Risk Management Framework

Last updated 22 October 2025

1. Executive Summary

We have developed a comprehensive Enterprise Risk Management Framework. This framework strengthens the council’s ability to identify, analyse, evaluate and treat risks in a consistent manner across all levels of the organisation.

The framework is built around three core components:

  1. Architecture: the structure through which risk information flows and is governed across the organisation, in addition to roles and responsibilities
  2. Strategy: the council’s overarching approach to risk, including its Risk Management Policy and Risk Appetite Statement
  3. Protocols: the tools, templates, and guidance that support the practical implementation of risk management

The architecture introduces 11 Principal Risks, under which all organisational risks are categorised. This structure enables the council to record, manage, and monitor operational risks, while strategic risks are identified in collaboration with senior leaders and aligned with the council’s priorities. This ensures that risk management supports both effective service delivery and long-term strategic planning through its governance structures.

The risk strategy outlines our overarching approach to risk management. It incorporates the council’s Risk Policy Statement, which affirms its commitment to managing risk effectively across all services. The Risk Appetite Statement defines the level and types of risk the council is willing to accept in pursuit of its strategic objectives. This is underpinned by a Risk Appetite Framework that aligns with the council’s Principal Risks and enables services to make informed, proportionate decisions within clearly defined boundaries.

Dorset Council’s protocols include its Risk Dashboard which serves as the central hub for documenting, monitoring, reviewing and reporting on risk. It supports senior leaders and decision-makers to make informed, risk-aware decisions based on timely and transparent insights. 

This Enterprise Risk Management Framework reflects our commitment to fostering a risk-aware culture, enabling innovation and ensuring that risks are managed in a way that supports the achievement of its strategic goals.

2. Architecture

Overview

Enterprise Risk Management is a cohesive and structured approach that unites our various risk management disciplines under a single framework. Its primary aim is to support senior leaders and decision-makers in making informed, risk-aware choices that enhance service delivery to our communities and help achieve the council’s strategic objectives.

Enterprise Risk Management considers both the internal and external environments in which we operate, ensuring that risk insights are relevant, proportionate, and aligned with our organisational goals. It is a collective responsibility, integrated across all levels of the organisation, from strategic planning to daily operations, and embedded within a culture that promotes risk awareness and emphasises accountability over blame.

Strategic Integration

The Enterprise Risk Management architecture brings together strategic performance, risks and other business intelligence, to support decision makers in driving delivery of our corporate ambitions and Council Plan priorities.

It ensures a clear demarcation between operational/tactical performance and risk (managed by directorates) and strategic performance and risk (overseen by the Senior Leadership Team). This separation ensures that the Senior Leadership Team is appropriately sighted on strategically important data, with directorates responsible for managing their own operational and tactical performance and risk.

When the architecture is utilised in line with Dorset Council's values: Respect, Openness, Together, Accountability and Curiosity, it fosters a culture of continuous improvement and shared ownership of risk.

Governance and Reporting

The architecture ensures transparent reporting of performance and risk across Dorset Council, with each directorate conducting monthly reviews of performance and directorate risks. At a strategic level, Senior Leadership Team review strategic risks, strategic performance and Council Plan delivery on a quarterly basis.  

Following internal review, strategic performance and risk are presented to the relevant Scrutiny Committee, either Place and Resources or People and Health, ensuring public consideration and accountability. 

The Audit and Governance Committee provides oversight of the risk management framework and receives quarterly risk reports. In addition, Cabinet receives a bi-annual Council Plan performance report.

Role and Responsibilities

Enterprise Risk Management at Dorset Council is a shared responsibility, embedded across all levels of the organisation, from individual operational teams to committee structures. This integrated approach ensures that the council’s collective risk management expertise supports both the achievement of Council Plan priorities and the effective delivery of day-to-day services. The following provides an overview of roles and responsibilities within our risk structure.

Audit and Governance Committee

Provides independent assurance on the adequacy of the council’s risk management framework including the internal control environment, integrity of financial reporting and governance arrangements.

Cabinet

Oversees Dorset Council’s approach to Enterprise Risk Management, ensuring it is embedded in strategic decisions and operations. Endorses the organisation’s risk appetite statement, monitors key risks, and promotes a culture of informed risk-taking to support the achievement of the council’s objectives and effective service delivery.

