Risk Management Framework

4 November 2013
Performance and Resources Board

15 To consider

Risk Management Framework

Issue

1 To consider a draft revised Risk Management Framework as requested by Council at its meeting on 7 February The Framework will be discussed by the Audit and Risk Committee at its meeting on 6 November 2013, and then considered for approval by Council on 10 December

Recommendations

2 The Performance and Resources Board is asked to:

a consider the draft revised Risk Management Framework, at Annex A

b endorse the basic principle of a Risk Summary tool (at Annex B), which was commissioned by the Audit and Risk Committee as a means of displaying our high-level risk profile, and to note that this will be further developed in line with the emerging Corporate Strategy.

2 Risk Management Framework Issue Revising the Risk Management Framework 3 At its meeting on 7 February 2013, Council asked the Audit and Risk Committee to oversee a review of the Risk Management Framework. This review was necessary because: a the Framework had not been substantively reviewed since 2009, and there had been improvements made to internal practice since then b the Framework needed to incorporate outstanding improvement actions identified in recent internal audit recommendations c there would be a clear benefit in this work as it would provide members with the chance to reflect, as a newly formed Audit and Risk Committee, on a range of issues linked to risk management d other changes to our governance structure, such as the role of the Performance and Resources Board, also needed to be reflected in the Framework. 4 The Audit and Risk Committee considered the project at its meeting on 30 April 2013 and agreed that this should be taken forward with external support and expertise. The Audit and Risk Committee was asked to report back to Council with a draft Framework for approval by the end of The exercise of revision and approval offers the opportunity to re-assert the value of the Framework in driving good risk practice and performance management within the organisation. 6 The revised Risk Management Framework: a reflects the outcomes of the review, overseen by the Audit and Risk Committee. It was driven by opinion expressed by our business champions and by Council members, and by a comparison of good practice from other regulators and review of internal risk process b updates roles and responsibilities for risk management to reflect recent changes to our governance, for example inclusion of the Performance and Resources Board, within the monitoring and decision making process around risk c removes inconsistency and gaps in the existing Framework highlighted in recent audits and resulting from improvements to internal practice made 2

3 since the publication of the previous version in 2009, for example, the provision of a clear process for the escalation of risk d Following approval of our revised Risk Management Framework by Council, we will begin its roll out and embedding within our work, including training relevant staff. We will undertake internal communication activity to ensure that the changes to the framework are well understood by our staff. Our Review 7 Initial engagement with the Business Champions helped us identify their perceptions of the strengths and weaknesses of the existing Framework. A record of outstanding actions from recent risk audits was considered, and external support from PA Consulting was commissioned. 8 A seminar on risk management for members of the Audit and Risk Committee and other interested Council members was held on 5 September The objectives of the session were to: a ensure a consistent understanding of the current Framework b share understanding of the different models of risk management c discuss the main risks facing the GMC which the Audit and Risk Committee would like to consider d agree the themes to be taken forward in the review e confirm the next steps. 9 The seminar also included a presentation on alternative models for risk management, together with innovative methods for reviewing key risks, as used by several UK regulators from other sectors. This generated Audit and Risk Committee interest in designing a Risk Summary tool to support discussion on corporate risks; a straw man for which is presented at Annex B. 10 Further work to support the review included: a assessment of where our current practice may have moved on from that outlined in the current Framework b a line by line review of the Framework by both PA Consulting and the Intelligence Unit c views on good practice by PA Consulting. 3

