LG (2011) Paper November 2011 LEADERSHIP GROUP RISK MANAGEMENT ARRANGEMENTS. Executive summary

Transcription

1 LG (2011) Paper November 2011 LEADERSHIP GROUP RISK MANAGEMENT ARRANGEMENTS Executive summary Issues 1. This paper sets out proposals to implement new strategic risk management arrangements for the Scottish Parliamentary Service that meet with recommended best practice and are relevant to, and consistent with, the SPS Strategic Plan The Leadership Group is invited to consider the risk management arrangements proposed, offer comment and feedback and indicate their agreement with the suggested way forward. 3. Following the Central Corporate Support Function Review, Internal Audit was assigned responsibility for risk management arrangements. This role was inherited from the Strategy and Change Management Office (SCMO) and reports to Stewart Gilfillan, Assistant Clerk/Chief Executive, who leads on strategic risk on behalf of LG. 4. On assuming responsibility for risk management, the Head of Internal Audit appointed PricewaterhouseCoopers (PwC) in the summer of 2011 to review the existing risk arrangements and comment on the status of the controls/mitigating actions within the existing SPS Strategic Risk Register. The purpose of the review was to ascertain the extent to which existing risk management arrangements meet with generally accepted good practice and also to determine whether existing risks and control arrangements were valid and relevant. This work was completed (and resourced) as part of the existing contract with PwC to support the Head of Internal Audit. 5. A copy of PwC s report following the review of existing risk management arrangements is attached at Annex A. The recommendations within the report were accepted by Internal Audit and endorsed by the Advisory Audit Board in August Key recommendations include the need to improve arrangements for scoring risks (in terms of likelihood and impact), giving prominence to higher risks, identification and escalation of risks and management review of risks. 6. A copy of the existing risk register, including PwC s assessment of the status of the controls/mitigating actions is attached at Annex B. It was confirmed that the existing risk register is relevant and fit for purpose however it was noted that the risk register had not been subject to detailed review and scrutiny for a number of months due to other commitments, principally the Change Management Programme. Furthermore it was noted that, whilst the review of controls/mitigating 1

2 LG (2011) Paper November 2011 actions found that all but two have been or are being addressed, the existing Strategic Risk Register is not consistent with the SPS Strategic Plan and the organisational structure of the SPS following the Change Management Programme. 7. In order to take forward the recommendations of PwC s report and to ensure that the risk register is relevant to the current strategic plans and structures of the business, the following approach is proposed to enhance risk management arrangements: High level Strategic Risks will be identified both by way of the work currently being led by Stewart Gilfillan, supported by SCMO, to develop Key Performance Indicators which are will be linked to the means, plans and strategies within the current SPS Strategic Plan, and by posing the key big questions which the organisation should be asking itself. Stewart Gilfillan and Andy Munro will facilitate a workshop, involving the strategic planning sub-group of LG, to pose those questions. The outcomes of that exercise will be reported to the wider LG for consideration. Group/Office Plans for 2012/13, the process and format for which is currently being worked up by SCMO, will require each office, as part of the planning process, to identify and record the key operational risks that will act as barriers to the successful delivery of plans and the achievement of objectives. Further reviews of the Strategic Portfolio and the Procurement Office work plan will be undertaken by the Head of Internal Audit to capture strategic and/or operational risks that may not be covered by the Strategic Plan and/or Group and Office plans. A proposal to include risk identification as a standing item in SPCB and Leadership Group papers (as part of the existing Governance section of the existing template) will be prepared for Leadership Group consideration and approval in the first instance. All identified risks (strategic, operational and project risks) will be collated into an organisation risk register. Head of Internal Audit will facilitate a short exercise for leaders to agree the scoring of individual risks (in terms of likelihood and impact) identified. Some assistance may be sought from PwC to facilitate this. This will be funded from the existing internal audit budget for internal audit support. A high level (or corporate) risk register will be prepared which includes those risks within the organisation that with have the highest risk score. A threshold or (cut-off point) for high level risks will be proposed and subject to LG approval. 2

