in relation to the key recommendation of financial resilience and sustainability, the Director of Corporate Services advised that it was covered and cross referenced in the risk register under ‘Loss of Funding’ which impacted on the Service’s financial sustainability.

Resolved: - That the Committee: -

i)    Approved the new risk management policy, procedure, and the associated organisational risk register layout;

ii)   Endorsed the up-to-date Corporate Risk Register and its content.