Directorate Leadership

Promotes a risk-aware culture within services, implements risk management actions, identifies and reports changes in risks, and agrees strategic risks aligned with the organisation’s objectives.

Enterprise Risk Management Function (Risk Management & Reporting Officer)

Develops and maintains the council’s risk management policy, fosters a risk-aware culture through training and building organisational understanding, and establishes internal risk frameworks. Coordinates risk management activities and prepares risk reports for senior leaders and committees.

Internal Audit

Internal Audit at Dorset Council provides independent assurance on the effectiveness of the council’s risk management, control, and governance processes. It evaluates how well risks are identified and managed, supports continuous improvement, and ensures risk driven audit planning.

Risk Owners

Understand and apply Enterprise Risk Management protocols. This includes reporting ineffective or unnecessary controls, loss events, and near misses through the appropriate channels, as well as cooperating with management during incident investigations.

Scrutiny Committees

Examine specific risks that may impact Dorset Council’s services or strategic objectives, by scrutinising decisions, monitoring performance, and holding senior officers to account.

Senior Leadership Team

Takes overall responsibility for coordinating Enterprise Risk Management through an agreed framework and policy, promotes a risk-aware culture, and allocates resources to manage risks effectively.

Specialist Risk Management Functions

Develop and maintain specialist risk policies and contingency plans, monitor emerging risks, assist in incident investigations and produce detailed reports to inform risk control measures.

Dorset Council Three Lines Model

Dorset Council’s approach to risk management is further supported by alignment with the Three Lines Model. This model builds on the roles and responsibilities overview to ensure effective governance, risk management, and assurance.

The following description outlines how the model works in practice:

First Line: Business and Operational Management

The first line is responsible for delivering services and achieving objectives. Key responsibilities include:
•    identifying risks and opportunities for improvement
•    implementing controls
•    reporting on progress
•    ensuring compliance
•    providing management assurance

Roles in the first line include:
•    operational managers and staff
•    colleagues responsible for performance and data quality
•    programme and project managers
•    service plan delivery teams

Second Line: Oversight and Support

The second line provides support and oversight to the first line. Key responsibilities include:
•    setting strategy, policy, and direction
•    making decisions
•    providing assurance oversight

Roles in the second line include:
•    senior management
•    risk management and compliance functions
•    quality control teams
•    committee and scrutiny functions

Third Line: Independent Assurance

The third line offers independent assurance by validating the effectiveness of the first and second lines. Key responsibilities include:
•    providing challenge and audit
•    reporting on assurance levels
•    conducting independent reviews

Roles in the third line include:
•    internal audit
•    external audit
•    regulatory inspections
•    independent agency reviews

Governance and Escalation

All three lines escalate matters to the Senior Leadership Team and Cabinet, forming a key strand of Dorset Council’s corporate governance framework.

Principal Risks

Principal Risks provide the structure under which all organisational risks are categorised within Dorset Council’s risk management framework, as illustrated in the Dorset Council Risk and Performance Architecture. All risks identified across the organisation will align with one or more of these Principal Risks. This alignment helps to demonstrate the potential breadth and impact of individual risks, highlighting how they may contribute to wider strategic concerns. The council’s current Principal Risks are outlined below.

Commercial

Commercial risks are those that could result in the council losing a commercial partnership or failure of a supply chain.

Data and information management

Risks of this nature are centred around failures to prevent unauthorised or inappropriate access, as well as failures to enable legitimate use of our data, systems, and assets.

Finance

Financial risks are those that threaten our financial stability, driven by increased budgetary pressures in an increasingly challenging financial environment.

Legal

These are risks concerned with non-compliance of regulations, laws or statutory obligations that may result in penalties, fines or other legal consequences.

Operations

Operational risks are associated with the uncertainties that we face during our day-to-day activities delivering services.

People

We are faced with a challenging environment in recruiting and retaining the necessary people to deliver our objectives.

Project/programme

Project and programme risks are centred around projects not aligning with our strategic priorities as well as projects being unable to deliver the intended benefits, on time and within budget.

Property

We have a large portfolio of properties and as such associated risks ranging from property defects to ineffective or inefficient safety management protocols.

Reputation

Reputational risks are those that could be uncovered through adverse events in the form of ethical infringements, failure to meet objectives or lack of innovation.

Security

Our security risks include unauthorised and/or inappropriate use of our systems and assets, including cyber security and digital and physical access to our assets.