3 LG (2011) Paper November 2011 All risks will be reviewed quarterly by way of discussion between risk facilitators (Head of Internal Audit, supported by SPCB Secretariat and BCM Manager where appropriate) and those officers with designated responsibility for managing the risks identified. Any changes to the risk scores that result from this review will be subject to approval by the Leadership Group. Particular attention will be drawn to risks that, as a result of a high assessed score, appear on the high level corporate risk register or, as a result of a lower score, are removed from the high level corporate risk register. Resource Implications 8. Resource implications for groups and offices will include identifying and recording risks and mitigating actions whilst preparing office plans and strategic KPI s and participating in quarterly meetings to assess review risks. The preparation and review of the risk register will be managed by the Head of Internal Audit supported by the SPCB Secretariat and the Business Continuity Manager where relevant and required. The exercise to score individual risks, if facilitated by PwC, will be funded from the existing internal audit contractor budget. Dependencies 9. This proposal is dependent on all leaders, groups and offices. Risks should be identified by each individual business area whilst considering the barriers and obstacles that will deter the achievement of strategies, objectives and plans. The role of internal audit in respect of risk is to: Facilitate risk management arrangements by the preparation and quarterly review of the risk register (using risks identified by business areas); Scrutinise and challenge risks, risk scores and controls/mitigating actions as part of the quarterly review; Ensure that new risks are considered as part of key SPCB and SPS decisions; and Act as an independent challenge function to the controls proposed by leaders to mitigate risks by way of detailed internal audit reviews as part of the annual internal audit plan. 10. Much of the work to identify risks will be done as part of group and office planning exercises and it is likely that this is currently being done albeit is not specifically recorded as risk. Governance issues 11. The identification and management of risk is widely recognised as a cornerstone of good governance and contributes significantly to strategic planning and the achievement of strategic objectives. To 3

4 LG (2011) Paper November 2011 enable this, Stewart Gilfillan will take a lead at a strategic level, supported by the Head of Internal Audit. Leadership Group will have overall responsibility for the effective management of risk. An Equalities Impact Assessment has not been considered necessary at this stage. Health and Safety, environmental and legal issues risks will be considered in risk registers. Publication Scheme 12. This paper may be published in line with existing policy. Next steps 13. To take forward the proposed enhanced arrangements for 2012/13, the following actions are required: Decision Head of Internal Audit to liaise with Stewart Gilfillan and SCMO to assist in the development of strategic risks identified by the current exercise to prepare the key performance indicators which flow from the SPS Strategic Plan ; The process and format of Group/Office Plans for 2012/13 to be agreed (paper to LG on 19 December to seek approval on proposals) and expected to include a section which identifies operational risks, linked to objectives and strategies within the plans; and Head of Internal Audit to propose a methodology for incorporating the identification of risk within future SPCB and LG papers. 14. The Leadership Group is invited to comment and provide feedback on the proposals for new risk management arrangements for the SPS. Andrew Munro HEAD OF INTERNAL AUDIT November

5 LG (2011) Paper November 2011 ANNEX A SCOTTISH PARLIAMENTARY CORPORATE BODY ADVISORY AUDIT BOARD 18 AUGUST 2011 AAB(AUG11)08 FOR APPROVAL SCOTTISH PARLIAMENTARY CORPORATE BODY INTERNAL AUDIT 2010/2011 Review of the Strategic Risk Register Draft Report August 2011 Distribution (in draft): Andy Munro Tommy Lynch Final Distribution Advisory Audit Board Leadership Group SPCB Internal Audit

6 LG (2011) Paper November 2011 ANNEX A CONTENTS Page Number Section 1 Executive Summary 1.1 Introduction Scope and Objectives of the Audit Audit Approach Conclusion Action Plan Summary Grading of Report 3 Section 2 Detailed Findings and Recommendations 2.1 Risk Appetite Risk Identification Links with Strategy Managing risks Monitoring risks 7 Section 3 Management Action Plan 8-11 SPCB Internal Audit

7 LG (2011) Paper November 2011 ANNEX A Section 1 Executive Summary 1.1 Introduction In accordance with the SPCB s Internal Audit Plan for 2010/2011, a review of the Strategic Risk Register has been performed. The overall aim of the review is to provide assurance to the Principal Accountable Officer and the SPCB, via the Advisory Audit Board, that controls are in place for the management of the Strategic Risk Register and that these are operating effectively; thereby ensuring risk is maintained at an acceptable level Responsibility for promoting and facilitating risk management across the Scottish Parliamentary Service has recently transferred from the Strategy and Change Management Office to the Head of Internal Audit In order to ascertain the status of exiting arrangements and to establish a baseline for the development of risk management going forward, this review has been prepared independently by PricewaterhouseCoopers at the request of the SPCB s Head of Internal Audit. This review has been undertaken using a variety of best practice guidelines, including HM Treasury s The Orange Book, Management of Risk - Principles and Concepts. 1.2 Scope and Objectives of the Audit The overall scope of this audit is to review and assess the risk management arrangements in place for the SPCB, specifically the role and effectiveness of the strategic risk register which was prepared to complement the Strategic Plan. Five key areas have been considered in assessing the effectiveness of risk management arrangements: 1. Risk Appetite clearly defined risk tolerance level and the level of acceptable risk within the organisation; 2. Risk Identification a clear framework is in place to identify potential risks both at strategic and operational levels; 3. Links with Strategy risk management arrangements should be embedded in the organisation and reflected in the organisation s overall strategy; 4. Managing risks once risks are identified a clear process for managing these risks should be identified; and 5. Monitoring risks risks and actions designed to mitigate risks should be monitored and reported on a regular basis In addition to the five key areas identified above, this review also sought assurance that the mitigating actions currently in place remain relevant, valid and effective. SPCB Internal Audit 1

