Risk Management. Group Standard


Group Standard
Risk Management

Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise

SMS GS-RM1 Risk Management July 2014 v1.0 Serco Public

Document Details

Reference: SMS GS-RM1: Risk Management
Approval Date: July 2014
Serco Public
Version: 1
Date for next review: July 2016
Applicability: Serco Group covering all business regions, operating companies and business units throughout the world [1]
Authority: Chief Executive, Serco Group plc
Accountable Policy Owner (Group): Director, Risk and Acquisitions
Additional Information: Supporting standards, standard operating procedures and guidance relating to this Group Standard are available on Our World under Serco Management System
Governance: Our policies and standards, together with any regional or market requirements and enhancements to them, are authorised through a robust governance process. The SMS Quality Manual describes this process and is available on Our World under Serco Management System
Consequence Management: As a Group Standard the requirements detailed in this document are mandated and must be adhered to. Non-compliance will have consequences which may include disciplinary action. The Consequence Management Group Standard (SMS-GS-G1) details how instances of non-compliance will be dealt with

[1] As used herein, Serco Group and its affiliates, subsidiaries and operating companies are referred to as Serco, the Company or company, or we, us or our.

Contents

Document Details
Contents
Objectives
Policy Standards
Policy
Risk Management Priorities
Risk Management Lifecycle
Risk Applied to Business Lifecycle Gates
Risk Tools & Risk Registers
Risk Training
Compliance assessment and audit
Responsibilities & Accountabilities
Processes and Controls
Governance processes and controls
Key processes and controls
Supporting documentation and guidance
Definitions
Further information and support

1 Objectives

Risk management will be established, operated and measured in such a way as to drive value across the Serco organisation. Effective risk management allows Serco to improve customer service, maximize opportunities and reduce business loss from overruns and cost from risks that materialise. Management at all levels are required to manage risks on a daily basis as part of normal management processes.

The objectives of effective risk management are to:
- create a robust control environment that reduces negative impacts to our business performance
- provide an early line of sight (visibility) and increased understanding of material risks up, down and across the organisation, and early warning of increases in threat/exposure
- support informed risk-taking that promotes business growth and success while recognising the risks associated with key decisions

To achieve these objectives, risk management will be:
- mandated and integrated with all business processes and linked to the achievement of Serco's objectives
- standardised and structured via a continuous process of planning, identification, analysis, mitigation, monitoring and reporting
- open and transparent across the business and promptly communicated so as to support effective and timely decision making
- iterative and responsive to business change

2 Policy Standards

2.1 Policy

S1. Risk Management Policy will be defined, documented, implemented and maintained

S2. Risk management policy and the organisation's risk management capability will deliver three organisational service needs:
a. definition of risk management standards and capability (roles, processes, tools and skills)
b. managing and reporting of risk
c. assurance of risk management activities

S3. Group will adopt a Risk Operating Model (ROM) that will meet these service needs. The ROM will comprise of:
a. Risk Policy and Standard
b. Risk Organisation Structure: roles and responsibilities
c. Risk Management Lifecycle: mandated processes, controls, tools, guidance and skills/training
d. Risk Assurance

S4. The ROM will be appropriate and proportionate to the nature of the organisation's risks

S5. The ROM will be regularly reviewed (at least annually) to ensure risk continues to be effectively identified, managed and mitigated.

2.2 Risk Management Priorities

S6. The priority of risk management will be on material risks and their consistent management across the business; focusing on these risks rather than all risks allows more effective use of our people and financial resources.

S7. Material risks are those that present the most significant threat to the business and are defined as those risks that have a residual risk score of major or severe. Material risks will be consistently scored and defined by using a standardised risk scoring system, the Serco Standard Risk Scoring Matrix [1]

[1] See Risk Management GSOP: SMS GSOP RM1-1

S8. Where other Risk scoring systems are required (for example by a customer, regulatory agency or other), material risks will continue to be defined using the Serco Standard Risk Scoring Matrix so they are visible and internally consistent when reported within the business

S9. Business Leaders will ensure that all material risks will have appropriate mitigation actions that are monitored and updated to ensure mitigation is effective

S10. Business Leaders will ensure that material risks will be reported both up and down the organisation, and at each organisational level they will be aggregated to represent the profile of risk at that level

S11. Non-material risks will continue to be monitored until these recede or become material, in which case they will then be reported and managed as a material risk

2.3 Risk Management Lifecycle

S12. The Risk Management Lifecycle, consisting of seven processes, six of which apply to the business with mandated tools and templates, will be used to manage risk effectively and consistently. The seven processes are [2]:
0. Group Risk Planning (solely at Group / Corporate level)
1. Risk Planning
2. Risk Identification
3. Risk Analysis
4. Risk Mitigation
5. Risk Monitoring
6. Risk Reporting

S13. The Divisional Risk Director (for Division) or the Director, Group Risk & Programmes (for Group) will be responsible for and will determine which business activities will implement the full Risk Management Lifecycle

S14. Where the decision has been made to adopt the full Risk Management Lifecycle, all mandated processes, templates and tools within the lifecycle will be applied [3]

S15. The Business Leader will be responsible for both the adoption of the Risk Management Lifecycle and allocation of employees with appropriate risk expertise to deliver the risk management processes