Technology

Technology risks are those that arise from technology not delivering services as expected because of deficient systems or processes.

Strategic Risks

Strategic risks represent the second tier of risk reporting at Dorset Council and sit underneath the organisation’s Principal Risks, as demonstrated in the Risk and Performance Architecture. These risks are aligned with either:

  • Council Plan priorities
  • Key Organisational Deliverables which include two strands:
    • risks related to overall organisational health
    • risks concerning compliance with statutory obligations

Strategic risks are identified collaboratively with senior leaders and are reported to SLT, Cabinet and the Scrutiny and Audit & Governance Committees.

Subject matter experts may be invited to provide additional context and insight, to support informed decision making when strategic risks are discussed.

Criteria for Strategic Risk Classification

A risk may be classified as strategic if it meets one or more of the following criteria:

  • it will have a noticeable impact on achieving strategic priorities as documented in the council plan or key organisational deliverables
  • it is rated 20 or more according to the Council’s risk scoring matrix based on the existing controls that are in place
  • it has a noticeable impact upon the use of the Council’s key resources (finance, people etc)
  • it may result in significant attention from external stakeholders, with the potential to cause significant reputational and/or political damage

Our strategic risks are monitored quarterly and reviewed at least annually to ensure they remain proportionate, relevant, and aligned with the organisation’s objectives. This ongoing review process supports the Council’s commitment to delivering effective outcomes for the residents of Dorset and maintaining a robust approach to risk management.

3. Strategy

Dorset Council’s Risk Strategy outlines its overarching approach to risk management. It comprises two key components:

  1. Risk Management Policy Statement: this statement defines the Council’s overall approach to managing risk. It sets out the objectives of risk management and explains how it supports the achievement of Dorset Council’s strategic aims
  2. Risk Appetite Statement: this statement provides a high-level strategic direction on the amount of risk the Council is willing to accept in pursuit of its objectives. It defines the optimal level of risk and establishes the guiding principles for operational teams when making decisions

The following pages provide detailed information on both the Risk Management Policy Statement and the Risk Appetite Statement, both of which are kept under regular review to ensure they remain appropriate.

Risk Management Policy Statement

Dorset Council is committed to managing risk across all levels of the organisation, adopting a proportionate approach to identifying, analysing, evaluating, and treating risks. This approach underpins the achievement of our strategic objectives and strengthens the quality and resilience of the services we deliver to our communities.

We foster a culture that prioritises accountability over blame, ensuring that risks are actively managed rather than avoided.

Our Risk and Performance Architecture reflects Dorset Council’s commitment to being a risk-informed organisation, where decisions are guided by a balanced understanding of risk, and where it is recognised that not all risks can be controlled to the same extent.

This policy statement forms part of our Risk Management Strategy with the following subset of objectives:

  • ensure compliance with legal, regulatory and statutory obligations
  • provide assurance that risk management activities are proportionate, aligned with our enterprise, comprehensive in scope, embedded in organisational processes, and responsive to emerging challenges
  • deliver relevant, risk-based information to support effective decision-making
  • enable the efficient and effective delivery of our strategic, tactical, operational and compliance goals

Risk Appetite

Our risk appetite statement provides a high-level strategic direction on the amount of risk the Council is willing to accept in the pursuit of its objectives. It has been developed using our Risk Appetite Framework, which is informed by the Orange Book, a recognised risk management standard for the public sector.

The statement reflects the outcomes of consultation with the Senior Leadership Team and Cabinet and has been formally approved by the Leader of the Council under delegated authority.

The following sections outline our risk appetite statement, as adopted on 21 August 2025, followed by an overview of the Risk Appetite Framework that underpins its development.

Once adopted, the risk appetite will be actively monitored to ensure it remains appropriate. It will be reviewed by each new administration, to maintain alignment with the Council’s strategic priorities and governance arrangements.

Risk Appetite Statement

Dorset Council is committed to building a secure, resilient, and forward-looking organisation, where risk is not only managed but also embraced as a catalyst for innovation and improvement. We are shaping a future where thoughtfully considered opportunities for change drive better outcomes for our communities, services and workforce.

We maintain strong safeguards to protect our people, property, assets and information, from harm or unauthorised use.

We accept that some financial uncertainty may be necessary to unlock significant improvements in service delivery and operate within a robust legal and regulatory framework, preparing for a future where adaptability and resilience are key to success.