8 LG (2011) Paper November 2011 ANNEX A Section 1 Executive Summary (Continued) 1.3 Audit Approach The October 2010 and the (updated) May 2011 strategic risk registers were obtained and reviewed. The approach to risk management and the creation and the role of the risk register was discussed in detail with the Strategy and Change Management Office. Each of the specific objectives noted in was reviewed within testing. A number of mitigating actions were also selected and evidence was sought from relevant offices for assurance that the actions remained relevant, valid and effective. 1.4 Conclusion This review has highlighted a number of areas for developing of risk management arrangements and the strategic risk register. These are detailed in Section 2 of this report. The conclusions in respect of the specific objectives of this review are as follows: Risk Appetite The existing strategic risk register does not clearly define risk tolerance and the level of acceptable risk. Good practice recommends that risk appetite is defined to ensure a consistent approach across the organisation Within the Strategic Risk Register, risks are scored from 1 to 5 for likelihood and impact to give an overall score out of 25. However each score, or combination of scores, has not been clearly defined It was noted that identified risks are not prioritised on a consistent basis. Higher scoring risks should be given clearer prominence and priority than lower scoring risks. Risk Identification Business continuity arrangements and the awareness of risk in the organisation were found to be strong in a number of offices. However, in other areas there is uncertainty over the purpose of the risk register and responsibility for identifying risk and associated mitigating actions. In future, it is recommended that the Leadership Group review strategic risk register on a regular (quarterly) basis to ensure new risks are added, that existing risks are considered and managed and that actions required to mitigate risks are assigned and taken appropriately. Links with Strategy There were clear linkages to the Strategic Risk Register and it was advised that these will be maintained following the publication of the new Strategic Plan. SPCB Internal Audit 2

9 LG (2011) Paper November 2011 ANNEX A Managing Risks Following recent organisational changes, the owners of a number of mitigating actions are no longer relevant. The Leadership Group will be required to consider these risks and to reassign responsibility for mitigating actions where appropriate. Monitoring risks The Strategic Risk Register has not been reviewed on a quarterly basis. Reviewing risks on a regular basis ensures that risk management remains a key focus for leaders A number of recommendations to address the matters arising from these conclusions have been made in section 2 of this report and are summarised in the management action plan at section Action Plan Summary The action plan detailed in Section 3 provides recommendations and actions agreed by management. Each action has been allocated a Risk Priority to determine the level of risk attached to the findings and the date for the action to be taken by has been agreed. The Risk Priorities are as follows: A B C Significant control weaknesses which may lead to major financial, reputational, or operational risk to the organisation. This weakness should be resolved as a matter of priority. Control weakness may lead to moderate financial, reputational or operational risk to the organisation. This weakness should be resolved as a matter of course. The action point will resolve a minor control weakness and reduce risk to the organisation. 1.6 Grading of Report Internal Audit reports are presented to the Audit Advisory Board and are graded 1 to 5, with 1 being low priority for attention and 5 being high priority for attention. The grading is the view of the Head of Internal Audit and records the overall opinion of the findings The grading for the review of the reimbursement of the Strategic Risk Register is grade 3. SPCB Internal Audit 3

10 LG (2011) Paper November 2011 ANNEX A Section 2 Detailed Findings and Recommendations 2.1 Risk Appetite Risk appetite can be defined as, the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time 1. Good practice suggests that a well developed risk management framework will include a defined risk tolerance level and the associated level of risk deemed acceptable by an organisation Organisations with insufficient guidance on the levels of risk that are legitimate for them to take, or not seizing important opportunities due to a perception that taking on additional risk is discouraged, may not maximise performance and business opportunities may not be taken. At the other end of the scale, an organisation constantly erring on the side of caution (or one that has a risk averse culture) is one that is likely to stifle creativity and is not necessarily encouraging innovation, nor seeking or exploiting opportunities The Scottish Parliamentary Service s Strategic Risk Register currently does not define the organisation s risk appetite, its tolerance or its associated level of acceptable risk. Recommendation An overall risk tolerance should be identified along with specific reference to likelihood and impact on a risk by risk basis Recommended practice requires that: risk registers define strategic risk in comparison with operational or programme risks; and risks are measured on 5x5 scale for likelihood and impact of the risk being realised. The combined score should then be used to prioritise risks The SPS Strategic Risk Register scores risks from 1 to 5 for likelihood and impact to give an overall score out of 25. However, there are no clear definitions of each score (or combination of scores) and no definition of how these are addressed and considered by the SPS. Recommendation 11 The Orange Book Management of Risk - Principles and Concepts HM Treasury October 2004 SPCB Internal Audit 4