S16. The Divisional Risk Director in consultation with the Director, Group Risk & Programmes will ensure appropriate divisional risk resources are in place based on the nature and occurrence of material risks in the division, and that those performing risk management within the business are trained and competent. The divisional risk management structure will be approved by the Divisional CEO

S17. Business Leaders will ensure that Risk Management is performed at Bid, Contract, Business Unit, Division, Corporate Function and Group organisational levels. Table 1 below shows what is meant by Business Leader at each organisational level. This is not an exhaustive list

Table 1

Organisational Level: Business Leader Role
Group: Group CEO
Corporate Functions: CFO, CIO, COO, Group HR Director, General Counsel, Head of Shared Services etc.
Division: Divisional CEO
Business Unit: BU MD
Contracts: Contract Manager or Director
Bid, Transition, Transformation Programme: Bid Director, Transition Director, Programme Director

[2] Further details of each of the mandated processes in the Risk Management Lifecycle can be found in the Risk Management GSOP: SMS GSOP RM1-1
[3] These are defined in Risk Management GSOP: SMS GSOP RM1-1

S18. Business Leaders will review and report on risk as specified in the table below, with a focus on material risks. Table 2 below shows the risk review and reporting requirements across the organization:

Table 2

Risk Register Group Risk Register Corporate Function Register Division Risk Register Business Unit (BU) Risk Register Contract Reviewed By Group Risk Management Lead Director, Group Risk & Programmes Corporate Function Director Director, Group Risk & Programmes Divisional Executive Management Team (EMT) (including Divisional Risk Director) BU Senior Management Team (SMT) Contract Management Team Approved By Report To Frequency Executive Committee Executive Committee Divisional CEO BU MD CRRC plc Board CRRC COO (in line with Divisional Performance Review (DPR) Director, Group Risk & Programmes Divisional EMT Quarterly Quarterly (as recommended by CRRC) Quarterly Bi-Monthly Quarterly Bi-Monthly Contract Manager BU SMT Bi-Monthly Risk Register Bid or Transition Reviewed By Business Lifecycle Review Team [4] Approved By Report To Frequency Bid, Transition or Transformation Director/ Manager BU SMT Bi-Monthly

S19. Irrespective of reporting cycles, a material risk that the Business Leader (in consultation with their relevant risk experts) determines cannot be mitigated locally is to be immediately escalated to the next management level. The next organisation level up will then own and be responsible for developing and implementing mitigation of the risk

S20. Material risks will be reported using the standard All Key Risks Dashboard in estrim (see estrim User Guide, which can be found within the estrim tool under Documents)

S21. The Group Executive Committee will decide which top ten risks will reside on the Group Risk Register and be reported to both the Corporate Responsibility and Risk Committee (CRRC) and plc Board

S22. Corporate Functions will review their material risks on a quarterly basis and report these to the Director Group Risk & Programmes

S23. Divisions will review their material risks on a bi-monthly basis, discuss them at Divisional Executive Management Team (EMT) meetings and in the Divisional Performance Review (DPR). These will be reported to the Director Group Risk & Programmes each quarter

S24. Business Units will review their material risks on a bi-monthly basis. These will be reported by the Business Unit MD to the Divisional EMT for their review

S25. Contract Managers will review their material risks with their contract management team on a bi-monthly basis, discuss them with the Business Unit MD and SMT on a regular basis, and escalate risks that cannot be mitigated at contract level

S26. Bids and transition programmes will review their material risks at the respective bid or programme reviews with the Business Lifecycle Review Team

[4] See Internal Boards and Committees Group Standard: SMS-GS-G4

2.4 Risk Applied to Business Lifecycle Gates

S27. The relevant Business Leader (e.g. Bid Director) will commence risk management at Gate 1 of the Business Lifecycle [5] whereby the material risks will form part of the qualification decision

S28. Effective use of risk management processes will be reviewed by the Business Leader and material risks will be signed off for accuracy, completeness and progress against plan at all subsequent Business Lifecycle Gates 2-9

S29. The risk register will be a live document, actively managed and handed over through each phase of the business lifecycle through to Gate 9 in order to ensure absolute continuity and consistency of interpretation and the management of risks

S30. Each Gate approval decision will consider:
a. the appropriateness of the risk management processes
b. evidence that appropriate risk identification and analysis has been performed and that it has identified a set of material risks that bring to light the risk threat/exposure to this business activity
c. evidence that material risks are being mitigated appropriately and reported correctly
d. evidence that appropriate decisions relating to risk are being made and that the right subject matter experts have been involved

S31. Where a deficiency in risk management activity is identified it will be reported to the Divisional Risk Director, and to the Director, Group Risks & Programmes where required

2.5 Risk Tools & Risk Registers

S32. All identified risks will be scored and recorded. Material risks will be recorded on the corporate system estrim either directly or through the estrim Upload Tool. The estrim Upload Tool [6]

S33. As agreed with the Divisional Risk Director, bids and contracts with three or less material risks will record these on the Business Unit Risk Register rather than create their own register in estrim

S34. Entry of material risks on estrim should be timely, accurate and complete. The Divisional Risk Director will monitor material risks reported on estrim and request correction of poor quality content

S35. The Divisional Risk Director will ensure registers of material risks will be retained on estrim and, where identified for disposal, disposed of in accordance with Document Retention [7] requirements

