SNH/11/11/B CORPORATE RISK MANAGEMENT POLICY AND RISK REGISTER

Transcription

1 CORPORATE RISK MANAGEMENT POLICY AND RISK REGISTER SNH/11/11/B Summary 1. This paper presents Board with a revised SNH Risk management policy and new list of corporate risks in the light of previous Board discussion. Both were considered by the Audit and Risk Management Committee (ARMC) at their 26 October meeting. Board Action 2. The Board is invited: a. To adopted the revised Risk Management Policy including its expression of SNH s risk appetite and culture. (Annex 1) b. To note the current set of Corporate Risks (Annex 2) and confirm that in combination they represent an adequate treatment of corporate risk. Preparation of the paper 3. The cover paper has been prepared by Programme Office and is sponsored by Ian Jardine. The Annexed corporate risks have been captured through a workshop involving senior staff across various directorates. They, and the risk management policy, have been considered by ARMC. Background 4. It is the responsibility of the Accountable Officer of SNH (The Chief Executive) to confirm each year that the organisation has in place an effective system of internal control. This responsibility is exercised with advice from ARMC. Part of that system is to have in place a corporate risk management policy and effective risk register. Given the importance of risk management within the overall corporate governance arrangements of SNH, the Accountable Officer and ARMC are asking the Board to approve the Risk Management Policy. The Board also has a key role in determining the organisation s risk appetite. Although this can be hard to define at a general level this is an appropriate time for the Board to consider the matter and give any comment. 5. The identification and management of corporate risks are principally the responsibility of the Management Team but, in the interests of good governance, the Board should review these periodically to satisfy itself that the scope and content of the Corporate Risk Register is adequate. SNH Risk Management follows the Management Of Risk (MOR) guidance set out by the Office of Government Commerce (OGC). 6. In SNH, risk is addressed from five key perspectives: project, unit, directorate, programme and corporate. (In addition individuals consider personal risks related to health & safety). A strategic risk report is presented to Management Team as part of the quarterly business performance report and comprises: The risks within the corporate risk register. These have been identified by Management Team as risks that affect SNH as a whole, or are significant to the functioning of SNH as an organisation. All new high-rated risks (i.e. those being overseen by Directors) and any risks that have been temporarily escalated to Management Team, whether these have been identified by Programme or Unit Managers. These are presented to Management Team in the quarter they are raised, enabling Management Team to make decisions on whether any risks require a contingency plan to 1

2 be created, and if any of these risks should be adopted permanently into the suite of Corporate Risks. 7. As part of a review of risk management the SNH Risk Management Policy (Annex 1) has been reviewed and following consideration by ARMC is now presented to Board for adoption. Greater effort has now been made to stress the importance of opportunity in risk management. The ARMC also discussed the terminology of risk appetite, since risk was rarely to be seen as a positive, even though quite a high level of risk might need to be tolerated at times. However, we have retained the use of the term risk appetite as defined by MOR: it is now reasonably widely understood within SNH, and it has a widely accepted technical definition. 8. The Board is asked to adopted the revised Risk Management Policy including its expression of SNH s risk appetite and culture. 9. The corporate risk register has also been reviewed with a greater emphasis on delivery risks: during quarter 2, a workshop was held to identify a refreshed suite of corporate risks. This was attended by directors, programme managers and unit managers representing each directorate. The aim was to establish a set of risks that adequately addressed SNH s outward delivery as well as internal organisation. Following the workshop, all unit and programme managers were consulted to ensure the new set of corporate risks appropriately covered critical risks across the organisation. ARMC endorsed, subject to amendments, the new set of corporate risks at their 26 October meeting. To reflect best practice in risk management risks are described using the formula: Cause: As a result of Event: there is a risk that, Effect: which may result in. 10. As well as threats to SNH, the corporate risk register now includes opportunities, enabling decisions on both positive and negative risks to the organisation. Two additional risk were suggested by the ARMC: one relating to public sector change; a second related to national and global fiscal instability (which impacts on issues such public sector funding, pension affordability and social stability). We have attempted to capture these and invite the Board to comment on these two additional risks. 11. This set of risks 1 in Annex 2 constitute the Corporate Risk suite. They are assigned to units and are the basis of the risk summaries contained in the Q2 performance report. The Board is invited to note the list of Corporate Risks and confirm that in combination they represent an adequate treatment of corporate risk. Contact: Andy Dorin ( ) 1. 1 Further detail on scores and controls are available on request. These will be reviewed by the ARMC as part of their regular consideration of risk. 2