11 LG (2011) Paper November 2011 ANNEX A Clear definitions of the risk scoring criteria should be applied to enable more meaningful scoring of risks and to create a more consistent basis for assessing risk across the organisation. SPCB Internal Audit 5

12 LG (2011) Paper November 2011 ANNEX A Section 2 Detailed Findings and Recommendations (Continued) 2.1 Risk Appetite (continued) From the review of the SPS Risk Register, it was noted that identified risks are not prioritised based on the degree of risk that is attached to each. Higher scoring risks should be given greater prominence and priority than lower scoring risks. Recommendation A process should be developed to give higher prominence and priority to those risks with the greatest impact and likelihood of occurring. 2.2 Risk Identification Well developed risk management frameworks include arrangements to identify potential risks both at a strategic and an operational level. For example risks that are identified at project or programme level, the Senior Responsible Officer (SRO) may propose that a risk be elevated for consideration for inclusion in the strategic risk register The SPCB routinely considers risk and prepares risk registers for programmes and projects, including procurement projects. However there is no clear and consistent mechanism for escalating significant operational, programme or project risks to the strategic risk register. Recommendation A process for including risks on the strategic risk register should be established and communicated to senior staff to ensure that all potential key strategic risks are identified and escalated accordingly Business continuity arrangements and awareness of risk in the organisation were found to be strong in a number of offices. However, in other areas there was uncertainty about the role of the risk register, those responsible for identifying risks and proposing mitigating actions, and the relevance of inclusions within the strategic risk register. SPCB Internal Audit 6

13 LG (2011) Paper November 2011 ANNEX A Recommendation The process for including or amending risks included on the register should be formalised and arrangements should be agreed with the Leadership Group and Office Heads. This process should be designed to ensure an appropriate awareness of: risk in the organisation; how to identify risk; and managing and mitigating risks timeously. 2.3 Links with Strategy Well developed risk management frameworks include risk management arrangements that are embedded in the organisation and reflected in the organisation s overall strategy. Organisational risk may be defined as the risk to an organisation of not achieving its strategic objectives. Accordingly, strategic risks should be clearly linked to organisational and strategic objectives All risks per the SPCB strategic risk register were found to have clear and direct links to the strategic risk register. It was advised that an updated strategic risk plan for the SPCB is currently under review and will be published in due course. Recommendation Any updates to the SPCB s Strategic Plan should be reflected in the Strategic Risk Register. 2.4 Managing Risks Risks identified should include, as a minimum, a clear process for managing and taking ownership of risks. Managing risks requires mitigating action/(s) to be set and ownership of that action should be assigned to an appropriate official with a real timescale to be set for the agreed action to be taken Following recent organisational changes, the owners of a number of mitigating actions are posts which have changed or are no longer in place.. Recommendation The Leadership Group should review actions assigned to owners which are out of date and the correct responsible officer for the mitigating action should be nominated. SPCB Internal Audit 7

14 LG (2011) Paper November 2011 ANNEX A Section 2 Detailed Findings and Recommendations (Continued) 2.5 Monitoring Risks A risk management framework should ensure that risks and mitigating actions identified are monitored, reviewed and reported at an appropriate level within the organisation The SPCB Strategic Risk Register has been reviewed by the Leadership Group, Advisory Audit Board and SPCB previously however the various reviews have not been consistent or frequent. Reviewing risks on a regular basis helps to ensure that risks which are no longer applicable are removed from the risk register and ensures that risks continue to be assessed and prioritised accordingly. Recommendation Risks should be reviewed on an agreed regular basis by The Leadership Group, the AAB and the SPCB to ensure awareness of all relevant risks and the appropriate risk rating of each. SPCB Internal Audit 8

15 Risk Appetite Section 3 Management Action Plan Ref. Recommendation Risk Priority Management Comment and Action Agreed Responsible Officer and Agreed Completion Date 2.1 An overall risk tolerance should be identified along with specific reference to likelihood and impact on a risk by risk basis. C Agreed. The risk register will be refreshed in terms of format and content following the roll out of the updated SPCB Strategic Plan in The refreshed risk register will incorporate techniques for assessing risk appetite. Head of Internal Audit December 2011 Clear definitions of the risk scoring criteria should be applied to enable more meaningful scoring of risks and to create a more consistent basis for assessing risk across the organisation. C Agreed. Definitions of the degrees of likelihood and impact will be incorporated in the refreshed risk register. Head of Internal Audit December 2011 A process should be developed to give higher prominence and priority to those risks with the greatest impact and likelihood of occurring. C Agreed. The refreshed risk register format will include a mechanism to highlight risks that have changed (in terms of likelihood and impact). Higher risks will be given greater prominence in the updated format. Head of Internal Audit December 2011 SPCB Internal Audit 9

