Risk Management Policy and Procedures


Contents

1. Introduction and overview
2. Completion of the Corporate Risk Register
3. Roles and responsibilities

Annexes
Annex A Risk probability / impact setting
Annex B Aid to identifying risks
Annex C Risk Register template

Peter Bloomfield, Corporate Governance
Version 1.2.2, April 2016

1. Introduction and overview

Aim of this document

1.1 This document details the ICO's risk management policy and procedure. It should be read by Senior Management Team (SMT) members who, in turn, should explain the policy and procedure to their staff.

What is risk?

1.2 Risk is an event or cause leading to uncertainty in the outcome of the ICO's operations. For example, operational service standards are based on expected numbers of complaints. If complaints rise, service delivery will worsen unless staff are moved from other tasks to help. However, if complaints fall there is an opportunity to improve customer service. Risks can be opportunities as well as threats.

Why we need to manage risk

1.3 We manage risk daily without describing this as risk management. We consider what might go wrong and take steps to reduce the impact if things do go wrong. However, the ICO cannot rely on informal processes. As a public body, we must provide assurance to the Commissioner, auditors, the Audit Committee (AC) and the Department for Culture, Media and Sport that we are managing risk.

Who should think about risk?

1.4 The main responsibility for identifying corporate risks lies with SMT members, who should consider both existing risks and seek to identify new risks.

1.5 The Management Board (MB) and AC also have a role. Because of this, the risk register will be brought to these committees quarterly.

1.6 Staff too have a role in identifying risks. The corporate risk register is available on ICON and staff are encouraged to contribute; risk management is included in new staff induction.

When to consider risk

1.7 Risk should be considered when making decisions. In particular, as plans for the forthcoming year develop during the spring, SMT members need to re-consider existing corporate risks, looking at our aims for the next few years and identifying what might stop us achieving these aims. Timing is important if mitigating actions are to be included in business plans.

Project and departmental risks

1.8 Individual ICO projects may have their own risk registers. Where a project risk is considered serious enough it should be included in the corporate risk register. The project manager should advise Corporate Governance and relevant SMT members of any such risks. Regular project highlight reports to SMT are a good way of doing this.

1.9 Individual managers may also identify risks to departmental aims. Mitigating actions should be included in business plans if the risks are considered serious enough. If it is thought that the risks might be corporate, again the manager should advise Corporate Governance and relevant SMT members.

Risk appetite

1.10 Risk appetite is an expression of how much risk an organisation is prepared to take. It can vary over time and by work area. If the risk appetite is clearly stated, staff can take it into account when making decisions. So, when considering risk, SMT should discuss and express the risk appetite.

1.11 To help in this, the risk register steers risk owners into considering risk appetite when updating an entry. They need to consider not only the risk status before and after existing mitigating action but also the final tolerable risk status; ie what they are aiming for in terms of status for that particular risk.

Options for dealing with risk

1.12 There are four options for dealing with a risk.

Tolerate: if we cannot reduce a risk (or if doing so is out of proportion to the risk) we can tolerate the risk; ie do nothing further to reduce it.

Treat: if we can reduce the risk by identifying mitigating actions and implementing them, we should do so. For most of the risks on the corporate risk register this is what we do.

Transfer: risks can be transferred to other organisations, for example by use of insurance or by contracting out an area of work.

Terminate: this applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is very high risk and these risks cannot be mitigated, we might decide to cancel the project.

Communicating risk

1.13 During the spring, once corporate risks have been identified and agreed, the risk register will be made available to staff via ICON. Staff will be advised that it is available. The register will also come to SMT, MB and AC quarterly for any comments members might have.

1.14 It has been decided that the corporate risk register should not routinely be published.

2. Completion of the Corporate Risk Register

Completing the register

2.1 The risk register template is reproduced in Annex C. Its fields are completed as follows.

No: the risk's reference number in the register.

Risk area: the generic area with which the risk is associated.

Risk owner: the Executive Team member responsible for the risk and its mitigation.