3 Annex 1 SNH Risk Management Policy Introduction The aim of this policy is to detail how and why SNH carries out risk management, to lay out the roles and responsibilities across the organisation and to establish the process and techniques SNH utilise to support risk management. Corporate Statement on Risk SNH works to care for the natural heritage: the wildlife, habitats, rocks, landscapes and natural beauty of Scotland whilst ensuring sustainable public benefit from the use that is made of them. By undertaking risk management we will better manage the successful delivery of objectives including the safety of our staff, the public visiting our reserves, our reputational risk and the broader strategic implications by: Reducing the possibility that our objectives are jeopardised by unforeseen events; Recognising and managing opportunities that may offer an improved way of achieving objectives; Providing assurance to the Scottish Government that we are managing risks as part of our Internal Controls. Risk Appetite Our risk appetite reflects our overall corporate strategy, programme priorities, business plans and stakeholder expectations. It acknowledges a willingness and capacity to tolerate a higher level of risk in particular areas of our business in order to maximise public benefit. Monitoring risk tolerance is achieved through our risk management tool which is linked to reporting progress against plans. Our risk appetite statement is periodically reviewed with reference to emerging external and internal conditions. In our current operating environment where capital and operating budgets are declining with costs to delivery increasing the business continues to review the extent to which it is willing to tolerate a higher level of risk across a wider range of activities. We will actively manage risks and accept a higher level of tolerance where those risks relate to discretionary effort in support of broader strategic outcomes. Specifically, this may relate to the amount of effort spent on such tasks or the extent to which bespoke responses are offered. We will continue to adopt a low tolerance level for risks related to achievement of statutory obligations. Managing risk involves responding to opportunity as well as negative uncertainty. SNH seeks to maximise opportunities presented by uncertainty. At times this may simply mean seizing a positive initiative - perhaps the offer to work in partnership for example. However, few genuine opportunities come without organisational impacts on resources and substantial risks as well, so a culture of opportunism must always be tempered by good judgement and careful weighing of the cost and benefits. However, often uncertainty may be more ambiguous and generate both opportunity and risk, and it may be less a matter of grasping a unique possibility, and more a case of managing a situation to achieve the best result rather simply avoiding the worst consequences. Positive attitude, providing it is realistic and grounded, can be a powerful factor in the success of an organisation and is reflected in SNH s risk attitude. 3

4 Escalation Procedures When a risk reaches a level whereby the manager can implement no further controls or solutions, the risk must be escalated. This escalation can occur within the risk register either by the project manager, unit manager or the director. Project Risks Low and medium risks sit with the project manager. When a risk is recognised as being high, it will be automatically escalated to the project s Senior Responsible Owner (SRO). They can then choose to control the risk at project level or promote it to the appropriate unit risk register. This will ensure the unit manager is aware of a potentially high impact risk. The risk is then managed in accordance with unit risks. Unit Risks Low and medium risks sit with the unit manager. They are responsible for ensuring that the risks are managed and if necessary have an accompanying Action Plan. When a risk is recognised as being high, it is automatically escalated to the director for attention. Directorate Risks Any high unit risks will be automatically escalated to the Director. It is the Director s role to manage the risk, acknowledging his or her greater level of delegated authority, greater strategic perspective, access to increased resources across a number of units, and overall greater permitted tolerance. Directors determine the correct treatment for an escalated risk, and a Director will typically play a role in discussing the risk with a Unit Manager before empowering them to take appropriate action (or tolerate an increased level of risk) that would normally not be within their discretion. A Director should escalate risks to Management Team when it is of corporate significance or outside his/her agreed tolerances. They can require an action plans to be constructed to mitigate risks If the Director deems a risk to be of corporate significance, or beyond their delegated tolerance, they can escalate a risk to Management Team if they are deemed critical or effect SNH as a whole. They are then considered as corporate risks and are under Management Team observation and scrutiny. Programme Risks The Programme Managers identify potential risks to the delivery of their programme objectives as part of the quarterly performance reporting, either through analysis of unit risks coded to the programmes, or through identification of new programme level risks. These risks are presented to Management Team Corporate Risks - SNH has adopted 26 corporate risks which they have identified as affecting SNH as a whole or being particularly critical to the organisation. These risks are monitored by Management Team and changes to the definition, controls or score of these risks should receive Management Team approval. Roles and Responsibilities Role Responsibilities Board Audit and Risk Management Committee (ARMC) Accountable Officer (CEO) Management Team Overall responsibility for the SNH system of internal control and ensuring that an effective risk management system is in place. Board have overall responsibility for the risk management policy. Advise the Board on SNH's arrangements for risk management. Responsible for ensuring a sound system is in place to manage risk. Review corporate risks and individual escalated risks. Take appropriate action to mitigate risks. Review corporate risks and new high level risks quarterly and advise as to whether a contingency plan is required. 4