16 Risk Identification Section 3 Management Action Plan Ref. Recommendation Risk Priority Management Comment and Action Agreed Responsible Officer and Agreed Completion Date 2.2 A process for including risks on the strategic risk register should be established and communicated to senior staff to ensure that all potential key strategic risks are identified and escalated accordingly C Agreed. New risk management arrangements will require the Head of Internal Audit, assisted by the Chief Executive s Office, to meet regularly assess risks with Office Heads / risk owners to identify potential risks from operational, programme and project activities. Head of Internal Audit December 2011 The process for including or amending risks included on the register should be formalised and arrangements should be agreed with the Leadership Group and Office Heads. This process should be designed to ensure an appropriate awareness of: risk in the organisation; how to identify risk; and managing and mitigating risks timeously C Agreed. New risk management arrangements will require the Head of Internal Audit, assisted by the Chief Executive s Office, to meet regularly assess risks with Office Heads / risk owners. Head of Internal Audit December 2011 SPCB Internal Audit 10

17 Managing Risks Links with Strategy Section 3 Management Action Plan Ref. Recommendation Risk Priority Management Comment and Action Agreed Responsible Officer and Agreed Completion Date 2.3 Any updates to the SPCB s Strategic Plan should be reflected in the Strategic Risk Register B Agreed. Refreshed risk register will flow directly from the strategic aims and objectives of the SPCB. The refreshed risk register will incorporate the risks to the SPCB of not achieving strategic objectives individually and collectively. Head of Internal Audit December The Leadership Group should review actions assigned to owners which are out of date and the correct responsible officer for the mitigating action should be nominated. B Agreed. A review of the existing risk register is complete and proposals for revisions to risk owners and timescales for action will be presented to The Leadership Group for approval. Head of Internal Audit December 2011 SPCB Internal Audit 11

18 Risk Identification Risks should be reviewed on an agreed regular basis by The Leadership Group, The AAB and the SPCB to ensure awareness of all relevant risks and the appropriate risk rating of each. B Agreed. The frequency of review of risk will be agreed with the SPCB, AAB and Leadership Group. Head of Internal Audit December SPCB Internal Audit 12

19 LG (2011) Paper November 2011 ANNEX B Scottish Parliamentary Service Strategic Risk Register Review November 2011 Interim Strategic

20 Who we are The Scottish Parliamentary Corporate Body (SPCB) was established by the Scotland Act Its main function is to provide the Scottish Parliament with the property, staff and services required for the Parliament's purposes. The staff of the Scottish Parliamentary Service (SPS) are employed by the SPCB to deliver its requirements. Our Aim Our aim is to excel as a parliamentary service, maintaining the highest standards for legislatures in the UK and internationally. We will be responsive to evolving needs of Members and public expectations of the Scottish Parliament. In doing so, we will always seek value for money. Our Delivery In seeking to meet this aim, our efforts are focussed on three key areas: (1) parliamentary business; (2) supporting Members; (3) public engagement. These efforts are underpinned by a fourth element organisational health which recognises that sustained success is built on a well-led, high quality workforce and robust systems. Our Values Integrity We demonstrate high standards of honesty and reliability. Impartiality We are fair and even-handed in dealing with Members, the public and one another. Professionalism We provide high-quality professional advice and support services focussed on meeting the needs of Members and the Parliament. In doing so we actively pursue value for money and encourage innovation. Equality We work together to embed principles of equality and diversity and promote a culture of openness and fairness in everything we do. 14

21 Our Approach to Risk This Strategic Risk Register is owned by the Parliament s Strategic Leadership Team (SLT). Designed to complement our Strategic Plan, the register sets out the primary risks to the successful delivery of the four key outcomes in the Strategic Plan and the actions we are taking to mitigate these risks. The content of the risk register has been agreed by the SLT and the Scottish Parliamentary Corporate Body (SPCB). It is reviewed on a quarterly basis by SLT and SPCB to ensure that it remains current, and that any new or developing risks are identified and prioritised. While this risk register sets out our main strategic risks, there are a number of other documents and mechanisms that contribute to effective risk management at all levels of the organisation. These include our Business Continuity Management (BCM) strategy, the Standing Financial Instructions (SFIs) and our local level (operational) plans. Risks associated with our strategic and operational portfolios are managed through separate project and programme monitoring arrangements. This monitoring is undertaken by our Strategic Portfolio Group (for strategic programmes) and Operational Portfolio Group (for major operational projects). Where a project or programme risk is considered significant enough to jeopardise the organisation s ability to deliver one of its key outcomes, it may be escalated to the main strategic risk register. Content of the Strategic Risk Register The risks identified in the register have been scored on a 5 x 5 scale, reflecting the likelihood of the risks being realised and the consequent impact this would have on the organisation s ability to achieve its key outcomes. The resulting score, out of 25, is used as an aid in prioritising the risks and the actions we take to mitigate them. In assessing the likely impact of the risks being realised, we have sought to take into account all relevant aspects of each risk. This includes reputational risk, the realisation of which could potentially undermine confidence in the Parliament. This in turn could restrict our ability to deliver high quality parliamentary services, maintain the trust of Members and promote public engagement with the parliamentary process. The Strategic Risk Register was reviewed in May A sample of 15 risks was selected, and the corresponding actions were reviewed through interviews with staff and testing of corroborating evidence where applicable. A summary of the status of the mitigating actions is set out below. 15

