RISK MANAGEMENT

Contents:

Scope

Key Points

Background

Role of the Departmental Management Boards

Classification of Risks

Risk Evaluation

Risk Toleration Level

Response to Risk

Ownership of Risk

Controls

Risk Assessment / Control Evaluation Exercise

Review and Assurance

Corporate Risks

Risk Register

Embedding the Process

Assurance for the DMBs

Annex 1: Roles and Responsibilities

Annex 2: Self Assessment Guide

Annex 3: Categories of Risk

Annex 4: Proforma Risk Register


Scope

1. This section gives guidance on risk management and the steps that need to be followed in order to identify and manage key business risks. The guidance is aimed specifically at Departments of the Scottish Executive. However, Scottish Executive Agencies, associated Departments and other bodies subject to the requirements of the Scottish Public Finance Manual (SPFM), including bodies sponsored by the Scottish Executive, should ensure that procedures consistent with the guidance are put in place.


Key Points

2. Risk management should be closely linked to the business planning process. There should also be a link between risk management, business planning and plans for business continuity.

3. A risk needs to threaten the achievement of the Department's business plan to justify inclusion in the departmental risk register.

4. One of the key elements of internal control will be ensuring that Ministers have adequate advice on risk when reaching policy decisions.

5. With a constantly changing business environment and evolving ministerial priorities, the risks the Executive faces change over time and need to be reviewed regularly.

6. Departmental risk registers should only contain risks that the Department is in a position to manage and control or to minimise the impact on the Department should the risks materialise. Any risks of a corporate nature identified by Departmental Management Boards should be notified to Finance: Standards and Guidance.

7. Departmental Management Boards should ensure that risk assessment is embedded into the corporate and performance management, business planning and financial reporting processes and not carried out as an isolated exercise. In order to fully embed risk management, risk registers should be prepared at least down to division level and in many cases to branch and project level, depending on the nature of the business and the risks involved.


Background

8. In September 1999 the Institute of Chartered Accountants in England and Wales published the report of the Turnbull Committee, "Internal Control: Guidance for Directors on the Combined Code". This extended the requirement to provide a statement in respect of financial controls to cover all controls, including financial, operational, compliance and the management of risk. In line with the principle that best practice in the private sector should be reflected in the public sector, consideration was given to how the provisions of the Turnbull report should be implemented. This guidance concerns the steps that need to be followed in order to identify and manage key risks to the achievement of the Scottish Executive's business objectives. Risk management should therefore be closely linked to the business planning process. There should also be a link between risk management, business planning and plans for business continuity.

9. Further guidance can be found on the Risk Management Site on the Intranet which provides access to all the relevant up-to-date information on risk management in the Scottish Executive and links to other useful internal and external sites.


Role of the Departmental Management Boards

10. Annex 1 sets out the roles and responsibilities with regard to risk management in Scottish Executive Departments and the timetable for the management of risk by DMBs / Management Group. As part of their responsibility for internal control, and as part of an effective business planning process, Departmental Management Boards (DMBs) should meet at least quarterly to review the key business risks associated with achievement of the Departments' strategic objectives. It is for DMBs to judge the impact of all potential key risks (not only financial risks) and to consider how they should be managed. Due to the diversity of the Scottish Executive, DMBs have adopted their own approaches, but to assist in the process and bring together developing good practice, a Self-Assessment Guide is provided at Annex 2.

11. Prior to the risk meetings, each DMB member should, after appropriate consultation with their senior staff, submit a list of the key risks which threaten achievement of their Department's strategic objectives. For that purpose, reference to the different categories of risk listed in paragraph 13 below may be helpful. These are further broken down in Annex 3, which may help in the identification of key risks. Through a process of corporate evaluation of the listed risks, each DMB should aim to arrive at an overall list (grouped as appropriate) of the key risks confronting their Department. If possible this should be restricted to no more than about 10-15 risks. A risk needs to threaten the achievement of the Department's business plan to justify inclusion in the departmental risk register.