2.6 Risk Training

S36. Risk training is a fundamental part of the Risk Operating Model (ROM). The Divisional Risk Director and Director of Group Risk & Programmes will identify people fulfilling the relevant risk management roles who will benefit from risk training. In agreement with the Divisional Chief Executive Officer (CEO) and Group Chief Operating Officer (COO) they will ensure all people in these roles are trained on both this Standard, the Risk Management Group Standard Operating Procedure (GSOP) and the Risk Management Lifecycle using training materials provided by Group Risk & Programmes

S37. Individual competency requirements to undertake risk management and use required tools, such as estrim, will be assessed with training needs identified and delivered

S38. Records will be maintained of individual's training and competency

2.7 Compliance assessment and audit

S39. Risk management systems will be periodically assessed to provide evidence on the levels of risk management controls compliance within the business and to ensure continual strengthening of the risk management controls environment by addressing non-compliance.

S40. Risk management compliance assessments and audits will be completed in accordance with Compliance and Internal Audit requirements [8] via a planned, independent and documented assessment of compliance, effectiveness and adequacy

S41. All actions arising from risk management compliance assessments and audits including changes in procedures will be documented, communicated, followed up and completed

[5] See Bidding Group Standard: SMS-GS-BD1
[6] See estrim Upload Tool: FRM1
[7] See Document Retention GSOP: SMS-GSOP-II1-2
[8] See Compliance Group Standard: SMS-GS-G2 and Internal Audit Group Standard: SMS-GS-G3

3 Responsibilities & Accountabilities

S42. The following responsibilities will apply to the delivery of the defined standards. If these are not completed effectively, the person responsible will be accountable for any consequences [9]

S43. Risk management is delivered through roles in the Group and Divisional risk management function and roles embedded in the business as defined in the ROM

Group

S44. The Serco plc Board and Corporate Responsibility and Risk Committee (CRRC) is responsible for:
a. setting the context regarding risk and organisational risk taking
b. oversight of risk management within the Group
c. oversight of Group level material risks

S45. The Group Executive Management Team is responsible for:
a. reviewing and monitoring the implementation of the ROM
b. reviewing and challenging the Group risk register associated controls and management action plans for completeness, effectiveness and appropriateness
c. considering the findings from internal audit in the context of their impact on risk
d. considering new and changed emerging risks and key control gaps

S46. The Group CEO is responsible for:
a. ensuring the context regarding risk and risk taking is as directed by the CRRC
b. owning Group level material risks
c. the appointment of a Risk Management Lead

S47. The Group COO is responsible for:
a. the development and enforcement of all Serco policies and standards, including this Risk Management Standard
b. the oversight of operational risks that reside on the Group risk register

S48. The Group Risk Management Lead is responsible for:
a. reviewing and maintaining risk management policy and associated ROM
b. ensuring the SMS standard and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage business risks
c. overseeing the activities of the Group risk management function
d. owning the Group level risk register to ensure that its breadth in focus is an appropriate aggregation of all the business risks, and that focus is on the major enterprise level risks
e. ensuring Group level material risks are identified and managed
f. providing oversight and reporting on business risks and the performance of the ROM

S49. The Group Risk Management Lead will establish a Group risk management function the head of which [Director Group Risk and Programmes] will be responsible for:
a. developing risk management policy and associated ROM
b. ensuring risk management standards, processes and controls, tools and risk training are defined, agreed and remain fit for purpose, and that Group has oversight of their implementation in the business
c. defining risk management service needs, standards and capability (roles, processes, tools and skills)
d. ensuring appropriate Group level risk resources (Group Risk Managers) are in place, based on the nature and occurrence of material risks at Group level, development of policy and the ROM and business support required to embed risk management
e. ensuring the risk management function operates globally to support the business, coordinating the activities of Group and divisional risk directors and managers
f. assessing Group risks and developing the Group risk register, the detailed review of Group risks, and managing Group level material risks that impact our strategy
g. ensuring material risks are defined consistently and ensuring focus is on material risk
h. reporting on risk including trend analysis across the divisions and identifying and communicating emerging Group level material risks
i. assuring risk management activities
j. appropriate retention and disposal of Group risk registers on the corporate system estrim

[9] See Consequence Management Group Standard: SMS-GS-G1

Division

S50. The Divisional Chief Executive Officers (CEOs) are responsible for:
a. owning material risks across the division
b. owning Group level material risks that are operational in nature
c. ensuring the bi-monthly review of all material risk at Divisional level
d. monthly reporting obligation including DPR

S51. The Divisional Executive Management Team is responsible for:
a. reviewing and challenging material risks facing the division; associated controls and management actions each quarter
b. considering key current and emerging risks facing the division
c. assessing and agreeing the internal processes for determining and managing key risks

