Risk Management Policy and Procedures
Contents

1. Introduction and overview
2. Completion of the Corporate Risk Register
3. Roles and responsibilities

Annexes

Annex A Risk probability / impact setting
Annex B Aid to identifying risks
Annex C Risk Register template

Peter Bloomfield
Corporate Governance
Version April
1. Introduction and overview

Aim of this document

1.1 This document details the ICO's risk management policy and procedure. It should be read by Senior Management Team (SMT) members who, in turn, should explain the policy and procedure to their staff.

What is risk?

1.2 Risk is: An event or cause leading to uncertainty in the outcome of the ICO's operations. For example, operational service standards are based on expected numbers of complaints. If complaints rise, service delivery will worsen unless staff are moved from other tasks to help. However, if complaints fall there is an opportunity to improve customer service. Risks can be opportunities as well as threats.

Why we need to manage risk

1.3 We manage risk daily without describing this as risk management. We consider what might go wrong and take steps to reduce the impact if things do go wrong. However, the ICO cannot rely on informal processes. As a public body, we must provide assurance that we are managing risk to the Commissioner, auditors, Audit Committee (AC) and the Department for Culture, Media and Sport.

Who should think about risk?

1.4 The main responsibility for identifying corporate risks lies with SMT members who should consider both existing risks and seek to identify new risks.

1.5 Management Board (MB), and AC also have a role. Because of this, the risk register will be brought to these committees quarterly.

1.6 Staff too have a role in identifying risks. The corporate risk register is available on ICON and staff are encouraged to contribute; risk management is included in new staff induction.
When to consider risk

1.7 Risk should be considered when making decisions. In particular, as plans for the forthcoming year develop during the spring, SMT members need to re-consider existing corporate risks, looking at our aims for the next few years and identifying what might stop us achieving these aims. Timing is important if mitigating actions are to be included in business plans.

Project and departmental risks

1.8 Individual ICO projects may have their own risk registers. Where a project risk is considered serious enough it should be included in the corporate risk register. The project manager should advise Corporate Governance and relevant SMT members of any such risks. Regular project highlight reports to SMT are a good way of doing this.

1.9 Individual managers may also identify risks to departmental aims. Mitigating actions should be included in business plans if considered serious enough. If it is thought that the risks might be corporate, again the manager should advise Corporate Governance and relevant SMT members of this.

Risk appetite

1.10 Risk appetite is an expression of how much risk an organisation is prepared to take. It can vary over time and by work area. If the risk appetite is clearly stated staff can take this into account when making decisions. So, when considering risk, SMT should discuss and express the risk appetite.

To help in this, the risk register steers risk owners into considering risk appetite when updating an entry. They need to consider not only the risk status before and after existing mitigating action but also the final tolerable risk status; ie what they are aiming for in terms of status for that particular risk.

Options for dealing with risk

1.12 There are various options for dealing with risk.

- Tolerate: if we cannot reduce a risk (or if doing so is out of proportion to the risk) we can tolerate the risk; ie do nothing further to reduce the risk.
- Treat: if we can reduce the risk by identifying mitigating actions and implementing them, we should do so. For most of the risks on the corporate risk register this is what we do.
- Transfer: risks can be transferred to other organisations, for example by use of insurance or by contracting out an area of work.
- Terminate: this applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is very high risk and these risks cannot be mitigated we might decide to cancel the project.

Communicating risk

1.13 During the spring, once corporate risks have been identified and agreed, the risk register will be made available to staff via ICON. Staff will be advised that it is available. The register will also come to SMT, MB and AC quarterly for any comments members might have.

It has been decided that the corporate risk register should not routinely be published.
2. Completion of the Corporate Risk Register

