News & Blog


Following risk management procedures not only ensures parish and town councils fulfil key statutory requirements. It helps the authority to deliver better public services.

If you are a member of a local parish or town council, you will be very familiar with the Annual Governance and Accountability Return that is completed each year. Most councils are required to publish the document and send it, together with supporting documentation, to their external auditor for a limited assurance review to be completed.

One of the key assertions within Section 1 of the Annual Governance Statement relates to the management of risk. Councillors of an authority (be it a local parish or town council) must be able to state: “We carried out an assessment of the risks facing this authority and took appropriate steps to manage those risks, including the introduction of internal controls and/or external insurance cover where required.”

Procedures for managing risks in a local authority

To warrant a positive response to this assertion made on the statement, the authority needs to have the following arrangements in place: 

1. Identifying and assessing risks

The authority needs to identify, assess and record risks associated with actions and decisions it has taken or considered taking during the year that could have financial or reputational consequences. 

2. Addressing risks 

Having identified, assessed and recorded the risks, the authority needs to address them. This means ensuring that appropriate measures are in place to mitigate and manage risk. This might include the introduction of internal controls and/or appropriate use of insurance cover. 

3. Reviewing and reporting risks 

Risk management is an ongoing activity and works best when a risk register is kept and regularly reviewed.

The role of the internal auditor

Part of the internal auditor’s job will be to ascertain whether the authority assessed the significant risks to achieving its objectives. The auditor will also assess whether the authority reviewed the adequacy of arrangements to manage these risks during the year is question.

To prove that an adequate assessment was carried out, local authorities must keep detailed records. This includes accurately recording minutes of the full council meeting in which the assessment took place. Your internal auditor may need to rely on this evidence to corroborate your claims.

It is important to note that this process must be done at least annually. Should the date of the risk assessment change from year to year, there is a danger that the authority may not have complied with their responsibilities in a particular financial year. This means that two risk reviews could then fall into one financial year and none in the following year.

Ongoing risk management

All councillors should be aware of these important responsibilities. Risk management is not something that can be delegated to another councillor or a sub-committee. It is important that the risk assessment is undertaken at a full council meeting. 

Councils that undertake the risk management process effectively will realise the process is far more than a box ticking exercise. It provides an opportunity for the authority to reflect on what it wants to achieve and address the possible risks that it might face. Ultimately, it enables councillors to ensure their authority provides quality public services to the electors that they represent.

How Thomas Westcott can help

Thomas Westcott offers specialist internal audit services for a significant number of local authorities. We have gained a wealth of knowledge and experience over the years in this specialist field of work. If you would like to explore how Thomas Westcott can help you protect your council please contact me on 01297 33388 or email me here.

By Tom Stuckey, Manager