Risk Management Strategy
2007/08 Onwards
One NorthEast Governance Section
Risk Management Strategy 2007/08 Onwards
Contents
Foreword by Chair and CEO ........................................................... 2
Executive Summary ....................................................................... 3
1. What is Risk and Risk Management? ....................................... 4
2. Why do we need to consider Risk Management? ..................... 5
3. What does this mean in practice? ............................................ 5
4. Who is responsible for risk management? ............................... 6
5. What could go wrong?............................................................. 6
6. What are the Risk Management processes in the Agency? ...... 7
6.1 Overview ........................................................................... 7
6.2 The Hierarchy of Risk Management ........................................ 7
6.3 Risk Appetite ...................................................................... 9
6.4 Board Level Risk Management..............................................10
6.5 Director Level Risk Management...........................................10
6.6 Head of Team Level Risk Management...................................10
6.7 Programme Level Risk Management......................................10
6.8 Corporate Risks / Common Risk Framework ...........................11
7. Reporting Arrangements ....................................................... 13
7.1 Directors ...........................................................................13
7.2 Heads of Team...................................................................13
7.3 Governance Section............................................................14
7.4 Review and Reporting Risks .................................................15
7.5 Quality Review of Risk Registers ...........................................15
7.6 Communication and Learning ...............................................16
7.7 Risk Management Cycle ......................................................16
8. Risk Mechanics ..................................................................... 18
8.1 Identifying Risks ................................................................18
8.2 Assessing Risks..................................................................18
8.3 Mitigating Risks..................................................................19
9. Partner Organisations ........................................................... 22
10. A Risk Management Strategy suitable for the Agency?.......... 23
11. Project Risk Management ...................................................... 24
Appendix 1 Risk Management – Roles and Responsibilities ......... 25
Foreword by Chair and CEO
The achievement of our vision “to be the best economic regeneration
Agency in the UK” and meeting the economic challenges faced by the
North East region inevitably means that the Agency will need to take risks.
We are fully committed to ensuring that these risks are fully understood
and carefully managed.
We are now beginning to drive forward the delivery of the new Regional
Economic Strategy. This will require our partnerships to move to new
levels of collaboration, building on existing signs of economic
improvement in the region, to allow us to realise our full potential. In
order to do this successfully it is important that we are risk aware rather
than risk averse. Our risk appetite reflects this approach and
demonstrates that we will not shy away from potentially risky ventures
but rather identify and manage risks to minimise the possibility of failure.
We are focused on the need to take a holistic approach to the
management of risk and address it throughout the Agency’s operations,
including planning, decision making and in day-to-day operations.
We believe that management of risk is the responsibility of all staff
throughout the Agency. Within this revised strategy, we will have a
dynamic process that allows risks to be addressed continuously, with early
identification and management at the appropriate level. In promoting this
risk aware culture, we believe that we will be better positioned to achieve
our objectives.
Margaret Fay, Chairman
Alan Clarke, Chief Executive
Executive Summary
Risk management includes identifying, assessing and judging risks, taking
actions to mitigate them, and monitoring and reviewing progress.
We are no strangers to risk management. The Agency has adopted a risk
management process for many years now and we should all feel proud of
the way in which we have established processes to help identify and
manage risk. However, we must recognise that risk management is not
static, risks change with time. For the year 2007/08 and onwards, we
want the Agency to further raise the bar in respect of the quality of the
risk management process and ensure that it remains fit for purpose,
whilst addressing all of the Agency’s requirements from a system of risk
management.
We all have a role to play in improving our risk management. This is not
just introducing processes and systems. We must develop a culture and a
set of behaviours which are conducive to the demands of risk
management. This strategy outlines the requirements we need to meet to
evidence embedded risk management and to underpin the assurances
provided each year in the Agency’s Statement of Internal Control.
The main changes to the Strategy for 2007/08 and beyond include:
• reinforcing the need to be risk aware and not risk averse (section 2)
• encouraging the linking of risks to the achievement of team
objectives (section 6.2)
• reporting of Sub Regional Partnership significant risks (section 9)
• use of the common risk framework to highlight key risk areas for
the Agency (section 6.8)
• an independent in-depth rolling review of risk registers (section 7.5)
The Strategy will continue to be reviewed annually to ensure it remains a
useful tool to help mitigate the changing risks facing the Agency.
A Risk Management Guidance document is available separately which
provides the technical detail in relation to the completion of risk registers.
Risk Management Strategy
1. What is Risk and Risk Management?
HM Treasury defines risk as “the uncertainty of outcome, whether positive
opportunity or negative threat, of actions and events.” This definition is
contained within the publication “Management of Risk – Principles and
Concepts, October 2004” commonly referred to as “The Orange Book.”
Each risk has to be assessed in respect of the combination of the
probability of something happening, and the impact which arises if it
actually does happen.
Risk Management includes identifying, assessing and judging risks, taking
actions to mitigate them, and monitoring and reviewing progress.
There are a wide range of risk management techniques, but they share a
basic generic risk management process which is illustrated below.
Fig 1.1: The Risk Management Process
There is a danger that risk management will be seen as a mechanical
process. To address this, all contributors must use judgement in every
aspect of the way risks are managed.
2. Why do we need to consider Risk Management?
The Agency has a good track record in delivering its objectives and
targets, and risk management has played a key role in this – whether we
recognise it at the time or not. But the challenge we face, and the rate of
change, puts us under increasing pressure to continually improve the
quality of our management. This means that we need to make sure that
our risk management processes are structured, as well as being instinctive
and intuitive. If we are to meet these challenges, high quality risk
management needs to be at the core of our decision making at all levels
of the Agency.
Risk management should not be a process that stifles innovation and
prevents opportunism but rather one in which risks can, and should, be
taken, providing they are actively managed and justified. The nature of
the Agency’s remit means that it must remain at the forefront of
developing pioneering schemes and so we must ensure that as an
organisation we are risk aware rather than risk averse. It is acceptable to
have a high risk initiative providing it is administered appropriately. The
focus should be on the action taken to manage the risk and not simply on
reducing the risk status.
We can expect the focus on risk management to intensify. The Public
Accounts Committee Chairman has welcomed HM Treasury initiatives to
improve risk management “but they need to monitor how plans are
implemented to ensure that they are underpinned by effective action to
manage risks.”
There is an ongoing requirement from HM Treasury that a Statement of
Internal Control (SIC) is attached to our annual accounts, setting out the
processes we have in place for managing the most significant risks to the
achievement of our objectives.
The Agency is increasingly being held to account for the way we have
implemented risk management. We need to continue to demonstrate that
we have a structured approach, which is embedded into the planning and
reporting cycles.
3. What does this mean in practice?
We want to be recognised as an organisation that effectively identifies and
manages the most significant risks to the delivery of our business
direction and targets, and is willing to take appropriate risks to enable us
to deliver an innovative public service.
We will do this by:
• making risk management an integral part of the day to day decision
making processes in the Agency
• developing our skills in anticipating and capitalising on opportunities
to improve our performance and the services we provide
• making risk management visible, proportionate, responsive, co-ordinated
and collaborative
• knowing which risks can be managed locally, and which need to be
escalated to the next level of management
This strategy outlines our processes for managing risks, and defines the
roles and responsibilities of those who have the task of ensuring that
effective risk management processes are in place. A Risk Management
Guidance document will be issued to teams to supplement the information
provided in this Strategy.
4. Who is responsible for risk management?
All of us have a key role to play in improving the way in which we manage
risks. In addition, there are certain specific Agency responsibilities:
• The Chief Executive Officer (CEO), as Accounting Officer, has
overall responsibility for ensuring that the Agency has effective risk
management processes in place. In common with other NDPBs
and Government Departments, we are required to detail progress in
implementing risk management in the SIC, which is signed by our
CEO and attached to our annual accounts
• The Director of Corporate Resources has day-to-day responsibility
for governance issues which include coordinating and improving the
Agency’s risk management processes. He is supported by the
Governance Section in the Performance Management team
Other responsibilities are outlined in Appendix 1.
5. What could go wrong?
As risk management is relevant to all staff in the Agency, they need to be
aware of the key risks which affect the delivery of their work. Knowing
what could prevent achievement of objectives means that plans can be
made to lessen the likelihood of the potential problem materialising i.e.
mitigating the risk. The risk management process must be sufficiently
thorough to ensure that all known risks, opportunities or potential threats
are identified.
Further in depth explanation of risk management is contained at Section 8
of this document.
6. What are the Risk Management processes in the Agency?
6.1 Overview
The overall aim of risk management is that all teams, and all Agency
employees from Board level right down to individuals, should have a clear
understanding of the biggest risks to the achievement of their objectives,
and the measures which need to be taken to manage these risks
effectively. As well as identifying risks to business as usual, we also need
to be alert to opportunities for taking well managed risks to improve the
services we provide.
The Agency has well established risk management processes in place for
many of our business processes. The challenge now is to develop and
improve these, and draw the risk information together to provide a
structured comprehensive picture of the main risks to our business.
6.2 The Hierarchy of Risk Management
There are many sources of risk – one of which is the failure to achieve
specific objectives in business plans. It is neither feasible, nor desirable,
to attempt to draw into a single risk register all of the risks identified at
different levels within the Agency. Our approach is to have a hierarchy of
risk management and associated risk registers, which mirrors the
hierarchy of team objectives in the Agency. This enables us to assess the
wider impact of specific risks on the Agency’s business, and to pull
together generic risks from a variety of sources.
The close link between risks and the achievement of objectives will be
reinforced by including details of key risks in regular performance reports.
In this way, lower level risks will inform the consideration of risks at the
next level. This “bottom up” aspect of risk management will provide
confidence that the risk identification process is comprehensive.
Teams will be encouraged to link risk management to the objectives and
key processes of the team. This will assist with ensuring that risks take a
more strategic view of the team’s and Agency’s activities and priorities.
Although the requirement to manage risks applies to all teams throughout
the Agency, the way in which this is implemented will vary. In general, at
senior levels the process will need to be more structured and formal than
will be necessary for local teams.
Fig 6.2: Diagram of Risk Management Hierarchy (risk pyramid, with risk
information flowing between adjacent levels)

Significant Directorate/Agency Risks
  Board responsibility.
  Linked to corporate objectives and corporate plan.
  Reviewed quarterly by Directors.

Directorate Risks
  Directors' responsibility.
  Linked to Directors' own objectives, Directorate plan and Agency programmes.
  Reviewed quarterly by Head of Team.

Operational/Team Risks
  Head of Team responsibility.
  Linked to team objectives and team plan.
  Reviewed monthly by Team.

Individual Risks
  Linked to individual objectives and individuals' job outcomes.
  Reviewed regularly against outcomes by individual.
6.3 Risk Appetite
Risk management is not about completely eliminating risks. Rather, it
involves making judgements in setting the Agency’s risk appetite at the
point beyond which a risk is deemed unacceptable.
Exposure to risk can be shown on a risk profile matrix. This matrix is
used to:
• Plot the relative position of an individual risk
• Prioritise the significance of all risks
• Establish the Agency’s overall risk profile, in relation to risk
appetite, above which exposure to risk is deemed unacceptable
Within the Agency we use a 3x3 matrix, as illustrated below. Risks which
are deemed to fall into the High Probability/High Impact or High
Probability/Medium Impact cells are judged to be over the Agency’s risk
appetite. These are designated as significant risks and effective
mitigating action must be taken as a priority.
Fig 6.3: 3x3 Risk Matrix (cells read Probability/Impact; probability on the
vertical axis, impact on the horizontal axis)

                          IMPACT
                 LOW        MEDIUM                HIGH
PROBABILITY
  HIGH           H/L        H/M                   H/H
                            (Above Risk Appetite) (Above Risk Appetite)
  MEDIUM         M/L        M/M                   M/H
  LOW            L/L        L/M                   L/H
When completing the risk profile matrix, risk owners must analyse the
potential impact and likelihood of each risk and plot these on the
probability versus impact grid as appropriate. The position of a risk on
the matrix determines the degree of attention it requires to reduce it to an
acceptable level. If the threat of a risk being realised is deemed too high,
additional or more effective controls should be introduced to further
mitigate the risk to reduce its potential likelihood or impact.
To ensure that the Agency embeds risk management, each team, Head of
Team and Directorate needs to understand the accumulation of risks
facing them in order to determine which risks require priority treatment.
The following sections outline our general approach to risk management at
Board, Director and Head of Team levels.
6.4 Board Level Risk Management
The Board has responsibility to oversee the significant Directorate risks
which are managed by the Directors of the Agency. They will examine
these risks and seek assurance via the Audit Committee that they are
being managed effectively.
6.5 Director Level Risk Management
Directors have a pivotal role to play in encouraging their teams to make
risk management an integral part of their planning and reporting
processes. This will ensure that the Directors have a flow of good quality
risk information to inform decision making, which will complement
management information. It will also ensure that the significant
Directorate risks which Directors report to the Audit Committee and the
Board are soundly based.
6.6 Head of Team Level Risk Management
All teams, at any level, have an important part to play in ensuring that
there is a clear understanding throughout the Agency of the main risks to
the achievement of objectives – the quality of risk management at the top
of the Agency is only as good as the quality of the risk information which
is feeding up from each of the different areas. It is important that the
Head of Team ensures that their area of responsibility is feeding the right
information into the process and in turn is receiving feedback from their
respective Director. The process needs engagement from senior
management, but ultimate responsibility for any team risks lies with the
Head of Team.
Teams should undertake a thorough evaluation of risks as part of their
annual planning process, and at least a quarterly review of progress in
managing these.
6.7 Programme Level Risk Management
The Agency has identified eight externally reported Programmes of
activity under the revised Programme/Activity Structure, together with
three internally reported Programmes, as outlined overleaf. These
programmes cut across various teams and directorates of the Agency. To
ensure that we are managing risks to the Programmes effectively, each
Head of Team will be asked to identify which Programme their risk
elements are pertinent to.
Fig 6.7: Revised Programme/Activity Structure
By collating these risks, we are able to establish the risk position of
individual Programmes, reporting the status to Directors, as well as
Delivery and Development Heads of Team.
6.8 Corporate Risks / Common Risk Framework
Our bottom up approach to risk management ensures that risks identified
have a recognised owner responsible for mitigation. However, there may
be a number of risks that transcend Directorate or Team boundaries, for
example non-significant individual risks which together form an underlying
risk. Some organisations have “corporate risks”, but this may leave them
without an owner. The Agency’s approach is to categorise risks against a
“Common Risk Framework”. By collating these risks, we are able to
report on high level risk areas facing the Agency.
All risks identified should fit within one of eleven common risk categories,
developed especially for the Agency and taking into account the categories
identified by the Treasury’s Orange Book. These eleven categories have
been sub-divided into various elements. The categories are subject to
periodic review but will not change until the Strategy is reviewed again.
Fig 6.8: The Agency’s Common Risk Framework

Category of Risk            No.   Common Risk
Strategy/Policy             1.1   The Agency is not aligned with or does not contribute to Government policy
                            1.2   The Agency does not contribute to the strategic direction of the Region
Working with Partners       2.1   Partners do not work effectively/efficiently with the Agency
Third Party                 3.1   Suppliers fail to deliver or support the Agency
Programme/Project           4.1   The programmes/projects of the Agency do not deliver
Management                  4.2   The Agency lacks management information (financial and non financial) to allow effective management of the business
Communications/Marketing    5.1   The visibility or reputation of the Agency or Region deteriorates
Finance                     6.1   The Agency’s accounts are qualified
                            6.2   The Agency fails to secure sufficient funding to meet its requirements
                            6.3   Financial planning is not aligned with Agency strategic direction
                            6.4   The Agency fails to achieve the required efficiencies
                            6.5   The Agency is liable to fraudulent misuse of resources
Performance                 7.1   The Agency fails to achieve its corporate plan targets, both financial and non financial
IT                          8.1   The Agency is susceptible to internal or external IT system abuse
                            8.2   The Agency’s IT systems fail to support the business
HR/Legal                    9.1   The Agency fails to recruit, retain and develop appropriate numbers/quality of staff to deliver its business
                            9.2   The Agency fails to meet its legal obligations
Governance                  10.1  The Agency or its partners do not have effective/efficient governance arrangements
                            10.2  The Agency’s processes fail to support the business
Business Continuity         11.1  The Agency is unable to deliver its business due to the failure of one or more systems
                            11.2  The Agency cannot deliver due to the failure of a partner
7. Reporting Arrangements
7.1 Directors
The Directors will review the overall management of risks within their
Directorate, paying particular attention to those significant Directorate
risks which will also be reported to the Audit Committee and the Board.
Every quarter the Director will assess their Directorate risks for relevance
using information provided by the Heads of Team and collated by the
Governance Section. They will hold discussions with relevant Heads of
Team about the management of their risks. This review will encompass
consideration of promotion or demotion of certain risks or removal of risks
where they are no longer considered a threat. It will also cover the
inclusion of new risks that are materialising. The Director will sign a
quarterly Statement of Endorsement to confirm their contentment with
the way in which their Directorate risks are being managed.
The overall position of risks will also be discussed with the CEO on a
quarterly basis and he will be presented with a copy of all those risks
identified above the Agency’s risk appetite.
A report of the significant Directorate risks will be made to the Directors’
Team meetings on a quarterly basis. This will allow an overarching view
of Agency risks to be taken. Directors can challenge and discuss risks at
this meeting. These risks will also be reported to Audit Committee for
them to give assurance to the Board.
7.2 Heads of Team
Prior to the commencement of the financial year 2007/08, the Heads of
Team will determine the risks relevant to their teams. This will most
likely be the risks identified from the previous quarter together with any
new risks identified and minus any risks no longer applicable. These risks
should once again be reviewed in light of the Agency’s Common Risk
categories, as identified earlier, their overall team objectives and
alignment to the correct programme. Each Head of Team will monitor
these risks at least every quarter and report to the Director, via the
Governance Section, the status of their risks. Where a risk is above the
Agency’s risk appetite, this will be designated as a significant risk, and is
to be brought to the attention of, and managed by the relevant Director.
The Head of Team will also consider the promotion, demotion of risks or
the inclusion of new risks.
7.3 Governance Section
Every quarter the Governance Section will circulate prepared templates to
teams for completion. Within this template, the Head of Team will record
the current status of their risks. They should also record the mitigating
action that the team is taking, the date by which action is planned, and
the early warning indicators that would highlight that the risk was
germinating. They will also record the risk against which Agency Common
Risk category and Agency Programme the risk is aligned to. An example
of this template is shown below:
Fig 7.3: Risk register template

Columns: Risk No. | Risk | Mitigating Action | By When (Date) | Early Warning
Indicator | Owner | Programme | Common Risk No. | Previous Status (1 Jan 07:
Prob, Impact) | Current Status (1 Apr 07: Prob, Impact)

Example rows:

OD011
  Risk: Management development training is not delivered resulting in a lack of ability.
  Mitigating Action: Work group established to review content.
  By When: 1-Apr-07
  Early Warning Indicator: Project plan review.
  Owner: Organisation Development Specialist Advisor
  Programme: N/A
  Common Risk No.: 9.1
  Status: Pilot programme completed. Second cohort part way through and 3rd cohort commencing Jan 07. Scheduled regularly throughout 2007.
  Prob/Impact: L / M

OD012
  Risk: New IPR system is not fully adopted.
  Mitigating Action: PIR at intervals August 05, October 05, April 06 to evaluate effectiveness.
  By When: 1-Apr-07
  Early Warning Indicator: PIRs.
  Owner: Organisation Development Specialist Advisor / workstream manager
  Programme: Improving the Agency
  Common Risk No.: 9.1
  Status: PIR completed. Key learning points from review shared and to be actioned in Q4 for 2007 IPRS process.
  Prob/Impact: M / M

OD013
  Risk: Project management disciplines from the workstream activity are not fully adopted.
  Mitigating Action: Stakeholder engagement throughout process development. Effective training and developed on the new process. Monitoring of adoption.
  By When: 1-Jan-07
  Early Warning Indicator: Project board reviews.
  Owner: Organisation Development Manager / workstream manager
  Programme: Improving the Agency
  Common Risk No.: 9.1
  Status: Pilot activities review undertaken. Feedback to project board in Jan 07. Implementation plan to be reviewed in relation to training/roll out and adoption activities.
  Prob/Impact: H / H
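The mechanics described in sections 6.3, 6.8 and 7.2 (plotting each risk on the 3x3 matrix, flagging those above the Agency's appetite as significant, tracking promotion and demotion between quarterly reviews, and collating registers by Common Risk category and Programme) can be expressed as a small register model. The following is an added example and not the Agency's own tool or template logic; the `RiskEntry`/`Status` types, the function names and the sample register are constructed here. Risk numbers, wording and current probability/impact plots for OD011 to OD013 follow the template above, while the previous-quarter plots and the FN001 row are invented to exercise the promotion, demotion and ownership checks.

```python
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("L", "M", "H")

# Cells of the 3x3 probability/impact matrix that the Strategy places above
# the Agency's risk appetite (section 6.3): H/H and H/M (probability/impact).
ABOVE_APPETITE = {("H", "H"), ("H", "M")}

# The eleven Common Risk Framework categories (Fig 6.8), keyed by the
# number before the point in a common risk number such as "9.1".
CATEGORIES = {
    1: "Strategy/Policy", 2: "Working with Partners", 3: "Third Party",
    4: "Programme/Project Management", 5: "Communications/Marketing",
    6: "Finance", 7: "Performance", 8: "IT", 9: "HR/Legal",
    10: "Governance", 11: "Business Continuity",
}


@dataclass(frozen=True)
class Status:
    """One probability/impact plot on the matrix (each L, M or H)."""
    prob: str
    impact: str

    def __post_init__(self):
        if self.prob not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"probability and impact must be one of {LEVELS}")

    def is_significant(self) -> bool:
        return (self.prob, self.impact) in ABOVE_APPETITE


@dataclass(frozen=True)
class RiskEntry:
    """One row of a team register: identity, alignment and two status plots."""
    risk_no: str
    description: str
    owner: str
    programme: str
    common_risk_no: str
    previous: Status
    current: Status


def movement(entry: RiskEntry) -> str:
    """Promotion or demotion across the appetite line between the two reviews."""
    before, after = entry.previous.is_significant(), entry.current.is_significant()
    if after and not before:
        return "promoted"
    if before and not after:
        return "demoted"
    return "unchanged"


def significant_risks(register):
    """Risk numbers currently above appetite, i.e. to be escalated to the Director."""
    return [e.risk_no for e in register if e.current.is_significant()]


def collate(register, key):
    """Count total and significant risks per key (category or programme)."""
    counts = defaultdict(lambda: {"total": 0, "significant": 0})
    for e in register:
        bucket = counts[key(e)]
        bucket["total"] += 1
        bucket["significant"] += int(e.current.is_significant())
    return dict(counts)


def category_name(entry: RiskEntry) -> str:
    return CATEGORIES[int(entry.common_risk_no.split(".")[0])]


def validate_register(register):
    """Quality checks of the kind a Governance Section review would make."""
    issues = []
    seen = set()
    for e in register:
        if e.risk_no in seen:
            issues.append(f"{e.risk_no}: duplicate risk number")
        seen.add(e.risk_no)
        if not e.owner.strip():  # every risk must have an owner (section 8.1)
            issues.append(f"{e.risk_no}: no owner recorded")
        major = e.common_risk_no.split(".")[0]
        if not major.isdigit() or int(major) not in CATEGORIES:
            issues.append(f"{e.risk_no}: common risk number {e.common_risk_no!r} is outside the framework")
    return issues


# Constructed sample register (previous plots and the FN001 row are invented).
REGISTER = [
    RiskEntry("OD011", "Management development training is not delivered",
              "OD Specialist Advisor", "N/A", "9.1", Status("M", "M"), Status("L", "M")),
    RiskEntry("OD012", "New IPR system is not fully adopted",
              "OD Specialist Advisor / workstream manager", "Improving the Agency", "9.1",
              Status("M", "M"), Status("M", "M")),
    RiskEntry("OD013", "Project management disciplines are not fully adopted",
              "OD Manager / workstream manager", "Improving the Agency", "9.1",
              Status("M", "H"), Status("H", "H")),
    RiskEntry("FN001", "The Agency fails to secure sufficient funding",
              "", "Improving the Agency", "6.2", Status("H", "M"), Status("M", "M")),
]

if __name__ == "__main__":
    print("Significant risks:", significant_risks(REGISTER))
    for entry in REGISTER:
        print(entry.risk_no, movement(entry))
    print(collate(REGISTER, category_name))
    print(collate(REGISTER, lambda e: e.programme))
    print(validate_register(REGISTER))
```

Promotion and demotion here mean crossing the appetite line, which is the event that changes who manages the risk under section 7.2; a move within the acceptable region (OD011 from M/M to L/M) is reported as unchanged. The validation step mirrors the quality review in section 7.5: a row with no owner or with a common risk number outside the eleven categories is returned to the Head of Team before the Director's report is prepared.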
Once completed and returned, the Governance Section will collate and
quality check the information. This process will include a detailed critical
appraisal on a cyclical basis of each team’s register (see Section 7.5).
Reports will then be provided to the Directors on the status of their
Directorate risks, highlighting areas of concern. They will seek and
receive confirmation from the Director of their contentment with the
management of their Directorate risks.
Reports are presented to Directors based upon the registers submitted by
Heads of Team (HoTs); it is therefore vital that a thorough quality review
has been undertaken by the HoT. The Head of Performance Management will meet
with each Director to discuss the report and raise any quality issues
identified.
Where the Director believes that the Directorate risk wording should be
revised, or a risk should be promoted or demoted, or a new risk
introduced, the Governance Section will ensure that this is communicated
to the relevant Head of Team and appropriate amendments made.
7.4 Review and Reporting Risks
The management of risk has to be reviewed and reported on for two
reasons:
• To monitor whether or not the risk profile is changing
• To gain assurance that risk management is effective, and to identify
when further action is necessary
Processes should be put in place to review whether risks still exist,
whether new risks have arisen, whether the probability and impact of risks
has changed, report significant changes which adjust risk priorities, and
deliver assurance on the effectiveness of control. A review of risks and a
review of the risk management process are distinct from each other and
neither is a substitute for the other.
The Agency will adopt the “Stewardship Reporting” technique to assist in
the review process. This requires designated managers in the Agency to
report upwards on a quarterly basis on the work they have done to keep
risk and control procedures up to date and appropriate to circumstances
within their particular area of responsibility.
The Governance Section will prepare regular reports to the Directors’
Team, the Audit Committee and the Board on the overall status of risk
management within the Agency. Programme risk reports will also be
circulated to the applicable Delivery and Development Heads of Team.
Risks will also be reported in the Agency’s Quarterly Performance Report
which is made publicly available; hence the quality of our risk
management processes should reflect the importance placed on risk
reporting within the Agency.
7.5 Quality Review of Risk Registers
An independent challenge and in-depth review of team registers will be
made by the Governance Section on a cyclical basis to raise the quality of
the risk information within the register. On a monthly basis, two registers
will be selected ensuring that all teams will be covered at least once
during the year. Feedback will be provided to specific teams once the
review has been performed and any generic issues will be widely
circulated. Key lines of review will include challenging the assumptions
made, ensuring that sufficient action is being taken to mitigate the risk,
and appraising the information for accuracy and sufficiency. Cross team
and directorate analysis will also take place.
7.6 Communication and Learning
Communication and learning is not a distinct stage in the management of
risk; it is something which runs through the whole risk management
process. The identification of new risks or changes in existing risks is
dependent on communication. Horizon scanning depends on maintaining
a good network of communications with relevant contacts and sources of
information.
Communication within the Agency about risk issues is important for
various reasons. It ensures that:
• Everybody understands, in a way appropriate to their role, what the
Agency’s risk strategy is, what the risk priorities are, and how their
responsibilities fit into that framework
• Transferable lessons are learned and communicated to those who
can benefit from them
• Each level of management, including the Board, receives
appropriate and regular assurance about the management of risk
within their span of control. They need to be provided with
sufficient information to allow them to plan action in respect of risks
which are unacceptable as well as assurance about risks which are
deemed to be under control
As ever, training is a vital element in the successful implementation of a
risk management process. Where a training need is identified, suitable
assistance and support will be provided. Risk management does not come
naturally to many people, and so improvements in the standards of
education on risk issues provided must continually be high on the agenda.
Along with education, feedback is an essential characteristic of training.
Communication with partner organisations about risk issues is also
important. A misunderstanding of respective risk priorities can cause
serious problems – in particular leading to inappropriate levels of control
being applied to specific risks, and failure to gain assurance about whether
or not a partner organisation has implemented risk management for itself
can lead to dependence on a third party which may fail to deliver in an
acceptable way.
7.7 Risk Management Cycle
The diagram overleaf illustrates the Agency’s risk management cycle.
Fig 7.7: Agency Risk Management cycle (diagram). Elements shown: Board;
Audit Committee (give assurance; review and monitor; report progress on
managing the Agency’s risks); Directors (Significant Directorate Risks:
identify, assess, address, review; accept ownership; report significant
Directorate risks; discuss and consider); Governance Section (reporting);
HoTs (Team Risks: identify, assess, address, review).
8. Risk Mechanics
8.1 Identifying Risks
In order to manage risk, the Agency needs to know what risks it faces and
to evaluate them. Identification of risks is the first step. The Agency will
use continuous risk identification – which enables us to identify new risks
which did not previously arise, changes to existing risks, or risks which did
exist ceasing to be relevant to the Agency.
Risks should be related to objectives. Risks can only be assessed and
prioritised in relation to objectives, and this can be done at any level of
objective, from personal to organisational. A statement of a risk should
encompass the cause of the impact, and the impact to the objective
(cause and consequence) that might arise. Within this Strategy we would
like to emphasise the benefits of linking risks to team objectives.
Risks should be identified at a level where a specific impact can be
identified and a specific action or actions to address the risk can be put in
place. All risks should be assigned to an owner who has responsibility for
ensuring that the risk is managed and monitored over time. A risk owner,
in line with the accountability for managing the risk, should have sufficient
authority to ensure that the risk is effectively managed.
8.2 Assessing Risks
It is important that the assessment of the risk is completed using a
structured process in which both the probability and impact are considered
for each risk and which records the assessment of the risk in a way which
facilitates monitoring and the identification of risk priorities.
Some types of risk lend themselves to numerical diagnosis – particularly
financial risk. Others, such as reputational risk, are much more subjective,
and only an observation is possible. In this sense, risk assessment is
more of an art than a science, but a framework for assessing risks should
be developed.
The assessment needs to be done by evaluating both the probability of
the risk being realised and the impact if the risk is realised. A
categorisation of high/medium/low in respect of each should be given.
The highest priority risks should be given regular attention at the highest
level of the Agency and should be considered regularly by the Board. The
specific risk priorities will change over time as specific risks are addressed
and prioritisation consequently changes.
The following definitions of high/medium/low for both probability and
impact should be applied:
Probability:
• High – Very likely to happen (50% plus). Immediate action required.
• Medium – Quite likely to happen (5% to 50%). The situation should be closely monitored.
• Low – Unlikely that the risk will happen (less than 5%).
Impact:
• High – Critical threat to the achievement of objectives. Risk of a significant impact.
• Medium – Moderate threat to the achievement of objectives. Risk of a substantial impact.
• Low – Little threat posed to the achievement of objectives.
8.3 Mitigating Risks
The purpose of addressing risks is to turn uncertainty to the Agency’s
benefit by constraining threats and taking advantage of opportunities.
There are five key aspects to this:
• Terminate – some risks will only be treatable, or containable to
acceptable levels, by terminating the activity. The option of
termination will, more often than not, be unsuitable in terms of the
Agency’s risks. This option can be particularly important in project
management if it becomes clear that the projected cost/benefit
relationship is in jeopardy.
• Transfer – for some risks the best response may be to transfer
them. This may be done by conventional insurance or by paying a
third party to take responsibility for the risk. This option is
particularly good for mitigating financial risks or risks to assets. It
is important to note that some risks are not fully transferable – in
particular, it is generally not possible to transfer reputational risk
even if the delivery of the service is contracted out. Third party
relationships need to be carefully managed to ensure the successful
transfer of the risk if this option is to be taken.
• Treat – by far the greatest number of risks will be addressed in this
way. The purpose of treatment is that whilst continuing with the
activity giving rise to the risk, action (control) is taken to constrain
the risk to an acceptable level.
• Tolerate – the exposure may be tolerable without any further
action being taken. Even if it is not tolerable, the ability to do anything
about some risks may be limited, or the cost of taking action may
be disproportionate to the potential benefit gained. In these cases
the response may be to tolerate the existing level of risk.
Contingency planning for handling the impacts that will arise if the
risk is realised could supplement this option.
• Take the opportunity – this option is not an alternative to those
above; rather it is an option which should be considered whenever
tolerating, transferring or treating a risk. There are two aspects to
this. The first is whether or not at the same time as mitigating
threats, an opportunity arises to exploit positive impact. For
example, if a large sum of capital funding is to be put at risk in a
major project, are the relevant controls judged to be good enough
to justify increasing the sum of money at stake to gain even greater
advantages? The second is whether or not circumstances arise
which, whilst not generating threats, offer positive opportunities.
For example, a drop in the cost of goods or services frees up
resources which can be redeployed.
The option of “treat” in addressing risk can be further analysed into four
different types of control:
• Preventive controls – these controls are designed to limit the
possibility of an undesirable outcome being realised. The majority
of controls implemented in organisations tend to belong to this
category. Examples include the segregation of duties and limitation
of action to authorised persons (for example, permitting only those
suitably trained and authorised to handle media enquiries prevents
inappropriate comment being made to the press).
• Corrective controls – these controls are designed to correct
undesirable outcomes which have been realised. They provide a
route of recourse to achieve some recovery against loss or damage.
An example of this would be the design of contract terms to allow
for recovery of overpayment. Insurance can also be regarded as a
form of corrective control as it facilitates financial recovery against
the realisation of risks. Contingency planning is an important
element of corrective control as it is the means by which
organisations plan for business continuity/recovery after events
which they could not control.
• Directive controls – these controls are designed to ensure that a
specific outcome is achieved. They are particularly important when
it is critical that an undesirable event is avoided – typically
associated with Health and Safety or security. An example of this
type of control would be a requirement that protective clothing be
worn when performing dangerous duties.
• Detective controls – these controls are designed to identify
occasions of undesirable outcomes having been realised. Their
effect is, by definition, “after the event” so they are only
appropriate when it is possible to accept the loss or damage
incurred. Examples include stock/asset checks or transaction
reconciliations.
In designing controls, it is important that the control put in place is
proportional to the risk. Apart from the most extreme undesirable
outcome (such as loss of human life) it is normally sufficient to design
control to give a reasonable assurance of confining likely loss. Every
control action has an associated cost and it is important that the control
action offers value for money in relation to the risk that it is addressing.
Generally speaking the purpose of control is to constrain risk rather than
to eliminate it.
9. Partner Organisations
Whatever the detailed nature of the risk relationships the Agency has with
other organisations, each relationship will also give rise to a need for
assurance to be provided that risk is being managed in that relationship
both appropriately and as planned. Provision for obtaining that assurance
is an integral part of the relationship.
It is therefore important that the Agency communicates with partners
about the way in which they are managing risk and our own approach.
This responsibility lies with all areas of the Agency. In particular, the
Governance Section provides support to our partners in areas of risk
management.
Risk registers are submitted by each of the Sub Regional Partnerships to
provide management information to their nominated Director. Support
will be provided to further enhance the quality of the registers submitted
and ensure that a complete picture is presented of the issues affecting the
organisation on a quarterly basis.
The Agency has a number of dependencies on partners and third parties,
and the extent of these dependencies varies. A particular potential problem
is in relation to high dependency relationships, e.g. the purchase of
bespoke software or the relationship with the SRPs. It is important that
the Agency ensures that appropriate communication of respective risk
priorities is achieved.
The sponsoring department for the Agency is the DTi. The risk priorities
of the DTi will impact on the priorities of the Agency. Regular and open
discussion of risk issues is critical to the overall effective delivery of
service.
10. A Risk Management Strategy suitable for the Agency?
We need to be sure that our risk management processes are effective,
continue to reflect best practice and meet the standards which are set by
HM Treasury. The Chief Executive Officer is also required to review the
effectiveness of risk management annually in the form of the Statement of
Internal Control, so we need to have processes in place which enable him
to do this.
Primary responsibility for reviewing the effectiveness of our risk
management process rests with the Governance Section in the
Performance Management Team. They monitor progress that teams are
making in developing risk management, and benchmark them against
best practice within the Agency and elsewhere. They will also look at
other ways of assessing our performance, including completing an annual
review of the strategy to assess it for effectiveness and completeness. As
part of this review, a consultation exercise with key people involved in the
risk process will be performed, as was done in the production of this
Strategy.
Internal Audit (currently KPMG) have a key role to play in defining the
effectiveness of risk management. This is reflected in the standards for
Internal Audit laid down by HM Treasury, which state that “the work of
Internal Audit primarily provides an independent and objective opinion to
the Accounting Officer on risk management, control and governance.”
KPMG’s annual review of the Agency’s risk management arrangements in
2006/2007 found that the Agency has a well developed and embedded
risk management process. The Agency also performed well against other
Government Departments and RDAs in a benchmarking exercise using the
Treasury’s Risk Management Framework.
As part of their annual audit of the accounts, the National Audit Office will
be specifically reviewing our risk management arrangements to check that
they are effective and meet the standard laid down by the Treasury.
11. Project Risk Management
The Agency currently appraises and assesses the risks to projects. The
aims are to eliminate the unexpected, by thinking about all the things that
might happen to deflect a project from its aims and objectives. Risks are
not only considered during initial appraisal but also as part of the ongoing
project life cycle. The Agency continues to build upon its past experiences
to refine and improve the identification of project risks.
Risk management should also be built into the overall project
management process. It is a key project management tool that the
Project Manager or Delivery Manager can employ. A risk register should
be included as part of the project management documentation and be
updated on a regular basis. This would include updating upon receipt of a
claim or after a verification visit has been carried out. Risk registers for
projects are recorded and visible on the Programme Management System
(PMS).
It is common in project management to have both a risk register and an
issues log. Issues are not the same as risks. An issue is something that
is happening now and is jeopardising the delivery of one or more of a
project’s objectives. It may stem from a risk that has already been
identified but not sufficiently mitigated, or it may be the result of
something totally unforeseen. Risks may become issues if they are not
addressed soon enough.
Risks are potential events that you can try to manage in order to
prevent them from happening or to reduce the effect if they do happen.
Issues need managing in the same way as risks - projects should have a
Risk Register and an Issues Log.
The guidance in this risk strategy also applies to the management of
issues. The one significant difference is that issues do not have to be
assessed for probability – they are already happening!
There is further guidance on Project Risk Management in the Project
Handling Framework and the Business Case Completion Guidance. The
Thematic Expertise Directory (TED), a directory of contacts within the
Agency who can offer specialist advice, also contains details of contacts
who will assist with risk management and recording.
Appendix 1 Risk Management – Roles and Responsibilities
Chief Executive Officer – Has formal responsibility (evidenced in the
Statement of Internal Control) for maintaining a sound system of internal
control which manages the key risks to the achievement of the Agency’s
policies, aims and objectives. He is also responsible for reviewing the
effectiveness of internal control and risk management. As Head of the
Agency the CEO has a key role to play in promoting and supporting the
risk management strategy.
Chairman – Involved in the periodic review of the effectiveness of the
measures taken to manage the significant directorate risks.
The Board – Board members support the Chair in reviewing risk
management effectiveness.
Audit Committee – The Audit Committee will examine the evidence
provided to it by the Directors, NAO, Internal Audit and Governance
Section and ensure that it is sufficient to demonstrate that the Agency is
actively managing its risk. It will provide this independent assurance to
the Board. It will provide feedback to the Directors on progress.
Directors’ Team – The Directors’ Team is the main forum for reviewing
the strategic directorate risks. Team members will take personal
responsibility for these risks and collectively will review the effectiveness
of the counter measures at the quarterly risk stock takes.
Heads of Team – The support and co-ordination of Heads of Team is
crucial to the successful implementation of risk management across the
Agency. They are responsible for ensuring the risk management
arrangements within their area meet the required standard. HoTs are
responsible for ensuring that risks to the achievement of their objectives
are identified, managed and included in performance reports. HoTs are
responsible for reporting the Directorate risks to the Governance Section
so that they can be reflected in the Significant Directorate Risk report to
the Directors.
Teams across the Agency – Identification of the key risks facing the
Agency hinges on teams across the Agency regularly taking stock of the
risks which they face, and including details of their significant risks in
regular performance reports.
Internal Audit – Plays a key role in providing the CEO with an independent
assessment of the effectiveness of the Agency’s risk management and
control framework. This source of independent assurance is a
fundamental part of the evidence which the CEO uses to discharge his
accountability for reviewing the effectiveness of internal control and risk
management.
Project/Delivery Managers – Play a role in ensuring that the risks and
issues faced by their project are being actively managed and are reported
through the correct channels. Any significant risk or issue should be
highlighted to the relevant authority immediately.
Partners – Have a responsibility to ensure that they manage risks in an
appropriate manner and, where there is a direct impact on the Agency,
this must be reported to the relevant Agency personnel. Similarly, if the
Agency identifies a risk to a partner or third party, this should be
communicated and managed through the relevant Agency channels.
Individuals – All Agency staff members are responsible for bringing to
the attention of the relevant person key areas of concern. All individuals
should be involved in the risk identification and management process.
Risk management is a collective effort.