Completing the register

2.1 The risk register template is below.

- No
- Risk area: The generic area with which the risk is associated.
- Risk owner: The Executive Team member responsible for the risk and its mitigation.
- Risk description: The identified risk should be described clearly as below:
  - Event/cause: Increase in FoI complaints received due to increased public awareness of their rights...
  - Result: results in increase in clearance times and backlogs
- Risk status before existing mitigation (Probability, Impact, Overall): See risk status below at para 2.4.
- Existing mitigating actions: These are mitigating actions (controls) which are in place and happening. Eg CRB checks for all new staff.
- Existing assurances: An assurance is a process that ensures that mitigation is working. Eg Manager reviews the CRB checks and signs them off.
- Risk status after existing mitigation (Probability, Impact, Overall): See risk status below at para 2.4.
- Acceptable: If yes tolerate the risk. If no there needs to be further action.
- Future mitigating actions: Planned actions which have not yet happened designed to help reduce the risk even further.
  - Owner: Manager responsible for the mitigating action.
  - Due: Expected clearance date.
  - Notes: Any relevant notes.
- Risk status after future mitigating actions (Probability, Impact, Overall): See risk status below at para 2.4.
- Aimed for risk status (Probability, Impact, Overall, When to be achieved by)
Risk Status

2.2 Risk status is an assessment of the risk's seriousness based on:

- The probability of the risk actually arising; and
- The impact on the ICO if a risk does actually arise.

We assign a status so that risks can be prioritised.

2.3 A traffic light and numerical indicator is used to show the risk status. Annex A provides advice on setting probability and impact.

2.4 Four assessments of risk status are needed.

- Risk status before existing mitigation: an assessment of the risk happening and its impact if no action is taken; eg what is the risk that we receive an increase in complaints without taking any action to address increasing backlogs?
- Risk status after existing mitigation: an assessment of the risk happening and its impact, taking into account existing actions aimed at reducing the risk. For example, we receive an increase in complaints and streamline procedures to make the process faster; what do we now think the risk status is?
- Risk status after future mitigation: an assessment of the risk level we will reach after all the mitigating actions identified have been done.
- Aimed for risk status: where do we want to get to at the end of the process.

2.5 If, after existing mitigation, we think the risk status is acceptable then the risk should be tolerated; there is nothing more we can do. But if the status remains unacceptable we should identify further mitigating actions.

Management summary

2.6 The risk register includes a one page management summary listing all of the risks and the risk status. In addition it indicates whether or not the risk status after existing mitigation is improving.

Updating the risk register

2.7 SMT formally review the risks on the risk register annually in the spring. The register is then updated monthly by Corporate Governance. The team will liaise with risk owners and managers over risk status and mitigating actions.

2.8 The register will also come to SMT, MB and AC quarterly for comments. Comments made at these meetings can then be incorporated into the next version.

2.9 Where changes are made to the register these will be tracked. Comments will be added to explain the reason behind the changes. The track changes and the comments can be hidden in the background by changing the Word view when necessary, eg when placing on ICON or when the changes are major and confuse the presentation.
3. Roles and responsibilities

3.1 Senior Management Team

- Identification of corporate risks.
- Review of corporate risks and mitigating actions.
- Consider risk when making decisions.
- Articulate a risk appetite when making decisions.

3.2 Management Board

- Quarterly high level review of the risk register and mitigation of risks, ensuring that the risk management process works properly.
- Identification of additional corporate risks.

3.3 Audit Committee

- The provision of advice on the strategic process for risk, control and governance and the Statement on Internal Control.
- Identification of additional corporate risks.

3.4 Heads of Department

- To identify risks to the achievement of their unit's business plan which might also be corporate risks, and to advise SMT and Corporate Governance of such risks.
- To identify any relevant mitigating actions, to include these within their unit's business plan, and to ensure the business plan is met.
- To be alive to other risks that might develop in year.

3.5 Corporate Governance

To manage the risk management process ensuring that:

- the Corporate Risk Register is presented to corporate governance groups as appropriate;
- the risk register is placed on ICON and staff are encouraged to contribute;
- inconsistencies in the Corporate Risk Register are questioned; and
- the Corporate Risk Management Policy is kept up to date.

3.6 All staff

- To be alert to possible corporate risks and to raise risks they have identified with their managers.
Annex A

Risk Probability setting

Probability | Criteria
Very low | 0-5% - extremely unlikely or virtually impossible
Low | 6-20% - low but not impossible
Medium | 21-50% - fairly likely to occur
High | 51-80% - more likely to occur than not
Very high | % - almost certainly will occur

Risk Impact setting

Impact | Criteria
Very low | Likely to have minor impact in one or a few areas of the ICO.
Low | Likely to have minor impact in many areas of the ICO.
Medium | Likely to have major impact in one or a few areas of the ICO.
High | Likely to have major impact in many areas of the ICO.
Very high | Likely to have major impact on the whole ICO.