4 11 These recommendations were circulated to Audit and Risk Committee members. A draft Framework was then developed and refined in consultation with the Business Champions and the Head of Consultancy and Review Service. Revisions made to the Framework 12 Whilst substantial updating of the document was required, the existing Framework was fundamentally sound in approach and principle. 13 The draft revised Framework is at Annex A, and features the following substantive changes: a Introduction - a short Purpose section is included, some definitions have been added, and we have emphasised the importance of embedding risk management in our organisational culture. b Policy Principles - we are adding two new principles that, firstly, advocate clear ownership for each risk, and secondly ensure risk review and mitigation is an active process which is considered as part of our everyday work. c Risk Management Overview this section has been added, to replace the previous Planning & risk section. It provides a clear view of risk management through all levels of our organisation and provides guidance for staff in framing their thinking about risk. d Roles and Responsibilities updated largely to reflect changes in our governance structure. We are now including the role of the Performance and Resources Board in the monitoring, discussion and approval of risk. The responsibilities of individual risk owners and of all staff have also been emphasised. e Risk Management Methodology We have provided clearer guidance on how to assess both the impact of the risk to us as an organisation and the likelihood of it occurring. We have also stressed the importance of clear definition of risks, and discussed the roles of the Performance and Resources Board, Audit and Risk Committee and Council. f Throughout the Framework we have highlighted the importance of ownership of risk, raising awareness and taking action. 
14 We are encouraging the use of evidence in our identification, assessment and mitigation of risk to take advantage of our research programme, continuing insight received through engagement with stakeholders and the increasing sophistication of our understanding of the regulatory environment. 15 We are communicating the importance of connecting risk management with delivery of our new Corporate Strategy

5 Supporting information How this issue relates to the corporate strategy and business plan 16 Risk management forms an essential part of our corporate and planning processes by ensuring our activity is based on a sound risk assessment. Our local risk register forms part of our Operational Plan. The framework helps manage threats and opportunities effectively thereby creating an environment where surprises are minimised and projects managed effectively. Other relevant background information 17 Risk management forms a central part of our internal control and corporate governance. A good framework enables the Council and the executive to communicate effectively about the risks to the delivery of our aims and objectives at strategic and operational levels How the action will be evaluated 18 The Corporate Risk Register, created using the Risk Management Framework guidance, will be reviewed at the Audit and Risk Committee twice a year. If you have any questions about this paper please contact: Paul Chase, Planning and Reporting Manager,

6 15 Risk Management Framework Annex A Draft Risk Management Framework A1

Contents

Purpose
Introduction
Policy principles
Risk management overview
Roles and responsibilities
Risk management methodology and guidance
o Risk identification
o Risk assessment
o Risk mitigation
o Risk evaluation
o Risk monitoring and assurance
Annex A Risk glossary
Annex B Business champions
Annex C Version Control Log

Purpose

1 This document sets out our approach to risk management, defines roles and responsibilities, and provides you with guidance on identifying and managing risks. A risk may represent a hazard to our work but it can also present a positive opportunity for action. This framework applies to the entirety of the GMC, including the MPTS. References to Directors should be read as including the MPTS Tribunal Clerk.

Introduction

2 A risk is defined as the possibility of an event that could affect the achievement of objectives. For the GMC this ultimately means events that could affect fulfilment of the organisation's statutory purpose: To protect, promote and maintain the health and safety of the public by ensuring proper standards in the practice of medicine.

3 Effective risk management should be embedded in our culture and everyday business, and should not be seen as a separate process outside the normal responsibilities of line management.

4 Risk management is a central part of our internal control and corporate governance arrangements. A good risk management framework enables consistency of approach and a shared view throughout the organisation on the risks to our aims and objectives at strategic and operational levels.

5 The risk management process supports the delivery of the GMC corporate strategy, and is an important part of our business planning processes. It requires us to identify and manage threats and opportunities effectively, creating an environment which minimises unexpected events or surprises.

6 Through our risk registers we classify each risk and identify planned courses of mitigating action to reduce both the impact and also the likelihood of the risk occurring. Both corporate and local risk registers, along with our Performance Review of operational plan delivery, are made available to staff in a central resource, in order to engage them in the day-to-day management of corporate and local risk.

7 We have a Business Continuity Plan which details our immediate response, in the event of an incident, to enable us to deliver an agreed level of key services to stakeholders. A Pandemic Plan is also in place.