S52. The Divisional CEO in consultation with the Director of Group Risk and Programmes will jointly appoint a divisional risk lead [Divisional Risk Director] who, whilst being part of the Divisional Executive Team, will have a dotted line reporting relationship to the Director of Group Risk and Programmes. Divisional Risk Directors are responsible for:
a. implementing risk policy, ROM, standards, procedures and key controls across the division
b. ensuring procedures and key controls remain fit for purpose and effectively manage business risks
c. reviewing the Divisional risk organizational structure and determining, in agreement with the Divisional CEO, the appropriate structure and roles required for effective risk management
d. ensuring appropriate risk resources [managers and subject matter experts] are in place, based on the nature and occurrence of material risk in the division, to support the division in managing its risks, comply with the ROM and provide competent risk management
e. ensuring those performing risk management are trained and competent to fulfill their roles
f. ensuring risk management is performed by the business reinforcing that ultimately the business is responsible for risk management
g. assessing risks within the division and developing the Divisional risk register
h. determining which Divisional business activities will implement the full Risk Management Lifecycle
i. ensuring material risks are defined consistently and ensuring focus is on material risk
j. oversight of the division's material risks (this may be part of project or contract reviews, through appropriate risk reporting, as a combination of both of these or by other means)
k. providing oversight and reporting on Divisional risks and the performance of the Divisional risk function
l. assuring divisional risk management activities
m. reviewing all Internal Audit and assurance reports produced for their Division to help ensure the necessary improvements

S53. The Divisional Risk Manager where necessary and in agreement with the Divisional CEO:
a. supporting the implementation of the ROM and risk standards, procedures and controls across the division
b. ensuring material risks are defined consistently and ensuring focus is on material risk
c. assessing, reviewing and reporting on material risks faced by the division
d. assuring risk management activities in the division
e. supporting the business in managing its risks

Business Unit

S54. The Business Unit Managing Director is responsible for:
a. complying with risk policy, ROM, standards, procedures and key controls
b. assessing risks within their Business Unit
c. owning material risks in their Business Unit
d. allocating competent resource and ensuring risk responsibilities are clearly defined to enable appropriate risk management and assurance within the Business Unit
e. ensuring material risks are defined consistently and ensuring focus is on material risk
f. ensuring the bi-monthly review of all material risk at Business Unit level and considering emerging risks facing the Business Unit
g. monthly reporting into the DPR process, escalating material risks that cannot be mitigated at the Business Unit level

Contract/Function

S55. Business Leads (Bid Director/Transition and or Transformation Director/Contract Director or Manager/Corporate Function Head) are responsible for:
a. complying with risk policy, ROM, standards, procedures and key controls
b. ensuring risks within their area of responsibility are identified, analysed and managed
c. ensuring appropriate resources i.e. risk experts are of sufficient competence to perform risk management responsibilities
d. ensuring material risks are defined consistently and ensuring focus is on material risk
e. ensuring local controls are in place for providing assurance that risks are being effectively managed
f. bi-monthly review of risks, and regular reporting requirements are met, considering emerging risks and escalating material risks that cannot be mitigated at the contract level

4 Processes and Controls

4.1 Governance processes and controls

Process: A set of related activities that must be carried out to achieve policy outcomes
Controls: The action we put in place to mitigate a risk(s) within a key process and/or the delivery of policy outcomes. These are mandated and are the minimum that should be implemented regardless of any local difference
Responsibility for ensuring controls are in place and operating effectively: Group (S44-S49), Division (S50-S53), Business Unit (S54), Contract/function (S55), All Employees

P1 Risk Responsibilities are defined and understood
  C1 Risk management organisation and roles are in place that meet the organisational service needs and the requirements of this standard
  C2 Risk management responsibilities are clearly defined
  C3 Appropriate and competent risk management resource is deployed

P2 Establish Risk Operating Model
  C4 Risk Operating Model is defined and published through policy, standards and group procedures
  C5 Appropriate risk management processes, controls and tools are defined, developed and published
  C6 The ROM, risk policy, standards, processes, controls, tools and guidance are communicated and implemented

  C7 The ROM, risk policy, standards, processes, controls, tools and guidance are periodically reviewed (at least annually)

P3 Develop competent risk resources
  C8 Risk training requirements are defined, planned and recorded
  C9 Risk training materials are developed and available which reflect the ROM and how risk management is to be managed
  C10 Risk training requirements are periodically reviewed (at least annually) and updated

P4 Risk compliance
  C11 Risk management compliance plan in place
  C12 Risk management compliance and audit reports with action plans to address non conformances
  C13 Agreed actions closed out

4.2 Key processes and controls

P5 Application of risk management priorities
  C14 Serco Standard Scoring Matrix is used to identify material risks

P6 Application of the Risk Management Lifecycle
  C15 Business activities which will apply the full Risk Lifecycle are defined
  C16 Where the full Risk Management Lifecycle is being applied all mandated processes, templates and tools are being used

P7 Risk planning
  C17 An approved Risk Management Plan is in place

P8 Risk identification
  C18 Stakeholders have participated in the risk identification process
  C19 Business Leader has reviewed and approved identified risks

P9 Risk analysis
  C20 Identified risks have inherent, residual and target risk probability and impact assessments
  C21 Risk registers have been reviewed and approved

  C22 Risk Registers are live documents that are reviewed and updated throughout the business lifecycle of a Contract through to Gate 9

P10 Risk mitigation
  C23 Approved controls and plans are in place to manage and mitigate material risks

P11 Risk monitoring
  C24 Approved material risks are entered on estrim
  C25 Data entered on estrim is accurate and complete
  C26 Material risks and mitigating controls and plans are monitored and periodically reviewed and approved

P12 Risk reporting
  C27 Risk reporting and escalation requirements are defined
  C28 Risk reports are timely, accurate and complete

5 Supporting documentation and guidance

The following should be read in conjunction with this standard:

SMS_PS_RM: Risk Management Policy
SMS-GSOP-RM1-1: Risk Management GSOP
SMS_GS-BD1: Bidding Group Standard
SMS-GS-BD2: Transition Group Standard
SMS-GS-O1: Operations Group Standard
SMS-GS-G2: Compliance Group Standard
SMS-GS-G3: Internal Audit Group Standard
SMS GSOP II1-2: Document Retention GSOP
FRM1: estrim Upload Tool

6 Definitions

Accountability: Being accountable means being not only responsible for something but also answerable for your actions.