Our open approach to commercial and procurement activity demonstrates a willingness to pursue innovation, with some non-critical decisions being made via devolved authority. We actively promote legitimate transparency, openness, and information sharing to support effective decision-making and collaboration in providing better services to our communities. Our operational stance empowers local managers to make non-critical decisions and encourages evidence-based experimentation, fostering a culture of responsible innovation.

Our people policies provide a strong and stable foundation, while remaining open to flexible, people-centred approaches that foster innovation, adaptability, and growth. We are committed to investing in our workforce, developing a diverse range of skills to meet evolving needs and challenges. We ensure that all projects and programmes display demonstrable benefits, so that every initiative actively contributes to building a thriving, future-ready council.

In property and asset management, we are exploring diverse, adaptive solutions to meet evolving organisational needs in delivering services to our communities. We are eager to develop new models, partnerships, and technologies that can enhance our impact and outcomes for communities.

We are preparing for the future with a clear focus on resilience, adaptability and continuous improvement. By taking a thoughtful and balanced approach to risk, and aligning our efforts with long-term priorities, we aim to build a council that is responsive to change and committed to delivering the best outcomes for our communities.

Risk Appetite Framework

Our Risk Appetite Framework outlines the agreed risk appetite levels for each Principal Risk, following consultation with Cabinet and the Senior Leadership Team. These determinations directly inform the overarching Risk Appetite Statement and establish the context for risk-taking across defined parameters. The Framework, along with the corresponding appetite selections, is presented on the following pages, with the highlighted cells representing the risk appetite level.

Risk Appetite Level Definitions

The following provides a summary of Dorset Council's Risk Appetite Levels for each Principal Risk.

Commercial

Averse (1): Dorset Council has a strong preference for engaging in tested and established commercial agreements with close management controls and oversight.

Minimal (2): Dorset Council accepts low-scale commercial/procurement activity via devolved authority, with medium and high-level activity validated by senior management.

Cautious (3): Dorset Council tends to stick to the status quo. Commercial innovations are avoided unless necessary, with decisions generally held by senior management.

Open (4): Dorset Council has a willingness to pursue innovation which has previously shown benefit. Its non-critical decisions may be devolved to local managers.

Eager (5): Dorset Council has a desire to innovate and break the mould. Commercial initiatives are pursued in improving services with high levels of devolved authority to increase business agility.

Data and Information Management

Averse (1): Dorset Council’s data and information are secured through strict access controls and extensive monitoring.

Minimal (2): Dorset Council ensures minimal distribution of data and information to reduce the risk and damage arising from disclosure.

Cautious (3): Dorset Council’s data is distributed cautiously, and only when required to maintain operational effectiveness.

Open (4): Dorset Council accepts that openness and information sharing is needed for effective operations in a controlled environment.

Eager (5): Dorset Council’s data and information is subject to minimal controls. Its data is open and easily accessible in the pursuit of operational effectiveness.

Finance

Averse (1): Dorset Council safeguards its financial resources as a priority and avoids any activities that could lead to financial loss or impact.

Minimal (2): Dorset Council considers that financial impacts and risks are only acceptable when related to the essential delivery of services.

Cautious (3): Dorset Council’s financial decisions accept some uncertainty related to loss or impact, only if they yield upside opportunities in service delivery.

Open (4): Dorset Council is willing to invest and take on higher financial risks to support the business where they have been appropriately managed with controls.

Eager (5): Dorset Council seeks to invest for the best possible benefit in opportunities, acknowledging that there may be significant financial loss or impact.

Legal

Averse (1): Dorset Council avoids areas that could be potentially challenged legally, even if the chances of winning any case are high.

Minimal (2): Dorset Council operates on a basis that ensures it would be successful in any legal challenge.

Cautious (3): Dorset Council takes decisions where it must be reasonably certain that it would be able to win any legal challenge.

Open (4): Dorset Council takes tough decisions and accepts that any legal challenge is likely to be difficult, but the potential benefits outweigh the downsides.

Eager (5): Dorset Council accepts that the possibility of losing any legal case is high, but the potential benefits that could be realised in the event of success are exceptional.

Operations

Averse (1): Dorset Council adopts a “tried and tested” approach to operational delivery, with close management control.

Minimal (2): Dorset Council pursues innovations only in the instance that it is deemed essential for operational delivery and validated by senior management.