8 As a registered charity, we are required under the Charities (Accounts and Reports) Regulations 2005 ("the 2005 Regulations" - SI No.572) to produce an Annual Report. This must contain a statement in which we confirm that our trustees have given consideration to the major risks to which the charity is exposed, and that systems and procedures have been established within our Risk Management Framework in order to manage those risks.

Policy principles

9 Our policy on risk management can be summarised in the following eight principles:

a. Encourage well-managed risk-taking to deliver business objectives.

b. Identify and prioritise risk by using effective risk management methodology.

c. Embed risk management in the day-to-day business.

d. Ensure risk review and mitigation is an active process which is considered as part of our everyday work.

e. Require the ownership of risks and their corresponding actions.

f. Regularly monitor risks at Chief Executive, Chief Operating Officer and Director level.

g. Achieve continuous improvement in risk management.

h. Meet the requirements of the Charities Statement of Recommended Practice (SORP)

Risk management overview

10 Consideration and mitigation of risk is embedded at both local and corporate levels. All staff are responsible for identifying and raising awareness of risk and ensuring that risk owners are identified to take any required mitigating action. Three questions help to initiate this:

a. What are the nature and the scale of the risk to the GMC?

b. Who needs to be aware of this risk?

c. Who needs to initiate the appropriate response actions?

11 At a corporate level, Council, Audit and Risk Committee and our Boards provide strong governance through review and challenge to risk.

Figure 1: Risk management and communication throughout the organisation

12 At the local level risk management is driven by:

a. Our annual Business Plan which is framed in the context of our Corporate Strategy, and outlines priorities and how they will be achieved. Dynamic Operational Plans communicate activity.

b. Local risk registers, embedded in our Operational Plans, form an essential part of each directorate's assessment of risk as they develop and monitor activity. They are owned and agreed by Directors, and are updated and monitored as part of performance monitoring.

c. In line with best practice, directorates undertake robust risk assessment for major project and programme activity, with clear responsibilities for monitoring, decision and reporting.

d. On-going identification and management by staff of concerns arising in their operational areas.

13 Directors take responsibility for the management of risk at a local level, receiving regular risk monitoring through their Business Champion (identified in Annex B). This responsibility includes the escalation of risk between a local register and a Corporate Risk Register.

14 Directors collectively own and compile the Corporate Risk Register which is an aggregation of risks escalated from local level, plus cross-cutting risks. It is held centrally by the Strategy and Communication directorate who present a combined bimonthly review of operational plan delivery and risk status to the Performance and Resources Board.

11 15 The Performance and Resources Board is where Directors consider the Corporate Risk register, approving, removing or amending risks. Escalation to the Corporate Risk Register should be driven by: a. An increase in the impact or likelihood of a threat to delivery of the planned activity and/or strategic priorities. b. Where early awareness or discussion of emerging risk by the executive would be beneficial. c. The need to identify increased mitigation especially if executive support and approval is required. 16 The Medical Practitioners Tribunal Service manages its local risks, maintaining a risk register, and escalates risks where appropriate to the Executive level where they are managed alongside all GMC corporate risks. The MPTS Risk Register is reviewed at the quarterly meetings of the GMC/MPTS Liaison Group. 17 Council and the Audit and Risk Committee each receive a full risk review twice a year facilitating an informed discussion and understanding of risk. This includes a full summary of the contemporary Corporate Risk Register, complete with insight into key areas for discussion. An example of this is presented in Annex C. This promotes assurance that the organisation is capable of fulfilling its purpose and strategic priorities. 18 It is imperative to view any risk register as the means to manage risk, rather than the object of the risk management process itself. They are to be used as an objective, evidence-based tool to assist managers organise their understanding of their risk environment and to capture how we have responded to risks. Roles and responsibilities 19 The table below summarises organisational and individual responsibilities for both the operation and monitoring of the risk management process. Council Members (Trustees) Audit and Risk Committee Responsibilities Ultimate responsibility for all risk facing the organisation. Delegated authority for overseeing risk management arrangements on behalf of the Council. 
Provide assurance to Actions Reviewing the GMC s risk profile within the Corporate Risk Register. Holding the Executive to account, providing challenge, requesting information, or seeking assurance on risks and the appropriateness/ effectiveness of mitigating action. Guidance on appropriate risk appetite. Approval of changes to the Framework. Obtaining assurance on risk management arrangements from internal auditors and senior management. Reviewing and approving the risk A6