22 Status of Mitigating Actions Risk Area Risks Reviewed Mitigating Actions In operation Partially implemented Not implemented No longer applicable Parliamentary Business Supporting Members Engagement Organisational Health The findings of the review of the risk register are discussed in more detail below. 16

23 Glossary of Terms Headings: Headline Risk Ref (Reference) Risk cause L (Likelihood) I (Impact) Sc (Score) Owners Mitigating Action(s) Deadline/Review Terminology The four primary risks to the successful delivery of the key outcomes in the Strategic Plan. The alphanumeric reference we have allocated to each risk cause for identification and monitoring purposes. The main potential causes of the headline risks being realised. On a scale of 1 to 5, how likely it is that the risk cause will be realised and become an issue. On a scale of 1 to 5, the assessed impact of the realised risk on organisational ability to deliver key outcomes. The overall risk score, determined by multiplying the numbers in the Likelihood and Impact columns. The offices/groups responsible for the mitigating action. (Named owner = the head of the office/group.) The high level actions that have been identified to mitigate the risk. The deadline for completion (discrete actions) or frequency of review (recurrent or ongoing actions) Name Full title Definition AAB Advisory Audit Board A body responsible for advising the SPCB on accounting, audit and governance matters. BIT Business Information Technology The group responsible for the Parliament s IT infrastructure. CCP Corporate Change Programme Change programme undertaken around organisational strategy, risk and structures. FM Facilities Management The group responsible for maintaining the Parliament s buildings and facilities. KPI Key Performance Indicator High level performance measures being developed to complement the Strategic Plan. OMG Operational Management Group Group of functional heads who have operational responsibility for service delivery. PO Presiding Officer The Presiding Officer of the Parliament and chair of the SPCB. PPS Principal Private Secretary The main adviser to a senior official or politician (e.g. Presiding Officer). RIR Research, Information & Reporting The group responsible for parliamentary research, information and the Official Report. SDO Strategy and Development Office The office responsible for supporting organisational strategy and development SLT Strategic Leadership Team The most senior advisory group to the Clerk/Chief Executive. SPCB Scottish Parliamentary Corporate The group of elected Members, chaired by the Presiding Officer, with responsibility for Body providing the property, staff and services required for the Parliament s purposes. SPS Scottish Parliamentary Service The parliamentary staff employed by the SPCB to deliver its requirements. SRO Senior Responsible Owner The member of senior staff with overall responsibility for a programme or project. TUS Trade Union Side The collective term for the three trade unions officially recognised by the SPCB. 17

24 1. Parliamentary Business Headline Risk: Failure of Chamber and Committee business to take place as scheduled and be resilient to disruptions and threats Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 1C Unavailability of sound Testing prior to each meeting B casting & voting or Rigorous maintenance regime FM broadcasting Backup generators in place and fully tested FM Monthly equipment Mitigating Action Status at May 2011 Action Required Testing prior to each meeting In operation Rigorous maintenance regime In operation Backup generators in place and fully tested In operation Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 1D Lack of required facilities or accommodation Formal arrangements in place for use of alternative parliamentary accommodation as part of BCM FM Chamber Annually Mitigating Action Status at May 2011 Action Required Formal arrangements in place for use of alternative parliamentary accommodation as part of BCM Partially implemented: Memorandums of Understanding are in place with alternative chamber providers and agreements with two audio-visual companies are in place to provide broadcasting and voting equipment as required. However, a reliance on university accommodation means that an alternative chamber may not be available at certain times of year. A property services company has been engaged to perform a quarterly review of premises available to accommodate parliamentary staff if required. Work to identify appropriate parliamentary accommodation outside universities should continue and agreements with alternative providers should be formalized in order to ensure that alternatives are available throughout the year. 18