Traffic light scoring

Probability / Impact | Very High (5) | High (4) | Medium (3) | Low (2) | Very Low (1)
Very Low (1) | (5) | (4) | (3) | (2) | (1)
Low (2) | (10) | (8) | (6) | (4) | (2)
Medium (3) | (15) | (12) | (9) | (6) | (3)
High (4) | (20) | (16) | (12) | (8) | (4)
Very High (5) | (25) | (20) | (15) | (10) | (5)
Annex B

Aid to identifying risks

Step 1
Action: Identify individual / unit / ICO aims, objectives and targets.
Example: Develop and implement cost-effective programmes to tackle organisations which have not notified in accordance with their obligations, aiming to increase the register to 285,000.

Step 2
Action: Think about what might stop the aims etc from being achieved and describe them in terms of event/cause and result.
Example: Lack of staff to develop and implement programme due to difficulties in recruiting results in shortfall in numbers registered and in Data Protection Fee Income.

Step 3
Action: For each risk score its impact and likelihood and prioritise accordingly.
Example: Impact medium as it could result in failure of the programme. [Impact could rise to high if shortfall in notification fee income was going to impact on office expenditure plans.] Likelihood medium on assumption that Notifications team are slightly understaffed and are already facing some difficulties in recruiting. [This could rise to high if these staffing and recruitment problems were more severe.]

Step 4
Action: Identify mitigating actions and include these in business plans if appropriate. Mitigation should be specific and time limited.
Example:
1. Identify any shortfall in numbers of staff required by December.
2. Identify existing staff who can be used on the programme by January and agree transfers and start dates.
3. Initiate recruitment of new staff to fill any remaining shortfall by February and plan to have staff in post by June.
4. Monitor income shortfall and agree point at which ICO budget would need to be revised to take account of any shortfall.

Step 5
Action: Agree risk status after mitigating action.
Example: Assuming reasonably successful staffing of the programme the probability would fall to low. Impact would remain at medium as this has not been addressed by mitigation.
Annex C

Risk register template

Management summary columns:

- Risk area
- Status
- When final risk status is expected by
- Trend in status after existing mitigation

Risk entry fields:

- Risk area:
- Risk owner:
- Risk description
- Risk status before existing mitigation (Probability, Impact, Overall)
- Existing mitigating actions
- Existing assurances
- Risk status after existing mitigation (Probability, Impact, Overall)
- Acceptable
- Future mitigating actions (Owner, Due, Notes)
- Risk status after future mitigating actions (Probability, Impact, Overall)
- Aimed for risk status (Probability, Impact, Overall, When to be achieved by)
DIRECTORATE OF AUDIT, RISK FF AND ASSURANCE Internal (Foundry Audit Forms Service San/ Font size to 20/ the RBG: 160, GLA 160, 170) Appendix 2a FOLLOW UP REVIEW OF CORPORATE BUSINESS CONTINUITY DISTRIBUTION
More informationORDINANCE 22 UNIVERSITY OF LONDON RISK MANAGEMENT POLICY
UNIVERSITY OF LONDON RISK MANAGEMENT POLICY Introduction 2 Guide to Risk Management 2 Underlying approach to Risk Management 2 Components of the Risk Management Framework 3 Role and Responsibilities of
More informationWe are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.
Inspection Report We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Bury DCA United Response, City View Business Centre, 9 Long
More informationThe Regulatory Reform (Fire Safety) Order 2005: Enforcement Policy
COMMUNITY SAFETY The Regulatory Reform (Fire Safety) Order 2005: Enforcement Policy Relevant legislation The Fire and Rescue Services Act 2004 The Regulatory Reform (Fire Safety) Order 2005 Legislative
More informationRisk Management: Coordinated activities to direct and control an organisation with regard to risk.
POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic
More informationThe Compliance Universe
The Compliance Universe Principle 6.1 The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards This practice note is intended
More informationGOVERNMENT INTERNAL AUDIT COMPETENCY FRAMEWORK
GOVERNMENT INTERNAL AUDIT COMPETENCY FRAMEWORK March 2007 Government Internal Audit Profession This framework has been compiled by the Assurance, Control and Risk Team and the PSG Competency Framework
More informationAudit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction
Audit Committee, 28 November HCPC Project Risk Management Executive summary and recommendations Introduction At its meeting on 29 September 2013 the Committee agreed that it would receive the Education
More informationConfident in our Future, Risk Management Policy Statement and Strategy
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
More informationBusiness Continuity Policy
Business Continuity Policy Reference Number: 243 Author & Title: Siân Dyson Resilience Manager Responsible Director: Chief Operating Officer Review Date: 29 May 2018 Ratified by: Francesca Thompson Chief
More informationAchieve. Performance objectives
Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationA blueprint for an Enterprise Information Security Assurance System. Acuity Risk Management LLP
A blueprint for an Enterprise Information Security Assurance System Acuity Risk Management LLP Introduction The value of information as a business asset continues to grow and with it the need for effective
More informationBedford Group of Drainage Boards
Bedford Group of Drainage Boards Risk Management Strategy Risk Management Policy January 2010 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise
More informationRisk Management Guide
Risk Management Guide Page(s) Introduction 3 The 5 steps to identifying risk 4 Risk Management Process - Step 1 5 Identify - Step 2 Assess Step 3 5-6 6 Control - Step 4 6 Monitor and Review -Step 5 6 Risk
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationCommissioning Strategy
Commissioning Strategy This Commissioning Strategy sets out the mechanics of how Orkney Alcohol and Drugs Partnership (ADP) will implement its strategic aims as outlined in the ADP Strategy. Ensuring that
More informationDISASTER RECOVERY PLAN
DISASTER RECOVERY PLAN Data breaches are a threat faced by every business, regardless of size or sector. Whether such an incident is the result of human error or a malicious act, every company needs a
More informationEnterprise Risk Management: From Theory to Practice
INSURANCE Enterprise Risk Management: From Theory to Practice KPMG LLP Executive Summary Enterprise Risk Management (ERM) is a structured and disciplined business tool aligning strategy, processes, people,
More informationCorporate Governance Report
Corporate Governance Report Chairman s introduction From 1 January 2015 until 31 December 2015, the company applied the 2014 edition of the UK Corporate Governance Code (the Code ). 1. BOARD COMPOSITION
More informationLG (2011) Paper 053 28 November 2011 LEADERSHIP GROUP RISK MANAGEMENT ARRANGEMENTS. Executive summary
LG (2011) Paper 053 28 November 2011 LEADERSHIP GROUP RISK MANAGEMENT ARRANGEMENTS Executive summary Issues 1. This paper sets out proposals to implement new strategic risk management arrangements for
More informationOffice of Internal Audit
Internal Audit Bear Line Shuttle Service Contract June 26, 2015 Office of Internal Audit Report No. 118-15 DATE: June 26, 2015 TO: CC: FROM: Tom Johnson, Director of Safety and Transportation Ken McClure,
More informationRISK MANAGEMENT STRATEGY 2014 2017 (UPDATED MAY 2015)
RISK MANAGEMENT STRATEGY 2014 2017 (UPDATED MAY 2015) 1 Policy title Risk Management Strategy Policy RM12 reference Policy category Risk Relevant to All Trust staff Date published May 2015 Implementation
More informationRisk Methodology. Contents. Introduction... 2. The Risk Management Structure... 2. The Risk Management Cycle... 2. Methodology...
Risk Methodology Contents Introduction... 2 The Risk Management Structure... 2 The Risk Management Cycle... 2 Methodology... 3 Appendix 1...5 Definition of Controls... 5 Appendix 2...6 Definition of Impact...
More informationJoint Strategic Needs Assessment Draft Project Initiation Document
Draft Project Initiation Document Approved by: < Enter name> Date: < DD: MM: YY> Author: Rebecca Brown, Projects and Information Officer Project Initiation Document History Revision History Revision Version
More informationOur Ref Direct Line Ext Date
[Name and address] AstraZeneca PLC 2 Kingdom Street London, W2 6BD, United Kingdom T: +44 (0) 20 7604 8000 F: +44 (0) 20 7604 8151 astrazeneca.com Our Ref Direct Line Ext Date Dear [Name] On behalf of
More informationHow To Ensure That Sovini Is A Successful Business
Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014
More information