12 Performance & Resources Board Directors, Chief Operating Officer, Chief Executive and the MPTS Tribunal Clerk Business Champions Individual risk owners Council on the adequacy and effectiveness of our risk management processes. Oversee the implementation of recommendations, and ensuring continuous improvement. Ownership and responsibility for the risks on the Corporate Risk Register. Ensuring risk management is embedded in the culture and everyday business. Ensuring that each risk has a specific owner, responsible for the corresponding mitigating Reviewing and reporting on risks to Council and other components of the governance model. Identifying and evaluating risks against operational performance, Business Plan activity or Corporate Strategy priorities. Implementing the Risk Management Framework. Responsible for assisting directors to co-ordinate risk management at a local level. Responsible for the identification, assessment and ownership (where appropriate) of individual risks together with ensuring appropriate mitigating actions are taken. Monitoring and reporting any management statement in the Annual Report and Accounts. Review of the Corporate Risk Register. Obtain assurance as to the effective management of risks. Oversight to ensure a fit for purpose Risk Management Framework. Regular review of the Corporate Risk Register and risk therein, to ensure their continued relevancy, and consider proposed escalations. Challenging and identifying risks in the course of meetings and discussions. Ensure both local and the Corporate Risk Registers are up to date, relevant and comprehensive. Ensure that Council and Committee papers provide insightful commentary on contemporary risks and mitigation. Regularly review all risks on their local risk register and assisting Directors with consideration of risks for escalation to the Corporate Risk Register. Acting as a local point of information, knowledge and expertise for staff on the Risk Management Framework. 
Support the risk assessment of new activity during annual business and operational planning. Development of appropriate management information. Initiating mitigating actions and maintaining progress on these actions. Regular review of risks to assess status of impact, likelihood and the effectiveness/progress of mitigating actions. Exercising judgement on the A7

All staff Strategy & Communication Directorate GMC/MPTS Liaison Group change in the status. Responsible for identifying, assessing and raising awareness of risk. Supporting directors in the production and review of the Corporate Risk Register. Providing guidance and advice on all aspects of our corporate risk management arrangements. Co-ordinating of risk assessment as part of annual business and operational planning The purpose of the Liaison Group is to establish an effective working relationship between the MPTS and the functions of the GMC with which it will interact appropriate level of awareness and escalation of each risk. Communication and explanation of their risks to line management and Directors. Identifying risks and concerns against the objectives for which they are responsible, raising awareness and escalating where appropriate. Prompting regular updates of the local registers and the Corporate Risk Register. Reporting changes in risk status as part of the regular management reporting to the Chief Executive and directors. Continually reviewing internal and external events and scanning for changes in the business and political environment to identify risks to the organisation. To work collaboratively to manage corporate risks and issues

Risk Management Methodology and Guidance

20 Risk is not the responsibility of a few specialists, but rather of all staff. It must be seen as an essential part of primary management responsibility, and a process which is embedded within all policy formulation and in colleagues' decision making in day-to-day delivery. A glossary of terms is provided at Annex A.

21 The methodology is underpinned by five key stages:

a. Risk identification.

b. Risk assessment.

c. Risk mitigation.

d. Risk evaluation.

e. Risk monitoring and assurance.

Figure 2: The GMC risk management methodology

Risk identification

22 Risk identification is about asking what can happen to hamper delivery of our business objectives and how might it happen?