5 Directors Programme Managers Unit Managers Senior Responsible Owners Project Managers Programme Office All staff Manage high level risks within their Directorate that are beyond tolerance of a unit manager. Escalate corporate and very severe risks (beyond their own tolerance) to Management Team. Commission action plans to mitigate risks where appropriate. Review and summarise risks to projects that may affect the delivery of SNH programme objectives. Ensure appropriate action is taken to mitigate risks. Identify, evaluate and manage risks to the delivery of Unit Plan objectives. Monitor risks to the delivery of projects under their responsibility. Review and manage high level project risks and escalate to unit manager as necessary. Identify, evaluate and manage risks to the delivery of project objectives. Escalate risks to senior responsible owner and/or unit manager as necessary. Develop, operate, monitor and report on the SNH Risk Management System. Flag escalated risks that may effect outcomes of programmes to programme managers. Take ownership of individual unit and project risks where appropriate. Be responsible for managing risks as an integral part of their job plan. Manage project risks using the project risk register. Process SNH aims to employ a consistent approach to the identification, description and scoring of risks in order to support the overview of risk across the organisation and to ensure a coherent attitude towards risk management across the organisation. SNH uses the risk management principles as detailed in OGC Management of Risk Guide. Identify Risks Assess Review Plan & Implement Actions SNH employs this cyclical process for the creation and management of risks which can be broken down into 4 steps Identify, Assess, Plan, Review. Identify Risks Corporate risks are identified by Management Team or are adopted following escalation from the units. Programme risks are identified by Programme Managers. Unit risks are identified by the unit manager and staff within the unit. For advice on techniques and tools to aid the identification of risks, contact the risk manager on Risks are described using the formula: Cause: As a result of Event: there is a risk that Effect: which may result in 5

6 Assess Risks Risks are assessed to ascertain at what level the risk should be treated and to identify potentially high level risks. Each risk is scored as high, medium or low based on the risk s Impact x Likelihood. Impact and likelihood are scored from 1 to 4 based on the guidance tables below. Risk assessors should choose the most suitable category of impact or likelihood for each risk. Where a risk covers more than one of these categories, then the highest likelihood and impact score should be selected. Impact The impact of a risk on unit objectives will depend on the size and complexity of the risk, as well as the risk appetite of the unit. This scale is intended as a guide and can be edited to suit the unit. A project impact table is available in the Project Risk Management Strategy (B798453). IMPACT risk guidance Score Environment Human Media Stakeholder Financial 1 Little significant harm or Little risk of minor physical Some local media Little, short-term < 1,000 Minor short-term damage. injury. Minor deterioration in coverage stakeholder impact Area affected limited. morale or motivation, minor reductions in output. 2 Moderate short-term or minor long-term damage Risk of minor injury, stress or minor reduction in output. 1,001-10,000 3 Major short-term or moderate long-term damage to site. Extent of damage significant. Any recovery not short-term. Legislative implications. 4 Major long-term damage. Recovery impossible, scale significant etc. legal action/ infraction proceedings consequential. Wholesale failure to meet legislative duties. Injury or illness is likely. Staffing issues result in loss of staff, implication on delivery of Unit business plan. Resignation of significant numbers of staff compromising organisation s ability to deliver key targets. As a consequence SNH is unable to deliver core aspects of its corporate plan or ministerial commitments. NB: This includes fatal injury or illness. Likelihood The likelihood score is an indication of how likely it is that a risk will materialise, and also includes a scale for specific change projects or new areas of work. LIKELIHOOD risk guidance Principally local media coverage, some national media coverage - either adverse or positive. National coverage media PR disaster, major damage to SNH brand Stakeholder concerns longer term implications. Damage to stakeholder confidence long term implications for relationship Destruction of stakeholder confidence 10, ,000 > 100,001 Score Operational Work 1 Very Low Where an occurrence is improbable or very unlikely 2 Low - Where an occurrence is possible but the balance of probability is against 3 Medium - Where it is likely or probable that an incident will occur 4 High - Where it is certain or highly likely that an incident will occur Project Work Existing process/ Minor redesign Major change New design / process to SNH Cutting edge / never done before 6