Responsibility: A responsible person is the individual who completes the task required. Responsibility can be shared and delegated. All responsible persons will also be accountable for completing tasks effectively. Non-compliance will have consequences which may include disciplinary action as defined within the Consequence Management Group Standard.

Group: Serco Group plc is the administrative centre of the organisation, responsible for setting corporate strategy, defining governance requirements and supporting the business in its day to day operations.

Division: The Group will define a set of business divisions which will be responsible for business delivery within a defined set of markets or geographies.

Business Unit: A Business Unit is a cluster of contracts which provide a similar service e.g. Health, Defence, Transport etc. Where appropriate, a separate legal entity wholly owned or where Serco has a controlling share may also be referred to as a Business Unit. This may also refer to Counties/Territories.

Contract: A Contract provides specified requirements to a customer (either directly with Serco or to a consortium/joint Venture in which Serco is a party). A Contract will also refer to a corporate/functional area. Corporate/functional areas are functions which support the business and they include finance, HR, procurement etc.

Organisation: Organisation refers to a site, Contract, Business Unit and Division.

Contract Manager: This refers to a manager with responsibility for managing the performance of a contract and can include a Contract Manager on a day-to-day basis (or Operational Manager with devolved responsibility), a Contract Director, Partnership Director and/or a Business Unit Managing Director.

Corporate Responsibility & Risk Committee (CRRC): Is a sub-committee of the plc Board responsible for the oversight of corporate responsibility and risk across the business. The committee meets each quarter.

Director, Group Risk & Programmes: The Director of the Group Risk & Programmes Function, assigned by the Risk Management Lead.

Divisional Risk Director: The identified and responsible Risk Management lead for each Division within Serco.

Emerging Risk: An emerging risk is a newly developing or changing risk which is difficult to quantify and which may have a major impact on Serco. It needs to be highlighted and further investigated due to the potential impact on the business.

estrim: estrim is Serco's electronic software tool for risk management and has been developed to support the Serco risk management process.

estrim upload tool: The estrim upload tool aligns with estrim to provide risk process leads that are not directly accessing estrim, a risk register tool with standardised minimum mandatory fields that can subsequently be uploaded. This ensures that we have standardised risk registers for business activities where estrim is not used and all risk data is contained in our corporate risk repository.

Group Risk & Programmes Function: Centre of excellence for risk management through leadership and oversight. Sets the overall risk management strategy and risk policy across Serco globally and works with the Divisional Risk Directors to support risk management implementation.

Impact: Impact is the effect of a risk, should it occur. This effect is generally measured in terms of quality, cost and/or time.

Material Risk: Material risks are those that are the most significant threat and as a business we have to manage very effectively. Using the Serco standard risk scoring matrix, material risks are those residual risks that score above 20, in category 1 or 2, red or orange. When using estrim or the estrim upload tool the tool will automatically define risks scoring as material.

Risk: Risk is defined as an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives. An upside source of risk is termed as an opportunity (+ve risk) while a downside source of risk is viewed as a threat (-ve risk).

Risk Escalation: Risk escalation is an essential management activity that ensures risks which cannot be resolved by the management teams at one level are elevated to the next level where they can be effectively assessed and managed.

Risk Management Lifecycle: A set of processes and their expected application, providing detailed procedures that help the business implement and integrate risk into operations.

Risk Management Plan: The Risk Management Plan defines how activity-related risks will be identified, analysed, and managed. The Risk Management Plan contributes to the achievement of business activity objectives as it outlines how risk management will be performed, recorded, and monitored throughout the lifecycle of the business activity using Serco Group provided tools and templates for recording and prioritising risks.

Risk Management Training: A training regime to enhance risk awareness, embed risk culture and improve understanding of Serco's risk management approach. Conducted via face to face training sessions, WebEx sessions and CBTs (Computer Based Trainings).

Risk Register: Record of information about identified risks. The term risk log is sometimes used instead of risk register but Serco prefer the use of the term Risk Register. The register can sometimes be part of a Risk, Assumptions, Issues and Dependencies (RAID) Log.

Serco Management System (SMS): The SMS is the Group's management framework which describes how we do business. It defines the rules which govern the way we operate, deliver our strategy and the way we behave.