23 Best practice is to develop and make available insightful sources that support staff in their identification of potential risk such as our Research Programme, meetings with stakeholders, and policy and strategy development tools. Intelligent environmental assessment, including regular horizon scanning, forms part of our ongoing insight work.

24 Risks should be recorded in a clear and precise way that describes the event and its root cause, thereby enabling effective mitigation, assessment and audit.

25 The impact of a risk on other activities and teams, and on the GMC's external partners, should be described. Where a risk involves external partners working with the GMC in mitigation, the risk description should be clear on the perimeters of the GMC's responsibility.

26 Good practice recommends that identification involves considering risks to:

a. Achievement of strategic priorities and/or our core purpose. For example, this might include risk originating from legislative or regulatory change, which might impact our ability to review doctors' fitness to practise.

b. Achieving operational objectives, for example, delivering a new standard for doctors.

c. Operational health, for example, financial shock or ability to recruit staff.

27 When scoping a risk for inclusion in a Corporate Risk Register, risks should be identified as being one of the following categories which help signify their nature:

a. Reputational.

b. Policy.

c. Operational.

d. Strategic/Political.

28 For each risk identified a risk owner should be assigned. The owner is responsible for overseeing the management of that risk and periodically reporting on its status.

Risk assessment

29 The risk assessment process should drive a clear and decisive consideration of the severity of impact and its likelihood, which supports risk prioritisation and in turn specific risk controls and allocation of resources.

30 Our Risk Assessment Matrix enables risk owners to record and communicate their risks, and these risks should be derived from an evidence-based assessment in order to make a clear and objective recommendation. This assessment is also essential in understanding risk escalation. Consideration of the expected timeframe of the event is also important.

Figure 3: Risk Assessment Matrix

LIKELIHOOD | IMPACT: MINOR | IMPACT: MODERATE | IMPACT: MAJOR
UNLIKELY: Possible, but unlikely to occur (<40% chance) | Low | Low | Significant
QUITE LIKELY: More than possible (40-60% chance) | Low | Significant | Critical
HIGHLY LIKELY: Much more likely than not to occur (>60% chance) | Significant | Critical | Critical

Sources of evidence for assessment:

o Research and analysis
o Available tacit or explicit knowledge
o Assessment of the impact of your activity on wider GMC outcomes
o Assessment of the threat to operational functionality/viability, e.g. financial
o Organisational experience of a similar risk occurring previously

31 A simple guide to deciding the severity of impact can be to consider the following:

Impact | Operational Functions | Achievement of Strategic Aims | Reputation | Timeframe of effect
Minor | Limited disruption to GMC operational functions and/or intended outcomes | Almost no adverse impact on the achievement of strategic aim(s) | Little/limited adverse impact | Short term
Moderate | Very concerning disruption to GMC operational functions and/or intended outcomes | Achievement of strategic aim(s) disrupted or inhibited | Very concerning adverse impact | More enduring, but still time-bound
Major | GMC operational functionality critically impaired | Strategic aim(s) severely compromised or cannot be achieved | Highly damaging adverse impact | Potentially long-lasting

32 The resulting risk ranks are then grouped into critical (red), significant (amber) and low (green) bands to show the relative priority of the risks. These ratings can only provide a guideline of the relative urgency of a risk and must be used along with all other relevant information to aid judgement and decision-making on risk control and mitigation.

33 Directors are accountable for ensuring that risk assessments in local risk registers are up to date. They are supported by Business Champions, activity leads and all staff. The Performance Review Report, presented to bi-monthly Performance and Resources Board meetings, and containing a summary of the proposed updated Corporate Risk Register, facilitates discussion by Directors and the Chief Operating Officer.

Risk mitigation

34 Countermeasures in place to mitigate each risk are recorded. We apply the question: what have we done to reduce the likelihood or impact of this risk?

35 Examples of mitigating action include:

a. Control procedures. Likely to be the largest component of mitigating action, they include measures such as publishing guidance and conducting regional visits.

b. Sharing risks with a third party, such as outsourcing aspects of delivery.

c. Avoiding the activity creating the risk.

d. Making contingency arrangements, for example through the Responses to Concerns Assessment Team (RCAT) in relation to issues arising in medical education and training.