12. The 5 main objectives of the risk meeting should be to:

  • discuss, evaluate and agree the list of key business risks which might affect the ability to deliver departmental objectives and targets;
  • assess existing controls (these are the measures in place to reduce or limit risk);
  • determine the appropriate response to each risk;
  • allocate responsibility for managing each risk; and
  • agree future review procedures.


Classification of Risks

13. Risks arise from possible threats to the Department's ability to achieve its objectives, and failure to take advantage of opportunities. Risk can be either external (e.g. changes in economic or political circumstances or the actions of organisations which the Department sponsors) or internal (e.g. failure of systems or the actions of staff). Management must also remain continually watchful for new or developing risks. There are various ways to categorise risk, and some may well fall into more than one category, but the following might serve as a guide:

External risks - events or actions which could interfere with the Executive meeting its objectives.
Operational / organisational risks - events or actions which could disrupt our ability to provide a service or which could result in the Executive acting in a way contrary to its objectives.
Financial risks - events and actions which lead to increased expenditure (e.g. claims for compensation), nugatory spending (e.g. the cost of a failed project), or a failure to maximise income.
Reputational risks - events or actions which could cause embarrassment to Ministers, senior management or the Executive in general.


Risk Evaluation

14. Taking each of the risks in turn, DMBs should discuss and rate them high/medium/low in terms of likelihood and impact. DMBs might find the table below helpful for the purposes of quantifying the likelihood of occurrence and the impact of each risk, which should then be placed in the appropriate cell:

                             LIKELIHOOD
                  Low 1      2       3       4     High 5
  I   High 5   |        |       |       |       |        |
  M        4   |        |       |       |       |        |
  P        3   |        |       |       |       |        |
  A        2   |        |       |       |       |        |
  C   Low  1   |        |       |       |       |        |
  T

Likelihood is scored across the top from 1 (Low) to 5 (High) and impact down the side from 1 (Low) to 5 (High); each risk is placed in the cell matching its two scores. In the original table the cells are grouped into three rating bands labelled High, Medium and Low.


Risk Toleration Level

15. The response to each risk will determine the amount of risk the DMB is prepared to accept before action (or further action) is deemed necessary to manage the risk. The framework is designed to encourage the identification and management of key risks through a systematic approach.


Response to Risk

16. Once the key risks have been identified and assessed, DMBs should consider how to manage them to complete this aspect of internal control. Consideration should be given to new risks resulting from changed business objectives. Response to risk can be to:

  • tolerate it - because there is no cost effective control and the risk can be adequately monitored;
  • transfer it - to another party, e.g. by contracting out;
  • terminate it - by closing down the activity; or
  • treat it - by taking appropriate action to manage the risk through the introduction of appropriate controls.

17. The response in any particular case will depend on the nature and impact of the risk and the extent to which the risk can be managed.


Ownership of Risk

18. Once the key risks and responses have been identified, it is important that the DMB agrees where the responsibility lies for managing each risk. In most cases, it will be readily apparent which business area is responsible for a particular risk but it is essential that an individual at an appropriate level is designated as being the owner of the risk. Some risks, however, especially those that cut across organisational boundaries, will need particular consideration and agreement with the relevant parties. (Risks of a corporate nature identified by the DMB should be notified to Finance: Accountability Policy and Guidance.) DMBs should also seek to promote a management environment in which all staff participate in the identification, notification and management of business risks. Risk management should be embedded throughout Departments at all appropriate levels.


Controls

19. Controls relate to procedures that help to ensure management objectives and policies are carried out. They ensure that risks which may inhibit the achievement of objectives are kept to a minimum. Controls include measures ranging from approval and authorisation procedures to performance reviews and segregation of duties.

20. Controls fall into 4 categories and can be defined as follows:

Directive - designed to ensure that a particular outcome is achieved.
Preventive - designed to limit the possibility of an undesirable outcome being realised.
Detective - designed to identify occasions when undesirable outcomes are realised.
Corrective - designed to correct undesirable outcomes which have been realised.

