Risk Management Policy and Procedures

Transcription

1 Risk Management Policy and Procedures Contents 1. Introduction and overview 2. Completion of the Corporate Risk Register 3. Roles and responsibilities Annexes Annex A Risk probability / impact setting Annex B Aid to identifying risks Annex C Risk Register template Peter Bloomfield Corporate Governance Version April

2 1. Introduction and overview Aim of this document 1.1 This document details the ICO s risk management policy and procedure. It should be read by Senior Management Team (SMT) members who, in turn, should explain the policy and procedure to their staff. What is risk? 1.2 Risk is: An event or cause leading to uncertainty in the outcome of the ICO s operations. For example, operational service standards are based on expected numbers of complaints. If complaints rise, service delivery will worsen unless staff are moved from other tasks to help. However, if complaints fall there is an opportunity to improve customer service. Risks can be opportunities as well as threats. Why we need to manage risk 1.3 We manage risk daily without describing this as risk management. We consider what might go wrong and take steps to reduce the impact if things do go wrong. However, the ICO cannot rely on informal processes. As a public body, we must provide assurance that we are managing risk to the Commissioner, auditors, Audit Committee (AC) and the Department for Culture, Media and Sport. Who should think about risk? 1.4 The main responsibility for identifying corporate risks lies with SMT members who should consider both existing risks and seek to identify new risks. 1.5 Management Board (MB), and AC also have a role. Because of this, the risk register will be brought to these committees quarterly. 1.6 Staff too have a role in identifying risks. The corporate risk register is available on ICON and staff are encouraged to contribute; risk management is included in new staff induction. 2

3 When to consider risk 1.7 Risk should be considered when making decisions. In particular, as plans for the forthcoming year develop during the spring, SMT members need to re-consider existing corporate risks; looking at our aims for the next few years and identifying what might stop us achieve these aims. Timing is important if mitigating actions are to be included in business plans. Project and departmental risks 1.8 Individual ICO projects may have their own risk registers. Where a project risk is considered serious enough it should be included in the corporate risk register. The project manager should advise Corporate Governance and relevant SMT members of any such risks. Regular project highlight reports to SMT are a good way of doing this. 1.9 Individual managers may also identify risks to departmental aims. Mitigating actions should be included in business plans if considered serious enough. If it is thought that the risks might be corporate, again the manager should advise Corporate Governance and relevant SMT members of this. Risk appetite 1.10 Risk appetite is an expression of how much risk an organisation is prepared to take. It can vary over time and by work area. If the risk appetite is clearly stated staff can take this into account when making decisions. So, when considering risk, SMT should discuss and express the risk appetite To help in this, the risk register steers risk owners into considering risk appetite when updating an entry. They need to consider not only the risk status before and after existing mitigating action but also the final tolerable risk status; ie what they are aiming for in terms of status for that particular risk. Options for dealing with risk 1.12 There are various options for dealing with risk. Tolerate if we cannot reduce a risk (or if doing so is out of proportion to the risk) we can tolerate the risk; ie do nothing further to reduce the risk. 3

4 Treat if we can reduce the risk by identifying mitigating actions and implementing them, we should do so. For most of the risks on the corporate risk register this is what we do. Transfer risks can be transferred to other organisations, for example by use of insurance or by contracting out an area of work. Terminate this applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is very high risk and these risks cannot be mitigated we might decide to cancel the project. Communicating risk 1.13 During the spring, once corporate risks have been identified and agreed, the risk register will be made available to staff via ICON. Staff will be advised that it is available. The register will also come to SMT, MB and AC quarterly for any comments members might have It has been decided that the corporate risk register should not routinely be published. 4

5 2. Completion of the Corporate Risk Register Completing the register 2.1 The risk register template is below. No Risk area: The generic area with which the risk is associated with Risk owner: The Executive Team member responsible for the risk and its mitigation Risk description The identified risk should be described clearly as below: Event/cause Increase in FoI complaints received due to increased public awareness of their rights... Result results in increase in clearance times and backlogs Risk status before existing mitigation See risk status below at para 2.4 Probability Impact Overall Existing mitigating actions Existing assurances These are mitigating actions (controls) which are in place and happening. Eg CRB checks for all new staff. An assurance is a process that ensures that mitigation is working. Eg Managers reviews the CRB checks and signs them off. Risk status after existing mitigation See risk status below at para 2.4 Future mitigating actions Planned actions which have not yet happened designed to help reduce the risk even further. Risk status after future mitigating actions See risk status below at para 2.4 Aimed for risk status Probability Impact Overall Acceptable If yes tolerate the risk. If no there needs to be further action. Owner Due Notes Manager responsible for the mitigating action. Expected clearance date. Any relevant notes Probability Impact Overall When to be achieved by 5