36 Mitigating actions are clearly and concisely agreed and regularly updated in a risk register.

37 Once countermeasures have been identified, the risk assessment is applied a second time. The potential severity of impact and likelihood of occurrence is reassessed, taking into account the effect of the countermeasures. The resultant score is known as the residual risk.

38 If the residual risk remains critical on the local risk register, the risk should normally be considered for escalation to the Corporate Risk Register.

Risk evaluation

39 Risk evaluation establishes whether risks are adequately mitigated and, if not, determines what additional action is required to reduce their impact or likelihood of occurrence. In each case, we define the level of residual risk that is acceptable.

40 The level of risk appetite is guided by Council and the Audit and Risk Committee during discussion of corporate risk, and at a local level by Directors, guided by the Performance and Resources Board. This supports a clear definition of the level of residual risk that is tolerable and justifiable once mitigating action has been taken.

41 Using these factors, we identify risks that are not adequately mitigated and determine what additional measures are required.

42 Where the residual risk is still considered significant or critical, the risk register includes a further action column for further mitigation.

43 The Performance and Resources Board and the Audit and Risk Committee should be satisfied that mitigation is appropriate, and if not will require further action to be taken.

Risk monitoring and assurance

44 As outlined in this Framework, our risk management process seeks to be dynamic and effective with continuous review, evaluation and improvement. This is done by way of:

a. Continual review of local risk registers by Directors and their teams.

b. Full review of the Corporate Risk Register by the Strategy and Communication Directorate together with directorate Business Champions on behalf of the Performance and Resources Board.

c. Oversight by Audit & Risk Committee and Council, who seek assurance from a and b above of effective management of risk.

d. Through our annual internal audit programme, the management of specific risk, as well as the approach to risk management, are subject to scrutiny by the GMC's internal auditors, who provide assurance to the Audit and Risk Committee that risk is being managed appropriately. The Programme is agreed at the Committee and contains a series of reviews into internal processes and actions.

Appendix A Risk Glossary

Activity: Any work which uses resources (people, materials or facilities) and has an associated cost and duration.

Audit & Risk Committee: Has responsibility for overseeing risk management on behalf of the Council.

Contingency: A planned amount of time and/or cost set aside against accepted risks.

Corporate Risk Register: A record of corporate-level risks from the risk management process.

Effect: The possible outcome of a risk if it occurs.

Evaluation: Establishing if the risks are adequately mitigated and if not, determining what additional action is required to reduce their impact or likelihood of occurrence.

Identification: The process of exposing knowable risks specifically in relation to business objectives.

Impact: An assessment of the effect on the activity if a risk occurs.

Likelihood: The probability of a risk occurring.

Local Risk Registers: A record of all identified risks from the risk management process in each operational area. They are included in the Operational Plans.

Milestone: A marker which notes the end of a phase or project.

Mitigation: The planned series of actions to be performed to reduce the likelihood or impact of a risk occurring.

Monitoring: Identifying new risks and reassessing and evaluating existing risks in light of any significant changes or developments.

Objectives: Set out what is to be achieved and who will benefit. They should be specific and measurable and included in the Operational Plans.

Operational Plans: Internal management tools for planning work and reviewing organisational performance.

Operational risk: A risk resulting from inadequate or failed internal processes, people and systems, or from external events.

Policy risk: A risk to our ability to uphold a policy or arising from a particular policy decision.

Political risk: A risk resulting from unexpected change in government policy.

Reputational risk: A risk resulting in damage to the GMC through loss of its reputation.

Residual risk: The risk remaining after taking into account the effect of any actions taken to manage it.

Risk: The possibility of an event that could affect the achievement of an objective.

Risk appetite: Defining the level of residual risk that is tolerable and justifiable.

