Management of Risk within the Criminal Records Bureau Case Study

The Criminal Records Bureau (CRB) is an executive agency of the Home Office (HO), which provides wide access to criminal record information through its checking service. This service enables organizations in the public, private and voluntary sectors to make safer recruitment decisions by identifying candidates who may be unsuitable for certain work – particularly work that involves children or vulnerable adults. The CRB was established under Part V of the Police Act 1997 and was launched in March 2002.

The CRB works in partnership with an external supplier, Capita, and currently employs 650 people. The CRB wants to ensure that the risks it faces (especially those relating to public protection) are clearly identified and effectively managed. This case study looks at how the CRB is achieving this with the help of OGC’s M_o_R® guidance. Highlights so far include a fully defined set of corporate- and team-level risks, the control of which includes regular discussions at board and team management meetings.

In November 2007 the executive team (ET) and management board (MB) agreed to fully align the CRB’s risk management regime with that used across the HO. This alignment was designed to assist the integration of the CRB’s risk management within the Home Office (as defined in the HO Risk Policy), whilst improving the CRB’s day-to-day risk management. Although the CRB’s existing risk management was based on best practice, it lacked ‘champions’ to ensure that the policy and procedures were fully deployed. As a result, it was not being applied in all areas of the organization.

The overall aim of the initiative was to ensure, and where necessary give assurance to the MB and others including the HO and Internal Audit, that risks within the CRB were being identified and managed effectively throughout the organization. The achievement of the HO Risk Management Maturity Model (HO RMMM) at Level 3 by the end of the financial year 2009/10 was the initial target. Ultimately, however, the CRB wanted to develop a culture of ‘no surprises’, where risks were managed, and the organization was aware of risks and had the necessary contingencies in place should they occur. Effective risk management was to become part of everyday working practices, and a valuable management tool to assist in the delivery of the organization’s objectives.

The approach can be split into two phases:

• Phase 1 – Process
• Phase 2 – Cultural

The first phase is the easier to implement. It encompasses the development of a risk strategy and subsequent risk management arrangements within the organization. It includes items such as risk registers, guidance, advice, tools and general information on how risk is managed effectively. The first phase defines areas such as who the risk owner is, who the action owner is, at what levels it is most appropriate to have risk registers, how risk registers are used, and the processes/procedures for escalating risks.

The second phase is more difficult, as it deals with people’s attitudes and behaviours towards risk management. This is compounded by three factors:

• Most middle and senior managers have had experience (not always positive) of risk management and have pre-set ideas and opinions about the topic (again not always positive).
• Risk management does not have a good press. It has attracted a reputation in some areas for being a bureaucratic, tick-boxing, centrally driven initiative which is perceived as adding little, if any, value.
• Managing risk attracts a very low rating in some managers’ priorities and those managers remain unconvinced of its usefulness and may perceive it as an overhead.

PHASE 1

Phase 1 was managed with a RADAR/PRINCE2® methodology. The initiative started from the top with the ET and MB commission. An external M_o_R practitioner and consultant helped with the delivery. A corporate risk management strategy was drafted and buy-in sought and obtained from the ET and MB to ensure senior management commitment and re-energize the corporate risk arrangements. The strategy defined not only the scope of the initiative but also detailed roles and responsibilities, the risk process, risk escalation, scales for likelihood and impact, risk appetite, tools and techniques, and templates etc

The members of the ET and MB were asked what corporate risks kept them awake at night. This identified the 10 most significant risks and formed the basis of the corporate risk register. Ten risks are considered at the maximum end for the number of risks which can be managed effectively – between 6 and 10 is considered optimum. Each of the corporate risks has a designated risk owner, who is a member of the ET, and one or more action owners who are responsible for progressing the mitigating actions to manage the risk.

A corporate risk coordinator was appointed to deliver the agreed strategy. His first job was to develop project plan for phase 1, to include:

• implementing, maintaining and maturing the use of the corporate risk register
• developing and delivering the tools to manage risk effectively
• one-to-ones with senior managers
• workshops with teams to deploy the tools and help with the development of the risk arrangements for individual teams.

This was to be delivered in the first four months. Risk management guidance, adapted from the HO but specific to the CRB, was drafted within the first six weeks. Input to the formulation of the guidance was actively sought and obtained from key stakeholders such as the HO and Internal Audit.

PHASE 2

From the outset it was decided to promote the management benefits of having effective risk management arrangements in place. It is, after all, something we all do naturally – we manage risk in our heads all the time, either at work or at home. The objective was to transfer and record that thinking so that those who need to have confidence in the systems can.

The personal information the CRB holds for individuals is especially sensitive and has to be kept secure at all times. Risk management is one of a variety of tools that enables it to do this. However, it can be difficult actually identifying and describing the risks people face. Generic risks (such as ‘not enough resources’) are common and require a detailed description if they are to be meaningful. In addition to describing the risks in cause, effect and impact terms, the CRB links risk management to objectives. It has found that this helps to focus people and enables them to see immediately how risks can adversely affect the achievement of their objectives.

Risk registers are used in the same way as other management tools. They are reviewed at management meetings to ensure that they are relevant and updated when necessary, and that they target those areas that require improvement. Previous iterations of risk management had been delivered as an offshoot of other work, and detailed instructions and guidance were issued centrally. Although this was initially successful, it was not implemented as widely as planned. This time, the CRB introduced a dedicated resource – a corporate risk coordinator. The corporate risk coordinator is responsible for managing the corporate risk arrangements and providing the necessary guidance, tools and impetus for effective risk arrangements throughout the organization.