Serco Standard Risk Scoring Matrix: Risk scores are a function of the risk's probability and impact. A standard Serco formula is applied via use of the Serco Standard Risk Scoring Matrix; this scores risks on a numeric basis and enables an associated red, amber and green status to be applied.
7 Further information and support

If you require any further information or support regarding this Group Standard, or if you have any suggestions for improvement, please contact the Accountable Policy Owner (Group) or sms@serco.com

Compliance. Group Standard

Compliance. Group Standard Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public

More information

Consequence Management

Consequence Management Group Standard Consequence Management Serco is committed to creating an open and transparent environment, where good behaviour is rewarded and where employees feel safe in the knowledge that poor behaviour

More information

Business Continuity & Crisis Management

Business Continuity & Crisis Management Group Standard Business Continuity & Crisis Management The need to plan and respond effectively is critical to the successful management of any crisis situation. Business Continuity Management is the holistic

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

Reputation, Brand & Communications

Reputation, Brand & Communications Group Standard Reputation, Brand & Communications Serco is committed to building a positive reputation with its stakeholders, wherever we operate SMS-GS-BC4 Reputation, Brand and Communication December

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

Procurement & Supply Chain

Procurement & Supply Chain Group Standard Procurement & Supply Chain An effective procurement and supply chain is a critical success factor in driving competitive advantage for Serco and driving benefits for our customers SMS GS-PSC1

More information

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer RISK MANAGEMENT FRAMEWORK 1 SUMMARY The Risk Management Framework consists of the following: Risk Management policy Risk Management strategy Risk Management accountability Risk Management framework structure.

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

How To Manage Risk At Atb Financial

How To Manage Risk At Atb Financial Guidelines for Financial Institutions Legislative Compliance Management (LCM) Date: July 2004 Introduction Regulatory risk is the risk of non-compliance with applicable regulatory requirements. For the

More information

RISK MANAGEMENT STRATEGY 2014-17

RISK MANAGEMENT STRATEGY 2014-17 RISK MANAGEMENT STRATEGY 2014-17 DOCUMENT NO: Lead author/initiator(s): Contact email address: Developed by: Approved by: DN128 Head of Quality Performance Julia.sirett@ccs.nhs.uk Quality Performance Team

More information

Bridgend County Borough Council. Corporate Risk Management Policy

Bridgend County Borough Council. Corporate Risk Management Policy Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk

More information

Governance, Risk and Compliance Charter

Governance, Risk and Compliance Charter Governance, Risk and Compliance Charter Charter Owner Director GRC Charter Approver Board of Management Effective date November 15 th, 2013 Date of issue Version Name Title 15 Nov 2013 1.0 Fokko Kool Group

More information

Framework for an Aviation Security Management System (SeMS)

Framework for an Aviation Security Management System (SeMS) Framework for an Aviation Security Management System (SeMS) CAP 1223 Civil Aviation Authority 2014 All rights reserved. Copies of this publication may be reproduced for personal use, or for use within

More information

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS IN FIJI

Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS IN FIJI Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 NOTICE TO INSURANCE COMPANIES LICENSED UNDER THE INSURANCE ACT 1998 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS

More information

The anglo american Safety way. Safety Management System Standards

The anglo american Safety way. Safety Management System Standards The anglo american Safety way Safety Management System Standards 2 The Anglo American Safety Way CONTENTS Introduction 04 Anglo American Safety Framework 05 Safety in anglo american 06 Monitoring and review

More information

Preparation of a Rail Safety Management System Guideline

Preparation of a Rail Safety Management System Guideline Preparation of a Rail Safety Management System Guideline Page 1 of 99 Version History Version No. Approved by Date approved Review date 1 By 20 January 2014 Guideline for Preparation of a Safety Management

More information

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

A Guide to Corporate Governance for QFC Authorised Firms

A Guide to Corporate Governance for QFC Authorised Firms A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide

More information

Principles for An. Effective Risk Appetite Framework

Principles for An. Effective Risk Appetite Framework Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014 WOOLWORTHS HOLDINGS LIMITED CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 This table is a useful reference to each of the King III principles

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Notion VTec Berhad (Company No. 637546-D) Board Charter

Notion VTec Berhad (Company No. 637546-D) Board Charter 1. Introduction In achieving the objectives of transparency, accountability and effective performance for Notion VTec Berhad ( Notion or the Company ) and its subsidiaries ( the Group ), the enhancement

More information

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM)) Guideline Subject: Category: (RCM) (formerly Legislative Compliance Management (LCM)) Sound Business & Financial Practices No: E-13 Date: November 2014 I. Purpose and Scope of the Guideline The purpose

More information

IT Services Risk Management Strategy

IT Services Risk Management Strategy Prepared by: DOCUMENT CONTROL Change Control Table Version Amendment Description Release Date 1.00 Initial Draft Reviewed by DIB 16.01.14 Updated by 1.00 Approved by IT Lead

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting Guidance Corporate Governance Financial Reporting Council September 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting The FRC is responsible for promoting

More information

Revised May 2007. Corporate Governance Guideline

Revised May 2007. Corporate Governance Guideline Revised May 2007 Corporate Governance Guideline Table of Contents 1. INTRODUCTION 1 2. PURPOSES OF GUIDELINE 1 3. APPLICATION AND SCOPE 2 4. DEFINITIONS OF KEY TERMS 2 5. FRAMEWORK USED BY CENTRAL BANK

More information

IT Governance Charter

IT Governance Charter Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms

More information

Risk Management Committee Charter

Risk Management Committee Charter Ramsay Health Care Limited ACN 001 288 768 Risk Management Committee Charter Approved by the Board of Ramsay Health Care Limited on 29 September 2015 Ramsay Health Care Limited ABN 57 001 288 768 Risk