Risk assessment: The process of prioritising risks in terms of their potential severity of impact and likelihood of occurrence using the Risk Assessment Matrix.

Risk management: The process of managing the risks associated with an activity so that if a risk occurs, the impact is minimised.

Risk Management Framework: A GMC internal control which reflects the GMC's commitment to sound risk management principles and practices.

Risk owner: The person responsible for overseeing the management of a given risk, ensuring that appropriate mitigating action is selected and implemented and is responsible for periodically reporting on the status of the risk.

Risk review: A structured update of the assessment of current risk exposure.

Strategic risk: A risk resulting from poor strategic business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment.

Appendix B Business Champions

Education and Standards: Nathan Lambert
Fitness to Practise: Tom Russell
MPTS: Howard Matthews
Registration and Revalidation: Rob Scanlon
Resources and Quality Assurance: Steve Downs
Strategy and Communication: Kimberley Kingsborough

22 Appendix C Version Control Log This current version of the Risk Management Framework was approved [approvals/date] following a formal review of the framework in August - October The schedule below sets out a summary of all amendments to the framework since then. Date Reason for amendment?? October 2013 Redrafted during formal RMF review and approved by the Audit & Risk Committee A17

23 Note: Final approved version will feature a new back cover in the house style. A18

24 15 Risk Management Framework

Annex B Risk Summary Tool

Purpose of the Risk Summary

1 The Risk Summary Tool will provide the Performance and Resources Board, the Audit and Risk Committee and Council meetings with a visual representation of the risk profile and trends across the organisation, enabling them to prioritise their discussions on specific risk groupings.

Background to development of a Risk Summary

2 At a seminar on risk management for the Audit and Risk Committee on 5 September 2013, it was recommended that the review team consider ways in which the Committee might be able to review corporate risks in a more structured way. The Audit and Risk Committee therefore asked the team to develop two strawman diagrams which would provide a summary view of the risks on the Corporate Risk Register.

Taking the Risk Summary tool forward

3 Two options were designed to further the discussion as to how we can best support the Audit and Risk Committee's consideration of the Corporate Risk Register. Both options were tested, the pros and cons were discussed and a paper presented back to Committee members on circulation.

4 In discussion with the Chair of the Committee, a preferred option was identified and refined; it will be finalised in light of the completion of the corporate strategy and approval of the new Risk Management Framework. It will be brought for consideration to each of the first meetings of the Performance and Resources Board, Audit and Risk Committee and Council in The finalised Risk Summary will be compiled by the Intelligence Unit and will be a high-level view of the risks to the achievement of our corporate strategy, using the organisation's current corporate risks.

B1

25 Explanation of the preferred option

6 This draft Risk Summary displays the GMC's corporate level risks within five major categories:
a Three which link directly to risk to patients.
b One dealing with environmental risk, for example political risk.
c One covering risk to the business, for example financial risk.

7 Discussions took place at the Audit and Risk Committee seminar on different ways of categorising our organisational risks. The categories used here have been developed subsequently and refined following testing. The categories are based on our purpose, and the organisation's risk profile as recorded in the Corporate Risk Register.

8 The approach taken in this strawman is broadly based on good practice in the Civil Aviation Authority (CAA) (which was discussed at the risk management seminar), which displays the significant seven safety risks facing the CAA.

Figure 1: Illustration of draft Risk Summary

GMC Purpose: To protect, promote and maintain the health and safety of the public by ensuring proper standards in the practice of medicine

RISK TO PATIENTS
1. Failure to provide assurance that doctors are properly qualified and fit to practise
2. Failure to ensure standards in medical education, training and ongoing practice
3. Failure to detect and act on risk to patients

ENVIRONMENTAL RISK
4. Inability to adapt to external changes in the operating environment

RISK TO THE BUSINESS
5. Inadequate/inefficient organisational process or resource utilisation (externally, internally and locally)

[Chart: risk ratings for each category plotted on a scale of Crit., Sig. and Low]

The illustration above has been populated using existing corporate risks. The shapes and arrows represent the risk rating (after mitigating action) from the Corporate Risk Register, with the arrows indicating a risk that has risen or fallen in rating since the last Council review, the dots representing a risk which has retained the same rating since the last review, and the squares indicating a new risk.