To further embed effective risk management within the organization, an HO practice has been adopted in the form of a Risk Improvement Forum (RIF). Personally endorsed by the CEO and the change and business integrity director, it is a forum for risk practitioners including, but not limited to, risk owners and risk action owners. It had its inaugural meeting in December 2009 and currently meets once a month. Its remit is to promote and enable the realization of effective risk management within the whole of the CRB. This will be achieved, in part, by developing processes to ensure the successful transfer or escalation of risks, to address issues which are already beginning to arise from the increased use of risk registers (e.g. risk ownership and responsibility), and to share good risk management and practice. The timings of its meetings have been scheduled to ensure that any information raised at a meeting is captured in time for that month’s executive team meeting, thereby ensuring the provision of real-time data. This phase was subjected to a health check at the end of March 2010, resulting in the attainment of Level 3 of the HO RMMM. As with all culture change, work continues to fully embed these practices.

The biggest challenge is getting people on side. Whilst most people agree that managing risk is an important issue, it isn’t always seen as a high priority in the CRB and many other organizations. There is always something more pressing to be done. There was, and in some areas there remains, reluctance. Typical pre-conceptions of risk management include:

• it adds little or no value
• it is something extra to do
• it is unnecessarily bureaucratic
• it is inspired by bean counters from the centre

An earlier initiative hadn’t become as embedded as expected and, as a result, it was particularly challenging to motivate people. They were reluctant to realise the benefits of the current initiative and several techniques were used in an attempt to overcome these concerns and objections. The full backing of the ET, especially by the CEO and the change and business integrity director, was, and remains, critical to its success. The ET’s commitment was visibly demonstrated by it taking the lead in developing, implementing and discussing the progress of corporate risks at its team meetings.

Rather than issue guidance and instructions, face-to-face meetings were held with managers and their teams, and a series of presentations and workshops was scheduled. This achieved two things: it allowed people to express their reservations about risk in general and, secondly, it enabled the message to be delivered and understood. Risk management has been promoted as one of a range of tools that managers can use to organize their workload. Risk registers, in general, and mitigating actions, in particular, are used to gauge progress against objectives. In an attempt to keep as many pieces of information in the same place, recommendations from internal audit reviews were included in the risk register template from the outset. These are controlled either by linking them directly to an existing risk or by defining a risk specifically to manage outstanding audit recommendations.

Continuous support from the ET, particularly the CEO and the change and business integrity director, has ensured that the initiative has the backing it needs to continue to make progress. In addition to overcoming the challenges listed above, there have been other significant early successes:

• The ET has developed and deployed the corporate risk register, which is updated monthly and use to inform ET meetings. It is currently being reviewed by the ET to ensure it continues to reflect the major risks facing the organization.
• Team-level registers have been developed and are being used to help manage the achievement of team objectives through review at regular team meetings.
• A corporate risk appetite strategy has been developed, with a risk appetite defined and implemented at all levels in the organization where risk registers have been introduced. Although a practical aid to risk management and common sense in theory, the corporate risk strategy was not easy to introduce until the appetite was based against each individual risk by deciding to what blue, red, amber, green (BRAG) level each risk was managed down to.
• Receiving unsolicited and positive feedback from the Audit Committee on the progress which this initiative has made so far.
• The Risk Improvement Forum (RIF) and the active participation of the membership is a real success and a major step forward to help enable a culture of effective risk management.
• The CRB has achieved its objective of attaining Level 3 of the Home Office’s Risk Management Maturity Model. This provides a strong basis from which to begin to fully embed the culture of effective risk management.
• And, finally, the look on someone’s face when the light bulb goes on and they get it!

In the twelve months since the initiative began, the CRB has made significant progress. The corporate risk register is regularly maintained and updated, and used to inform discussions on risk at the monthly ET meeting. All areas of the organization have attended one-to-one presentations and workshops, which offered guidance and provided appropriate tools.

Risk arrangements, including risk registers, are subsequently being developed throughout the organization. By designing simple processes, which are easy to describe, define and deploy, the CRB has ensured that take-up is maximized. Appropriate stakeholders were, and continue to be, engaged in the production of the tools and have the opportunity to contribute and feedback on changes needed to improve the processes.

Throughout the process, CRB has used the 12 M_o_R principles to guide its risk management practices. In addition, its senior team has shown its investment in this initiative by ensuring at least two people have had the opportunity to train to become M_o_R Practitioners and are consequently fully equipped to deliver effective risk management throughout the organization.

As expected, the most difficult part of the initiative has been to change people’s attitudes and behaviours, especially given the degree of cynicism towards it. Active support and engagement from the most senior levels of management has been crucial to the success of this initiative. A senior risk champion has been essential in driving forward implementation and leading from the top.

The Chair (a non-executive director) of the CRB Audit Committee commented at the last meeting that he has found the overall approach to embedding risk management encouraging.

The CEO has written to each member of the RIF to thank them for their contribution and progress so far, and to offer his continued support for the work being done on risk within the agency.

During a workshop, a G7 manager declared, ‘Ah, I see how it all works together now. This can be a useful tool for me,’ as the mechanics and benefits of the risk arrangements were demonstrated.

Published on |www.Axelos.com

Our Case Study series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of the information, TSO cannot accept responsibility for errors, omissions or inaccuracies. Content, diagrams, logos and jackets are correct at time of going to press but may be subject to change without notice.

Reuse of this Case Study is permitted solely in accordance with the permission terms at www.Axelos.com/Knowledge-Centre/Best-Practice-Users-Case-Studies-and-Testimonials/

A copy of these terms can be provided on application to Axelos at Licensing@Axelos.com