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

Information Commissioner's Office

Information Commissioner's Office Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:

More information

Capital Requirements Directive Pillar 3 Disclosure. December 2015

Capital Requirements Directive Pillar 3 Disclosure. December 2015 Capital Requirements Directive Pillar 3 Disclosure December 2015 1. Background The purpose of this document is to outline the Pillar 3 disclosures for BlueBay Asset Management LLP ( BlueBay ). BlueBay

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers Appendix 1 RISK MANAGEMENT POLICY AND STRATEGY Document Status: Draft Originator: A Struthers Updated: A Struthers Owner: Executive Director Corporate Services Version: 01.01.03 Date: 30/3/14 Approved

More information

Association for Project Management Business Management System

Association for Project Management Business Management System Association for Project Management Business Management System December 2012 2 Association for Project Management About APM Formed in 1972, the Association for Project Management (APM) is committed to developing

More information

Charter of the Audit Committee of the Board of Directors

Charter of the Audit Committee of the Board of Directors Charter of the Audit Committee of the Board of Directors Dated as of April 27, 2015 1. Purpose The Audit Committee is a committee of the Board of Directors (the Board ) of Yamana Gold Inc. (the Company

More information

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee Audit Committee Dear Shareholder, We are satisfied that the business has maintained robust risk management and internal controls, supported by strong overall governance processes, and that management have

More information

Risk Management Strategy & Implementation Plan 2014 2016

Risk Management Strategy & Implementation Plan 2014 2016 St George s Healthcare NHS Trust: the next decade Risk Management Strategy & Implementation Plan 2014 2016 DRAFT VERSION 6.0 UPDATED 19.11.14 Executive summary We know, from external assurances received

More information

APES 320 Quality Control for Firms

APES 320 Quality Control for Firms APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Compliance Management Framework. Managing Compliance at the University

Compliance Management Framework. Managing Compliance at the University Compliance Management Framework Managing Compliance at the University Risk and Compliance Office Effective from 07-10-2014 Contents 1 Compliance Management Framework... 2 1.1 Purpose of the Compliance

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT Approved by the Audit Committee on 14 February 2003 and adopted by resolution of the Board on 28 March 2003 Revisions approved by the Audit and Risk Committee on 14 February

More information

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY Page 1 CONTENTS 1. Foreword by the Mayor... 3 2. Background... 4 2.1 Introduction... 4 2.2 Overall purpose of the Enterprise Risk Management

More information

ING Group Compliance Risk Management Charter and Framework

ING Group Compliance Risk Management Charter and Framework ING Group Compliance Risk Management Charter and Framework Corporate Compliance Risk Management ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK Information sheet Target audience: All employees

More information

Published by the National Regulatory System for Community Housing Directorate. Document Identification: 003-04-13/NRSD. Publication date: January 2014

Published by the National Regulatory System for Community Housing Directorate. Document Identification: 003-04-13/NRSD. Publication date: January 2014 Evidence guidelines Published by the National Regulatory System for Community Housing Directorate. Document Identification: 003-04-13/NRSD Publication date: January 2014 Supported by the Commonwealth Government

More information

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS 1.0 Introduction 1.1 Good corporate governance practice improves safety and soundness through effective risk management and creates the ability to execute

More information

INTEGRATED SILICON SOLUTION, INC. CORPORATE GOVERNANCE PRINCIPLES. Effective January 9, 2015

INTEGRATED SILICON SOLUTION, INC. CORPORATE GOVERNANCE PRINCIPLES. Effective January 9, 2015 INTEGRATED SILICON SOLUTION, INC. CORPORATE GOVERNANCE PRINCIPLES Effective January 9, 2015 These principles have been adopted by the Board of Directors (the "Board") of Integrated Silicon Solution, Inc.

More information

The Role of Compliance and Supervision. Rules Notice Guidance Note Dealer Member Rules. Introduction

The Role of Compliance and Supervision. Rules Notice Guidance Note Dealer Member Rules. Introduction Rules Notice Guidance Note Dealer Member Rules Please distribute internally to: Corporate Finance Credit Institutional Internal Audit Legal and Compliance Operations Registration Regulatory Accounting

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution 1. The Challenge Large enterprises are experiencing an ever increasing burden of regulation and legislation against which they

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

More information

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document.

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document. 2 of 34 Revision Summary Revision Number Date Description of Revisions Initial issue of the document. Table of Contents Item Description Page 1. Introduction and Purpose... 5 2. Project Management Approach...