B2

26 Benefits

10 The benefits of using the preferred option are:
a Displays clear linkage of risk categories (1-4) back to the GMC purpose.
b Provides a straightforward view of risk and trends at corporate level.
c Encourages more discipline in the articulation of risks.
d By phrasing the categories in this way we can better see the likely impact, on our purpose, of failure to mitigate a risk.

Explanation of the alternate option

11 Following discussions on the preferred option, an alternate option has been developed, using the same structure as the preferred option, but replacing the risk categories with the Priorities for The headings currently used are based on the emerging themes presented to Council on 25 September 2013, and will be finalised alongside the completion of the development of the corporate strategy.

Figure 2: Illustration of alternate option for Risk Summary

GMC Purpose: To help protect patients and improve standards of medical practice

Priorities for
1. Identifying and acting on risk to patients
2. Maximising the impact of our work
3. Being more effective locally
4. Raising professional standards in medical practice.
5. Working better together

[Chart: risk ratings for each priority plotted on a scale of Crit., Sig. and Low]

The pros and cons of using the alternate option in place of the preferred option are outlined in the table below.

Pros:
- Priorities clearly understood throughout the organisation.
- Avoids adding a level of complexity if risk categories were used

Cons:
- Not all of the current risks on the Corporate Risk Register map to the emerging Priorities

B4


Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

Managing ICT contracts in central government. An update

Managing ICT contracts in central government. An update Managing ICT contracts in central government An update Prepared by Audit Scotland June 2015 Auditor General for Scotland The Auditor General s role is to: appoint auditors to Scotland s central government

More information

the role of the head of internal audit in public service organisations 2010

the role of the head of internal audit in public service organisations 2010 the role of the head of internal audit in public service organisations 2010 CIPFA Statement on the role of the Head of Internal Audit in public service organisations The Head of Internal Audit in a public

More information

Risk management framework

Risk management framework Risk management framework Security classification: PUBLIC Reference number: DSITI:FW:001P Policy owner: Executive Director, Strategic Transformation & Performance Contact officer: Principal Consultant,

More information

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1 RISK MANAGEMENT 1 Contents Introduction 2 Corporate Governance 2 Purpose of this policy 2 Policy Objectives 2 Policy Statement 3 Scope of the policy 3 What is Risk? 4 The University s Approach 4 Description

More information

Business Continuity Management Policy

Business Continuity Management Policy Governance 1 Purpose The purpose of this policy is to communicate Business Continuity Management (BCM) framework, responsibilities and guiding principles for Victoria to effectively prepare for and achieve

More information

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting Guidance Corporate Governance Financial Reporting Council September 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting The FRC is responsible for promoting

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Second Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013

Second Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013 Second Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013 Undertaken by KPMG on behalf of Australian Commission on Safety and Quality in Health Care Contents

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

Appendix 1e. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Performance Management Framework

Appendix 1e. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Performance Management Framework Appendix 1e DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA Performance Management Framework DISTRIBUTION LIST Audit Team David Esling, Head of Audit and Assurance - Risk Management

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Solvency II Data audit report guidance. March 2012

Solvency II Data audit report guidance. March 2012 Solvency II Data audit report guidance March 2012 Contents Page Introduction Purpose of the Data Audit Report 3 Report Format and Submission 3 Ownership and Independence 4 Scope and Content Scope of the

More information

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author

More information

Code of Audit Practice

Code of Audit Practice Code of Audit Practice APRIL 2015 Code of Audit Practice Published pursuant to Schedule 6 Para 2 of the Local Audit and Accountability This document is available on our website at: www.nao.org.uk/ consultation-code-audit-practice

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information