Cautious (3): Dorset Council tends to stick to the status quo. Operational innovations are carefully selected where necessary, and decisions are generally held by senior management.

Open (4): Dorset Council pursues innovation that has evidence of previous benefits. There is a willingness to innovate and responsibility for non-critical decisions may be devolved to local managers.

Eager (5): Dorset Council seeks innovative approaches to operational delivery by constantly challenging current practices. This is supported by high levels of devolved authority.

People

Averse (1): Dorset Council maintains close management control, with little devolved authority. There is limited flexibility in working practices and development of staff is limited to “essential” services only.

Minimal (2): Dorset Council’s Senior Leadership hold decision-making authority. The organisation adopts strict recruitment and retention strategies to minimise disruption and development is limited to being role specific.

Cautious (3): Dorset Council’s decision-making is generally controlled by senior management. There is acceptance of safe and standard people / working policies.

Open (4): Dorset Council adopts devolution of certain work-related decision-making responsibilities. The organisation is willing to invest in its people to create a variety of skills in its workforce.

Eager (5): Dorset Council adopts high levels of devolved authority. The organisation constantly challenges working practices to pursue innovation and invests significantly in staff development to create a broad skillset.

Project/Programme

Averse (1): Dorset Council prioritises projects / programmes with almost certain outcomes that are supported by close management control and oversight. There is a preference for maintaining and protecting rather than creating or innovating.

Minimal (2): Dorset Council prioritises only the most essential innovations. Decision making is held by senior management, with projects / programmes needing to demonstrate clear links to the organisation’s strategic priorities.

Cautious (3): Dorset Council tends to stick to the status quo and innovations are generally avoided unless necessary. Decision making is typically made by senior management with projects and programmes aligned to strategic priorities.

Open (4): Dorset Council pursues innovation when projects / programmes display demonstrable benefits. Decision making may be devolved to local managers, with plans aligned to functional standards.

Eager (5): Dorset Council constantly pursues innovation to achieve the best working practices and “break the mould”. There are high levels of devolved authority with plans largely aligned to organisational governance.

Property

Averse (1): Dorset Council complies with strict policies for the purchase, rental, disposal, construction, and refurbishment of property, which ensure it produces good value for money.

Minimal (2): Dorset Council is recommended to follow strict policies for the purchase, rental, disposal, construction, and refurbishment of property, which ensure it produces good value for money.

Cautious (3): Dorset Council can adopt a range of agreed solutions for the purchase, rental, disposal, construction and refurbishment of property, which ensure it produces good value for money.

Open (4): Dorset Council can adopt a range of agreed solutions for the purchase, rental, disposal, construction and refurbishment of property, which ensure it meets organisational needs.

Eager (5): Dorset Council applies dynamic solutions for the purchase, rental, disposal, construction and refurbishment of property, which ensure it meets organisational needs.

Reputation

Averse (1): Dorset Council has no appetite for any decisions with a high chance of repercussion to the organisation’s reputation.

Minimal (2): Dorset Council’s appetite for risk taking is limited to those events where there is no chance of any significant repercussion to the organisation’s reputation.

Cautious (3): Dorset Council’s appetite for risk taking is limited to those events where there is little chance of any significant repercussion to the organisation’s reputation.

Open (4): Dorset Council has appetite to take decisions with the potential to expose the organisation to additional scrutiny, but only where appropriate steps are taken to control the risk.

Eager (5): Dorset Council has an appetite to take decisions which are likely to bring additional Governmental/organisational scrutiny, only where potential benefits outweigh the risks.

Security

Averse (1): Dorset Council has no tolerance for security risks causing loss or damage to its property, assets, information or people with stringent control measures in place.

Minimal (2): Dorset Council aims to minimise loss or damage to property, assets, information or people with significant control measures in place.

Cautious (3): Dorset Council accepts limited security risks to support business need, with industry standard controls in place to protect its property, assets, information or people.

Open (4): Dorset Council accepts some security risks to support business need with tailored controls in place to protect its property, assets, information or people.

Eager (5): Dorset Council accepts security risks to support business need with the minimum level of controls in place to support agile use of its property, assets, information or people.

Technology

Averse (1): Dorset Council generally avoids developments in systems and technology.

Minimal (2): Dorset Council considers development in systems and technology that is deemed vital to protect current operations.