7 Risk Tolerance and Profile Likelihood Low Medium 2 High Medium 3 4 Escalated to Director When a risk has been scored, it will achieve a score of high, medium or low. Low or medium risks are managed at project level and high level risks are automatically escalated to the director. The unit manager can then utilise the escalation process to move the risk to management team level if necessary. Impact Plan Controls are put in place in order to reduce the impact or likelihood, consequently reducing the level of the risk. Risks should be rescored following controls put in place. An action planning tool is available in order to record any actions or controls which should be implemented during the life of a risk. Review Risks should be constantly and frequently reviewed to ensure all risks to the unit are identified, controls and descriptions are relevant and no further actions are required. This should take place alongside and between reporting requirements. Reporting Requirements A progress report should be provided for risks in line with the reporting frequency of the unit and activity reporting. This report should include details of changes to the risk score, new controls or early warning indicators that may require attention. If a risk is escalated to director, the director will also complete a risk report for unit risks under their directorate. Risks which are escalated to Management Team will feature in the quarterly performance report presented to Management Team. Tools Project and unit risks are held on the Risk Registers in the business planning system. Project risks which are escalated to unit level will generate a new risk on the unit risk register. Extract from original version 2.0 date Nov 2011 at B

8 Annex 2: Revised list of SNH Corporate Risks following ARMC consideration Please note : the numbering of the risks is generated by our corporate planning system to help us to identify and trace them, linked to other aspects of business planning. It has no other significance. The Sea Risk 1218 Delivering MPA project on time As a result of SNH delay in advice on the MPA network (possibly due to competing priority demands on marine renewables for the same staff resources), there is a risk that SNH milestones for the MPA project are not met, which may result in reputational damage and delayed or incomplete delivery of the MPA network. Land and Freshwater Risk 1664: New SRDP programme As a result of changes within the SRDP s 2nd programme, there is a risk that SNH's priorities will not be adequately reflected and insufficient funding will be available, resulting in fewer sites brought into assured management or favourable condition, wider failure to secure potential natural heritage benefits and increased pressure for alternative management schemes. Risk 1196: SRDP There is a risk that SNH is unable to encourage sufficient applications for Rural Development Contracts with measures to improve management on designated sites or benefitting biodiversity generally resulting in failure to meet government targets on favourable condition and biodiversity loss. Designated Sites Risk1728: Interpretation of Natura legislation As a result of failing to understand the implications of Natura legislation, there is a risk of either: the deployment of resources beyond that necessary to meet European legislative requirements to the detriment of other element's of SNH's remit, or through a lack of resource and understanding, a risk of exposing the Government to infraction proceedings from the European Commission with its associated financial and reputational consequences. As a result of well-judged implementation of Natura legislation, there is an opportunity for SNH to demonstrate an exemplar of Natura management, protecting key ecosystem services and natural assets, and avoiding the cost and reputational damage of infraction proceedings and any subsequent restoration costs. Biodiversity Action Risk1646: Wider biodiversity and ecosystems approach As a result of policy drivers and reduced resources, there is a risk that SNH focuses disproportionately on Designated Sites, with the result that attention is deflected from addressing wider biodiversity loss and ecosystems damage in the wider countryside. As a result of focusing more on an ecosystems approach, there is the opportunity that if we get it right, we will increase the value people place on the natural heritage and the services it provides and develop functionally resilient ecosystems. People and Landscape Risk1652: Pressures on the 3rd Sector 8