6 Risk Status 2.2 Risk status is an assessment of the risk s seriousness based on: The probability of the risk actually arising; and The impact on the ICO if a risk does actually arise. We assign a status so that risks can be prioritised. 2.3 A traffic light and numerical indicator is used to show the risk status. Annex A provides advice on setting probability and impact. 2.4 Four assessments of risk status are needed. Risk status before existing mitigation an assessment of the risk happening and its impact if no action is taken; eg what is the risk that we receive an increase in complaints without taking any action to address increasing backlogs? Risk status after existing mitigation an assessment of the risk happening and its impact, taking into account existing actions aimed at reducing the risk. For example, we receive an increase in complaints and streamline procedures to make the process faster; what do we now think the risk status is? Risk status after future mitigation an assessment of the risk level we will reach after all the mitigating actions identified have been done. Aimed for risk status where do we want to get to at the end of the process. 2.5 If, after existing mitigation, we think the risk status is acceptable then the risk should be tolerated; there is nothing more we can do. But if the status remains unacceptable we should identify further mitigating actions. Management summary 2.6 The risk register includes a one page management summary listing all of the risks and the risk status. In addition it indicates whether or not the risk status after existing mitigation is improving. Updating the risk register 2.7 SMT formally review the risks on the risk register annually in the spring. The register is then updated monthly by Corporate 6

7 Governance. The team will liaise with risk owners and managers over risk status and mitigating actions. 2.8 The register will also come to SMT, MB and AC quarterly for comments. Comments made at these meetings can then be incorporated into the next version. 2.9 Where changes are made to the register these will be tracked. Comments will be added to explain the reason behind the changes. The track changes and the comments can be hidden in the background by changing the Word view when necessary eg when placing on ICON or when the changes are major and confuse the presentation. 7

8 3. Roles and responsibilities 3.1 Senior Management Team Identification of corporate risks. Review of corporate risks and mitigating actions. Consider risk when making decisions. Articulate a risk appetite when making decisions. 3.2 Management Board Quarterly high level review of the risk register and mitigation of risks, ensuring that the risk management process works properly. Identification of additional corporate risks. 3.3 Audit Committee The provision of advice on the strategic process for risk, control and governance and the Statement on Internal Control. Identification of additional corporate risks. 3.4 Head of Departments To identify risks to the achievement of their unit s business plan which might also be corporate risks, and to advise SMT and Corporate Governance of such risks. To identify any relevant mitigating actions, to include these within their unit s business plan, and to ensure the business plan is met To be alive to other risks that might develop in year. 3.5 Corporate Governance To manage the risk management process ensuring that: the Corporate Risk Register is presented to corporate governance groups as appropriate; the risk register is placed on ICON and staff are encouraged to contribute; inconsistencies in the Corporate Risk Register are questioned; and to ensure that the Corporate Risk Management Policy is kept up to date. 3.6 All staff To be alert to possible corporate risks and to raise risks they have identified with their managers. 8

9 Risk Probability setting Probability Criteria Annex A Very low Low Medium High Very high 0-5% - extremely unlikely or virtually impossible 6-20% - low but not impossible 21-50% - fairly likely to occur 51-80% - more likely to occur than not % - almost certainly will occur Risk Impact setting Impact Very low Low Medium High Very high Criteria Likely to have minor impact in one or a few areas of the ICO. Likely to have minor impact in many areas of the ICO. Likely to have major impact in one or a few areas of the ICO. Likely to have major impact in many areas of the ICO. Likely to have major impact on the whole ICO. Traffic light scoring Very Low (1) (5) (4) (3) (2) (1) Low (2) (10) (8) (6) (4) (2) Medium (3) (15) (12) (9) (6) (3) Probability High (4) (20) (16) (12) (8) (4) Very High (5) (25) (20) (15) (10) (5) Very High (5) High (4) Medium (3) Low (2) Very Low (1) Impact 9

10 Aid to identifying risks Step Action 1 Identify individual / unit / ICO aims, objectives and targets 2 Think about what might stop the aims etc from being achieved and describe them in terms of event/cause and result. 3 For each risk score its impact and likelihood and prioritise accordingly. Annex B Example Develop and implement cost-effective programmes to tackle organisations which have not notified in accordance with their obligations, aiming to increase the register to 285,000. Lack of staff to develop and implement programme due to difficulties in recruiting result in shortfall in numbers registered and in Data Protection Fee Income. Impact medium as it could result in failure of the programme. [Impact could rise to high if shortfall in notification fee income was going to impact on office expenditure plans.] Likelihood medium on assumption that Notifications team are slightly understaffed and are already facing some difficulties in recruiting. [This could raise to high if these staffing and recruitment problems were more severe.] 4 Identify mitigating actions and include these in business plans if appropriate. Mitigation should be specific and time limited. 1. Identify any shortfall in numbers of staff required by December. 2. Identify existing staff who can be used on the programme by January and agree transfers and start dates. 3. Initiate recruitment of new staff to fill any remaining shortfall by February and plan to have staff in post by June. 4. Monitor income shortfall and agree point at which ICO budget would need to be revised to take account of any shortfall. 5 Agree risk status after mitigating action. Assuming reasonably successful staffing of the programme the probability would fall to low. Impact would remain at medium as this has not been addressed by mitigation. 10

11 Annex C Risk register template Risk area Status When final risk status is expected by Trend in status after existing mitigation Risk area: Risk owner: Risk description Risk status before existing mitigation Probability Impact Overall Existing mitigating actions Existing assurances Risk status after existing mitigation Future mitigating actions Probability Impact Overall Acceptable Owner Due Notes Risk status after future mitigating actions Probability Impact Overall When to be achieved by Aimed for risk status 11