25 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 1F Absence of staff Attendance register developed and ready for use HR required to support meetings Business Continuity (BC) arrangements in place for key suppliers Response plans in place for small teams Procurement/ contract managers BC Coordinators Mitigating Action Status at May 2011 Action Required Attendance register developed and ready In operation for use Business Continuity (BC) arrangements in place for key suppliers Partially implemented: the Business Continuity Plans of key suppliers were confirmed before the May 2011 elections. No Business Continuity Plans were in place for the existing legal services contract or for outgoing mail services. Response plans in place for small teams In operation The impact of a disrupted outgoing mail service can be mitigated by increased use of and courier services. Existing legal services contracts expired in April BC arrangements should be agreed with the new supplier. 19

26 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 1H Unavailability of parliamentary business papers and publications Standards in place and regularly reviewed for Official Report, Business Bulletin, Parliamentary Minute and document supply RIR/ P mentary Business Team Annually Mitigating Action Status at May 2011 Action Required Standards in place and regularly reviewed for Official Report, Business Bulletin, Parliamentary Minute and document supply Partially implemented: business continuity plans surrounding document supply and printing are in operation. However, responsibility for the standards and review of parliamentary documents depends on the nature of that document. There is a lack of clarity over ownership of this risk cause. This risk cause should be reviewed to verify that this is a genuine and current risk to the achievement of the key outcomes in the strategic plan and that the mitigating action reflects current practice. Responsibility for this risk and the corresponding mitigating action should be agreed. 20

27 2. Supporting Members Headline Risk: Failure to provide the necessary facilities, technology and support services to enable Members to carry out their parliamentary and representative functions and their roles as employers Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 2B Required support not adequately provided for Members local Local office technical refresh and engagement work continuing to replace IT hardware and agree future support arrangements BIT offices Service levels in place for local office support BIT/FM Contingency plans in place to maintain network availability and access BIT Mitigating Action Status at May 2011 Action Required In operation Local office technical refresh and engagement work continuing to replace IT hardware and agree future support arrangements Annually Service levels in place for local office support Contingency plans in place to maintain network availability and access In operation In operation 21

28 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 2A Failure to identify or Customer Relationship Managers in place to lead on FM/BIT respond effectively to facilities/technology issues Members concerns SPCB portfolio arrangements in place to facilitate around service effective consultation Chief Exec provision and parliamentary services Consultation with MSPs around resource planning Chief Exec Nov 2010 Development of arrangements for future rolling SDO Mar 2011 surveys of Members Mitigating Action Status at May 2011 Action Required Customer Relationship Managers in place to lead on facilities/technology issues In operation SPCB portfolio arrangements in place to facilitate effective consultation Consultation with MSPs around resource planning and parliamentary services Development of arrangements for future rolling surveys of Members In operation Partially implemented. The Parliamentary Bureau advises on the parliamentary agenda and the quality of service provided. However, as below, no further consultation with Members in this area evident. Not implemented. No routine surveys of members and staff are in place. Further consideration of surveys of members and staff has been postponed until a new Strategic Plan has been agreed. Ensure that there is sufficient and regular consultation with MSPs about the quality and type of service offered by SPCB, and whether it meets their needs. Develop and conduct surveys of Members to aid SPCB in providing them with effective support. 22

29 3. Engagement Headline Risk: Failure to increase public awareness of the Parliament and engagement with the parliamentary process in Scotland Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 3B Engagement Language policy in place and regularly reviewed, Public Affairs Annually programme fails to taking account of demographic changes meet needs of some Continued roll-out of public engagement strategy Public Affairs sections of Scottish Outreach and other engagement programmes society tailored to reach disengaged groups Public Affairs Mitigating Action Status at May 2011 Action Required Language policy in place and regularly reviewed, taking account of demographic changes In operation Continued roll-out of public engagement strategy Outreach and other engagement programmes tailored to reach disengaged groups In operation In operation 23

30 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 3C Publicly available Delivery of upgraded SP website redesigned with RIR Dec 2010 information about the emphasis on accessibility and usability Parliament is Full user acceptance testing of new website to Web Project Nov 2010 inadequate or ensure no loss of access at go live Board inaccessible Public information leaflets regularly reviewed for Public Affairs relevance, accuracy and accessibility Annually Mitigating Action Status at May 2011 Action Required Delivery of upgraded SP website redesigned with emphasis on accessibility and usability Partially implemented: new website has been designed but is not operational. The launch is planned for summer recess The new website has been designed with Complete development and launch of upgraded website. Full user acceptance testing of new website to ensure no loss of access at go live Public information leaflets regularly reviewed for relevance, accuracy and accessibility the aim of improving accessibility. Partially implemented: the upgraded website is currently in the testing phase. Full user acceptance testing has not yet been completed. The website is expected to be launched in the summer recess In operation Ensure that full user acceptance testing of the upgraded website has been completed for launch in summer