Cautious (3): Dorset Council implements the use of established / mature systems and technology to enhance the organisation’s performance.

Open (4): Dorset Council welcomes new systems and technologies in the pursuit of improved service delivery and organisational performance.

Eager (5): Dorset Council views new systems and technology as essential for organisational development and service delivery.

Applying Dorset Council’s Risk Appetite Framework

To implement Dorset Council’s Risk Appetite Statement effectively, each Principal Risk area must include clear parameters. These metrics should distinguish between acceptable and unacceptable levels of risk-taking. They must also identify when escalation is needed, in line with the Council’s existing governance structures.

4. Protocols

Dorset Council’s Risk Management Protocols comprise the tools, templates and guidance that support the practical implementation of risk management across the organisation. They ensure consistency, transparency and accountability in how risks are identified, assessed and managed.

The Risk Dashboard

Dorset Council’s Risk Dashboard serves as the central internal platform for recording, updating, and reporting on organisational risks and their corresponding control measures. It captures risks with broad, authority-wide impact, particularly those that could affect the achievement of the council’s strategic objectives or key organisational deliverables. This includes high-level risks associated with strategic implementation, tactics such as portfolios, programmes, and major projects, as well as risks related to legal compliance and statutory obligations.

While operational risks specific to individual business units are typically managed at the local level, they may be escalated to the Risk Dashboard if they become relevant to strategic, tactical, or compliance-related concerns.

The Risk Dashboard supports informed, risk-aware decision-making by providing senior leaders and decision-makers with key insights. Via the Dashboard, risks can be organised into groups, including by Principal Risk and Council Plan priority, enabling proportionate and objective-aligned analysis. Additionally, the Risk Dashboard serves as a dynamic record of Dorset Council’s risk landscape, requiring regular updates from designated risk owners. This process not only ensures accountability in risk management but also maintains an accurate and fit-for-purpose organisational risk register.

The Risk Dashboard is a tool that is accessible to all internal Dorset Council colleagues and elected members. While the platform itself is internal, the information it contains is used to populate risk data in report format for public consumption via Committees and other public briefings as required.

Dorset Council’s Risk Scoring Matrix

Dorset Council’s Risk Scoring Matrix guides risk owners to assess each risk using two key dimensions:

  • impact: the consequences if the risk materialises
  • likelihood: the probability of the risk occurring

When entering a risk into the Risk Dashboard, unless otherwise stated, assessments should be made based on the impact and likelihood in relation to the existing controls that are currently in place to manage the risk. This ensures that senior leaders and decision-makers receive information that reflects the council’s actual operating environment.

Impact

Scored on a scale from 1 to 5. Each score is supported by descriptors that explain the type and severity of impact. If a risk spans multiple impact levels, best practice is to select the highest applicable score.

Likelihood

Also scored on a scale from 1 to 5. The descriptors for likelihood are more subjective and rely on the judgement of subject matter experts. These experts assess how likely the risk is to occur, using the descriptors as guidance.

The overall risk score is calculated by multiplying the impact score by the likelihood score. This score determines the risk’s position on the Risk Scoring Matrix:

  • a score of 1 to 4 indicates a low risk
  • a score of 5 to 10 indicates a medium risk
  • a score of 12 to 16 indicates a high risk
  • a score of 20 to 25 indicates a very high risk

Because both factors are whole numbers from 1 to 5, only the products that can actually arise (1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25) carry a rating; scores such as 7, 11 or 14 cannot occur, which is why the bands above are not contiguous.

The vertical axis of the matrix represents impact, and the horizontal axis represents likelihood.

The assigned risk rating not only highlights the significance of the risk to Dorset Council but also determines its review cycle by risk owners:

  • risks rated low or medium must be reviewed every 180 days from the last review date
  • risks rated high or very high must be reviewed every 90 days

The following presents Dorset Council’s Impact Matrix, Likelihood Matrix, and the overall Risk Scoring Matrix. These should be used when scoring risks within the Risk Dashboard.

Assessing Impact

In assessing impact, the following 1 to 5 scoring system is to be followed.