9 As a result of reduced funding and a changing relationship with the third sector, there is a risk that the third sector will have a reduced capacity and willingness to support SNH s work, resulting in poorer achievement of outcomes. Risk 831: Changing 3 rd sector relationships As a result of SNH funding statutory work alone, there is a risk that SNH will not be able to continue to support some 3 rd sector organisations, possibly resulting in tensions and legal challenge. Risk 1654: Natural Heritage Marginalisation As a result of the natural heritage seen as a constraint rather than an asset, there is a risk that the natural heritage is marginalised in government prioritisation and decision-making, resulting in poor public decisionmaking, weak budgetary support and ultimately damage to the natural heritage Wildlife Management Risk: 1656 New WANE responsibilities As a result of the new WANE responsibilities, there is an opportunity for consolidated wildlife management, resulting in clear priorities, more efficient process of providing licences, efficient use of SNH skills and reduced duplication of effort in the public service. As a result of a consolidated licensing approach and SNH assuming responsibility for more contentious licensing issues, such as piscivorous birds, predatory species, bats and development, there is a risk of greater resource implications and potential criticism from some land managers, developers and planning authorities. Social & Economic Development Risk 1577 Strategic Renewables Developments As a result of lack of early strategic engagement with the National Renewables Infrastructure Plan process there is a risk of late-stage involvement in specific projects resulting in unmanageable workloads, slippage and reputational damage, and ultimately prejudicing the delivery of the Government s target on renewables Risk 1577 Exposure to market forces As a result of economic drivers well beyond our influence, there is a risk of overwhelming development casework demand pressures resulting in SNH failing to agreed service standards or requiring excessive resources, and with the ultimate result of unnecessary delay to legitimate development, and development occurring in the absence of adequate SNH advice with the consequence of damage to the natural heritage. Communications and Information Risk1658: Government and Public Expectations If we are politically connected, there is an opportunity to better influence public policy, resulting in outcomes sympathetic to the natural heritage, more joined up government, and enhanced reputation. Risk 1336: Ineffective Communications As a result of not adhering to the SNH communications strategy, there is a risk that SNH will have a negative profile and will not be communicating our key messages successfully, resulting in reputational damage to stakeholder and customer relations, and experience difficulties in delivering its objectives. Risk 1307: Customer Focus As a result a poor customer focus, there is a risk of failing to recognise customer needs, resulting in misapplied resources, missed opportunities and reputational damage from a customer perspective. 9

10 Risk1648: Evidence base As a result of decrease in confidence in our evidence base, or out of date scientific knowledge, there is a risk that SNH advice will not be seen as authoritative, resulting in it not achieving sufficient influence. Supporting Delivery Risk 1663: Preventative Spend As a result of Scottish Government focus on preventative spend, there is an opportunity to present outcomes achieved through SNH expenditure more favourably, with the result that SNH may attract an improved Grant in Aid settlement Risk: 480 Budget Management As a result of poor financial management, there is a risk that SNH will underspend, which represents poor allocation of public funds and may result in budget penalties in future years Risk 417: Strategic Direction As a result of astute strategic development, there is an opportunity to develop well defined, long term direction and related budgets, resulting in potential to commit to longer term outcomes and continue to reflect government priorities. Risk: 1665: Shared Services As a result of working with others and utilising shared services, there is an opportunity to deliver better public service at a lower cost, allowing SNH to deliver more, with fewer resources. Risk 1660: Pressures on Paybill As a result of weak implementation of corporate controls on vacancy management, and an unsuccessful VER/VES scheme, there is a risk that SNH fails to deliver the required savings in paybill with the consequence that we overspend or create an unsustainable paybill in future years. Risk 15: Inadequate H&S Policy and Compliance As a result of inadequate health and safety policies, poor advice given to staff or weak staff compliance, there is a risk that there is a contravention of Health & Safety legislation including staff/public death or injury, which may result in SNH liability and reputational damage. Risk1660: Prioritisation As a result of failure to prioritise against the corporate strategy, there is a risk of poor allocation of resources, resulting in missed opportunities and failure to maximise delivery. Risk1669: Workforce Planning As a result of organisational change, there is a risk that we have the wrong set of competencies needed for SNH deliver its priorities, resulting in poorly motivated staff, non-delivery and ultimately outcomes not achieved. Risk1671: Changing UK and International relationships As a result of changes in Scotland's relationships within the UK and Europe, there is a risk that SNH becomes more insular and/or parochial, resulting in disconnect with national and international initiative and policy, missed opportunities and ministerial disfavour. 10

11 Risk # Not allocated: Public Sector Change As a result of future public sector reform, there is a potential opportunity SNH to enhance its delivery but also a risk that it will become marginalised or perceived as lesser national priority, with the result that delivery of SNH s core purposes are either benefited or alternatively compromised. Risk# Not allocated: Global and National Fiscal Instability As a result of fiscal instability and associated political pressures there is a risk that SNH s work may become less affordable by Government, or that national government maybe threatened, ultimately leading to an inability for SNH to deliver its core purposes and goals 11