More information

Project Risk Analysis toolkit

Project Risk Analysis toolkit Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,

More information

Aegon Global Compliance

Aegon Global Compliance Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group

More information

Integrated Assurance & Approval Strategy and Integrated Assurance & Approval Plans

Integrated Assurance & Approval Strategy and Integrated Assurance & Approval Plans Integrated Assurance & Approval Strategy and Integrated Assurance & Approval Plans A guide to implementing integrated assurance and approvals Version 1.0 - May 2011 Contents Introduction 03 Integrated

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

PM Governance. Executive Team ADCA ADCA

PM Governance. Executive Team ADCA ADCA Item 6.5a Action Plan against the Recommendations Made in the Review of Risk Management Arrangements by PM Governance, November 2014 Key: PM Governance Paul Moore, Risk Consultant ADCA Associate Director

More information

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference Chair An Independent Non-Executive Director In the absence of the Committee Chairman and an appointed

More information

Corporate Governance Statement

Corporate Governance Statement Corporate Governance Statement The Board of Directors of APN Outdoor Group Limited (APO) is responsible for the overall corporate governance of APO, including establishing the corporate governance framework

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

Derbyshire Trading Standards Service Quality Manual

Derbyshire Trading Standards Service Quality Manual Derbyshire Trading Standards Service Quality Manual This Quality Manual has been developed to give a broad outline of how the Trading Standards Division s range of services comply with the requirements

More information

Policy (Board Approved)

Policy (Board Approved) Policy (Board Approved) Compliance and Regulatory Management Document Number GOV-POL-20 1.0 Policy Statement Stanwell Corporation Limited (Stanwell) is a Queensland company Government Owned corporation.

More information

Corporate governance statement

Corporate governance statement Corporate governance statement Compliance with the UK Corporate Governance Code In the period to 30 March 2013, as detailed below and in the risk and risk management report and the remuneration report

More information

Basel Committee on Banking Supervision. Review of the Principles for the Sound Management of Operational Risk

Basel Committee on Banking Supervision. Review of the Principles for the Sound Management of Operational Risk Basel Committee on Banking Supervision Review of the Principles for the Sound Management of Operational Risk 6 October 2014 This publication is available on the BIS website (www.bis.org). Bank for International

More information

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

Capital Adequacy: Advanced Measurement Approaches to Operational Risk Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements

More information

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University

Senate. SEN15-P17 11 March 2015. Paper Title: Enhancing Information Governance at Loughborough University SEN15-P17 11 March 2015 Senate Paper Title: Enhancing Information Governance at Loughborough University Author: Information Technology & Governance Committee 1. Specific Decision Required by Committee

More information

How To Ensure That Sovini Is A Successful Business

How To Ensure That Sovini Is A Successful Business Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

Risk Management Within an Organisation

Risk Management Within an Organisation COUNTY DURHAM AND DARLINGTON FIRE AND RESCUE SERVICE Administration and General Order No. AD/1/TBC CORPORATE RISK MANGEMENT POLICY 1. INTRODUCTION 1.1 County Durham and Darlington Combined Fire Authority

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

CONTROLLED DOCUMENT. Traffic Management Policy

CONTROLLED DOCUMENT. Traffic Management Policy CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Number: Document Version Number: 1 Controlled Sponsor: Controlled Lead: Approved By: On: Document Document Policy Governance To set out

More information

engage ERM ADVISORY Insurer Management Risk Committee Practices

engage ERM ADVISORY Insurer Management Risk Committee Practices 2012 There are three major organizational steps that insurers with significant Enterprise Risk Management programs usually consider: the

Information Governance Strategy & Policy

Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council's Mission... 3 1.2 Council's Values...

KING III COMPLIANCE REGISTER 2015

KING COMPLIANCE REGISTER 2015 Partially Not 1.1 The Board should provide effective leadership based on an ethical foundation. Mr Paul Jenkins is currently the executive chairman of MNY. He is a well respected

Board of Directors and Management Oversight

Board of Directors and Management Oversight Examination Procedures Examiners should request/ review records, discuss issues and questions with senior management. With respect to board and senior management

Paper J WEST LEICESTERSHIRE CLINICAL COMMISSIONING GROUP BOARD MEETING. 10 February 2015. Governance How we manage our business

Paper J WEST LEICESTERSHIRE CLINICAL COMMISSIONING GROUP BOARD MEETING 10 February 2015 Title of the report: Section: Report by: Presented by: Risk Management Strategy & Policy Governance How we manage

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

20th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal

Annual Governance Statement 2013/14

31 Annual Governance Statement 2013/14 1. SCOPE OF RESPONSIBILITY ESPO is responsible for ensuring that its business is conducted in accordance with the law and proper standards, and that public money

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52

IT Governance. What is it and how to audit it. 21 April 2009

What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM September 2011 OUR HEALTH, SAFETY AND ENVIRONMENT POLICY OUR PRINCIPLE OF DUE CARE We care about the wellbeing of our people and our impact on the environment.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

What Every Director. How to get the most from your internal audit. Endorsed by

What Every Director Should Know How to get the most from your internal audit Endorsed by Foreword This is the second edition of our flagship governance guide What every director should know. Since we published

Policy Document Control Page

Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

SAI GLOBAL LIMITED Risk Management Policy

SAI GLOBAL LIMITED Risk Management Policy SAI Global Ltd ABN 67050611642 Last Updated: February 2012 Contents 1. Risk Management... 3 2. Policy... 3 3. Risk Management Philosophy... 3 4. Risk Appetite...

Audit and Performance Committee Report

Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City

AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER

MASTERMYNE GROUP LIMITED AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER Purpose of Charter 1. The Audit and Risk Management Committee Charter (Charter) governs the operations of the Audit and Risk Management

Project organisation and establishing a programme management office

PROJECT ADVISORY Project organisation and establishing a programme office Leadership Series 1 kpmg.com/nz About the Leadership Series KPMG's Leadership Series is targeted towards owners of major capital