Catastrophic (Score 5)

  • multiple deaths of employees or those in the council’s care
  • inability to function effectively, Council-wide
  • will lead to resignation of Chief Executive and/or Leader
  • Corporate Manslaughter charges
  • service delivery must be taken over by Central Government
  • front page news story in National Press
  • financial loss over £10m

Major (Score 4)

  • suspicious death in Council's care
  • major disruption to Council's critical services for more than 48 hours
  • noticeable impact achieving strategic objectives
  • will lead to resignation of Senior Officers and/or Cabinet Member
  • adverse coverage in National press/Front Page news locally
  • financial loss £5m-£10m

Moderate (Score 3)

  • serious injury to employees or those in the council's care
  • disruption to one critical Council service for more than 48 hours
  • will lead to resignation of Head of Service / Project Manager
  • adverse Coverage in local press
  • financial loss £1m-£5m

Slight (Score 2)

  • minor injury to employees or those in the council's care
  • manageable disruption to services
  • disciplinary action against employees
  • financial loss £100k-£1m

Limited (Score 1)

  • day-to-day operational problems
  • financial loss less than £100k

Assessing Likelihood

In assessing likelihood, the following 1 to 5 scoring system is to be followed.

Almost Certain (Score 5)

Reasonable to expect that the event will happen or reoccur, possibly frequently.

Likely (Score 4)

Event is more than likely to occur. Will probably happen or reoccur but is not a persisting issue.

Possible (Score 3)

Little likelihood of event occurring. It might happen or reoccur occasionally.

Unlikely (Score 2)

Event not expected. Do not expect it to happen or reoccur, but it is possible that it might do so.

Very Unlikely (Score 1)

Exceptional event. This will probably never happen or reoccur.

Dorset Council risk scoring matrix (rows: impact; columns: likelihood; each cell is impact score × likelihood score)

Impact \ Likelihood   Very Unlikely (1)   Unlikely (2)   Possible (3)   Likely (4)   Almost Certain (5)
Catastrophic (5)      5                   10             15             20           25
Major (4)             4                   8              12             16           20
Moderate (3)          3                   6              9              12           15
Slight (2)            2                   4              6              8            10
Limited (1)           1                   2              3              4            5

Score and risk rating

Risk score   Risk rating
20 to 25     Very High
12 to 16     High
5 to 10      Medium
1 to 4       Low

5. Further Information

The following sources provide further details on Enterprise Risk Management at Dorset Council:

Version History

Version v0.1

Date: 30 June 2025

Status: Draft

Author: Chris Swain

Change description: New framework in line with SWAP audit

Version v0.2

Date: 01 July 2025

Status: Draft

Author: Chris Swain

Change description: Addition of the revised Policy Statement

Version v0.3

Date: 04 July 2025

Status: Draft

Author: Chris Swain

Change description: Updated to ERM Framework document

Version v0.4

Date: 19 September 2025

Status: Draft

Author: Chris Swain

Change description: Final draft for presentation to Audit and Governance Committee

Version v1.0

Date: 13 October 2025

Status: Final

Author: Chris Swain

Change description: Endorsed by Audit and Governance Committee for publication

6. Glossary

To support consistency and clarity in the application of our Risk Management Protocols, the following glossary provides definitions of key terms. Establishing a shared understanding of language is essential to ensure that risk is communicated effectively across all levels of the organisation.

Control

Actions or measures designed to reduce the impact or likelihood of a risk.

Corporate Governance

The rules and practices that control the way an organisation is directed.

Enterprise Risk Management (ERM)

A cohesive and structured approach that unites Dorset Council’s various risk management disciplines under a single framework.

Impact

Something that has a marked influence on an objective, individual, community or organisation if a risk materialises.

Likelihood

A judgement on the chance a risk may materialise.

Operations

Organised activities to deliver objectives or services.

Principal Risk

A risk classification under which every other risk is aligned, as a subset of one or more Principal Risks.

Risk

The effect of uncertainty on objectives.

Risk Analysis

The scoring and assessment of the significance of a risk.

Risk Appetite

The level of risk Dorset Council is willing to accept in pursuit of its objectives.

Risk Evaluation

The assessment of the controls in place to manage a risk.

Risk Identification

The recognition and initial documentation of a risk.

Risk Treatment

The actions to be taken to control or maintain the risk.

Specialist Risk Management Function

Areas within the organisation that possess dedicated expertise in managing specific risks. Examples include cyber security, emergency planning, health and safety, insurance and project and programme risk management. 

Strategic Risk

Specific risks that, if they materialise, may be the most consequential for achieving the organisation’s Strategic Priorities or Key Organisational Deliverables.