31 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 3A Failure to identify or respond effectively to public concerns Quarterly organisational performance and risk monitoring for early identification of potential delivery failures SLT Quarterly Further development of mechanisms in public engagement strategy for obtaining public opinion & feedback Public Affairs Dec 2010 Media relations strategy in place and regularly reviewed Public Affairs Annually Complaints procedure in place and all complaints reviewed to identify possible improvements to practice Public Affairs Annually Mitigating Action Status at May 2011 Action Required Quarterly organisational performance and risk monitoring for early identification of potential delivery failures Further development of mechanisms in public engagement strategy for obtaining public opinion & feedback Partially implemented: risk registers are reviewed periodically by the Leadership Group and a report on the current status is submitted to the SPCB. At present this review is not performed quarterly. The previous review was completed in October In operation Ensure risk registers are reviewed quarterly for operation and relevance. Media relations strategy in place and regularly reviewed Complaints procedure in place and all complaints reviewed to identify possible improvements to practice Partially implemented: the media relations strategy has been drafted and will be presented to the Change Management Programme Board in summer In operation Finalize and implement media relations strategy. Review annually from date of implementation. 25

32 4. Organisational Health Headline Risk: Failure of the organisation to work efficiently, effectively and progressively towards a shared aim, or to operate according to principles of sustainable development and in a safe and secure environment Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4B Anticipated reduction in available resources Future resource planning exercise being undertaken to inform strategic plan and budget assumptions SLT/OMG Nov 2010 Mitigating Action Status at May 2011 Action Required Future resource planning exercise being undertaken to inform strategic plan and budget assumptions No further action required on this mitigating action. Fully implemented: future resource planning exercise now complete and succeeded by the change management programme which has been developed to implement agreed cuts at a local level. Consider revising this mitigated actions associated with this risk to reflect current approach to budget reductions. 26

33 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4E Downturn in industrial Partnership agreement in place with TUS and HR relations arising from regular liaison meetings held with senior officials anticipated resource reductions (linked to risk cause 4B) Direct engagement with TUS on future resource planning work Mitigating Action Status at May 2011 Action Required Partnership agreement in place with TUS and regular liaison meetings held with senior officials In operation Direct engagement with TUS on future resource planning work In operation Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4K Failure to manage organisational change effectively in relation to Robust programme documentation in place and regularly reviewed, including dedicated risk register and communication plan FRP Board Monthly future resource planning work Close ongoing liaison with TUS FRP Board Mitigating Action Status at May 2011 Action Required Robust programme documentation in place and regularly reviewed, including dedicated risk register and communication plan Fully implemented: the future resource planning project has now been superseded by the change management programme (see 4B also above). A risk register and a communication plan have been developed for this programme. Close ongoing liaison with TUS In operation e 27

34 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4I Failure to secure, Partnership agreement in place with TUS and HR motivate and retain regular meetings held high quality staff and leadership Enhanced performance management system in place Leadership Academy in place to deliver coordinated approach to leadership development at Grades 5 and 6 Review of CCP changes to confirm effectiveness of governance arrangements Mitigating Action Status at May 2011 Action Required Partnership agreement in place with TUS and regular meetings held In operation. Enhanced performance management system in place Leadership Academy in place to deliver coordinated approach to leadership development at Grades 5 and 6 Review of CCP changes to confirm effectiveness of governance arrangements In operation. In operation. In operation. No further action required No further action required 28

35 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4D Loss or mismanagement of parliamentary information/records Information Management Strategy in place and organisation-wide standards agreed RIR/BIT Information security plans in place Security/BIT Mitigating Action Status at May 2011 Action Required Information Management Strategy in place and organisation-wide standards agreed Partially implemented. Phase 1 of the Information Management Strategy is complete, with Phase 2 to be commenced in summer Progress with Phase 2 of the infrastructure programme. Information security plans in place Partially implemented: an infrastructure programme is underway which will improve information security with improved encryption and a remote access system, Complete infrastructure programme in order to improve information security at SCPB. 29

36 Ref Risk Cause L I Sc Mitigating Action(s) Owners Deadline/ Review 4F Failure to meet commitments on Carbon management plan in place with FM, SLT environmental management interim carbon reduction targets to 2020 Environmental engagement and education strategy in place ISO certification maintained Environmental objectives included in all operational plans Investment in capital projects to deliver significant ongoing reductions in energy use Mitigating Action Status at May 2011 Action Required Carbon management plan in place with interim carbon reduction targets to 2020 In operation. No further action required Environmental engagement and education strategy in place In operation. No further action required ISO certification maintained In operation. No further action required Environmental objectives included in all operational plans Investment in capital projects to deliver significant ongoing reductions in energy use Not implemented: there was no review of this in 2010/11. In operation. Ensure that environmental concerns are considered in operational plans. No further action required 30