21. One of the key elements of internal control will be ensuring that Ministers have adequate advice on risk when reaching policy decisions. In some instances, where risk is highly relevant to a decision, this will include the Accountable Officer being in a position to personally advise Ministers as to how risk impacts on the responsibilities of the Accountable Officer. Detailed guidance is available within Tools for Policy Making on the Intranet under "Risk Identification".

22. DMBs should ensure that controls are proportional to the risk. For the most part, they should, for example, be designed to give a reasonable assurance of confining likely loss to the toleration levels agreed by the DMB. Control actions have associated costs and it is important that they offer value for money in relation to the risks being controlled and are mainly designed to contain risk rather than obviate it.


Risk Assessment / Control Evaluation Exercise

23. DMBs may find it helpful to use the pro forma risk register at Annex 4. This would enable the DMB (or its Secretariat) to record its consideration of each risk and the agreed response, and would also serve as an action plan to be reviewed and updated at regular intervals.


Review and Assurance

24. Departmental Audit Committees (DACs) have a responsibility for monitoring risk management arrangements in Departments - see the section of the SPFM on Audit Committees. Amongst other functions, they monitor the work of Audit Services (internal audit), which provides independent assurance to senior management about the adequacy of the Department's internal control systems. This is achieved through a programme of audit assignments and regular reports to management.

25. DMBs will wish to bear in mind these responsibilities in determining the risk management arrangements that should be adopted for their Department. With a constantly changing business environment and evolving ministerial priorities, the risks the Executive faces change over time and need to be reviewed regularly. A regular review of risks and controls carried out by the DMB in a structured fashion should therefore avoid critical comment from Audit Scotland as part of their annual review.


Corporate Risks

26. The corporate objectives sit alongside the Executive's priorities, and the Scottish Executive's corporate risks are identified through discussion with and between Management Group (MG). The process is facilitated by the Corporate Issues Sub-Group. Risks are assessed in terms of their impact and likelihood, then evaluated in terms of the adequacy of the current mitigating control arrangements, and are owned corporately by MG. Departmental risk registers are the appropriate place for listing and analysing operational risks; the Corporate Risk Register therefore does not drill down to Departmental business. Likewise, Departmental risk registers should only contain risks that the Department is in a position to manage and control, or whose impact on the Department it can minimise should the risks materialise. MG receive assurance via regular reports that processes are in place to enable Departments to deliver their objectives. Any risks of a corporate nature identified by DMBs should be notified to Finance: Accountability Policy and Guidance.


Risk Register

27. Following the risk meeting, the risk register should be completed. At this point, it may be sensible to circulate it to other relevant members of the DMB who did not attend the meeting. They should be able to provide further confirmation that the understanding of the risks and controls within the Department is accurate.

28. A final version of the register should be circulated to all members of the DMB so that they are aware of the risk management policy and the controls in place to limit exposure to risk.


Embedding the Process

29. DMBs should ensure that risk assessment is embedded into the corporate and performance management, business planning and financial reporting processes and not carried out as an isolated exercise. DMBs' approach to internal control should be based on the underlying principle of line management's accountability for risk management and internal control. Risk registers should also support the assurances given by/to Accountable Officers in relation to the signing of Statements on Internal Control.

30. DMBs and DACs should agree a timetable for continuing review of the risk register, and other sources of assurance, bearing in mind that the key risks faced by the Scottish Executive may change and that the adequacy of the internal control system requires regular re-assessment.

31. The "top down" approach to risk management in the Scottish Executive acknowledges that day to day control rests with Management Group and the Departmental Management Boards. However, in order to fully embed risk management, risk registers should be prepared at least down to division level and in many cases to branch and project level, depending on the nature of the business and the risks involved. That should result in risk management becoming a two-way process, with views on risk from the lower levels being communicated up the line.


Assurance for the DMBs

32. The possible sources of assurance that DMBs might use are:

  • Board / Committee review of the risk management process;
  • review of the risk register;
  • performance and risk indicators;
  • views of line management and key staff;
  • independent monitoring activities; and
  • audit.


Page Published/ Updated on: October 2004

Page updated: Saturday, May 14, 2005