Risk description: the identified risk should be described clearly as an event/cause and a result, for example:
  Event/cause: increase in FoI complaints received due to increased public awareness of their rights...
  Result: ...results in an increase in clearance times and backlogs.

Risk status before existing mitigation (Probability / Impact / Overall): see risk status at para 2.4.

Existing mitigating actions: mitigating actions (controls) which are in place and happening. Eg CRB checks for all new staff.

Existing assurances: an assurance is a process that ensures that the mitigation is working. Eg managers review the CRB checks and sign them off.

Risk status after existing mitigation (Probability / Impact / Overall): see risk status at para 2.4.

Acceptable: if yes, tolerate the risk. If no, there needs to be further action.

Future mitigating actions: planned actions which have not yet happened, designed to help reduce the risk even further. For each action record:
  Owner: the manager responsible for the mitigating action.
  Due: the expected completion date.
  Notes: any relevant notes.

Risk status after future mitigating actions (Probability / Impact / Overall): see risk status at para 2.4.

Aimed for risk status (Probability / Impact / Overall): see risk status at para 2.4.

When to be achieved by: the date by which the aimed for risk status is expected to be reached.

Risk Status

2.2 Risk status is an assessment of the risk's seriousness based on:
- the probability of the risk actually arising; and
- the impact on the ICO if the risk does actually arise.
We assign a status so that risks can be prioritised.

2.3 A traffic light and numerical indicator is used to show the risk status. Annex A provides advice on setting probability and impact.

2.4 Four assessments of risk status are needed.

Risk status before existing mitigation: an assessment of the risk happening and its impact if no action is taken; eg what is the risk that we receive an increase in complaints without taking any action to address increasing backlogs?

Risk status after existing mitigation: an assessment of the risk happening and its impact, taking into account existing actions aimed at reducing the risk. For example, we receive an increase in complaints and streamline procedures to make the process faster; what do we now think the risk status is?

Risk status after future mitigation: an assessment of the risk level we will reach after all the mitigating actions identified have been done.

Aimed for risk status: where we want to get to at the end of the process.

2.5 If, after existing mitigation, we think the risk status is acceptable then the risk should be tolerated; no further action is needed. But if the status remains unacceptable we should identify further mitigating actions.

Management summary

2.6 The risk register includes a one page management summary listing all of the risks and their risk status. In addition it indicates whether or not the risk status after existing mitigation is improving.

Updating the risk register

2.7 SMT formally review the risks on the risk register annually in the spring. The register is then updated monthly by Corporate Governance. The team will liaise with risk owners and managers over risk status and mitigating actions.

2.8 The register will also come to SMT, MB and AC quarterly for comments. Comments made at these meetings can then be incorporated into the next version.

2.9 Where changes are made to the register these will be tracked. Comments will be added to explain the reason behind the changes. The tracked changes and the comments can be hidden by changing the Word view when necessary, eg when placing the register on ICON or when the changes are major and confuse the presentation.

3. Roles and responsibilities

3.1 Senior Management Team
- Identification of corporate risks.
- Review of corporate risks and mitigating actions.
- Consider risk when making decisions.
- Articulate a risk appetite when making decisions.

3.2 Management Board
- Quarterly high level review of the risk register and the mitigation of risks, ensuring that the risk management process works properly.
- Identification of additional corporate risks.

3.3 Audit Committee
- The provision of advice on the strategic process for risk, control and governance and the Statement on Internal Control.
- Identification of additional corporate risks.

3.4 Heads of Departments
- To identify risks to the achievement of their unit's business plan which might also be corporate risks, and to advise SMT and Corporate Governance of such risks.
- To identify any relevant mitigating actions, to include these within their unit's business plan, and to ensure the business plan is met.
- To be alive to other risks that might develop in year.

3.5 Corporate Governance
- To manage the risk management process, ensuring that:
  - the Corporate Risk Register is presented to corporate governance groups as appropriate;
  - the risk register is placed on ICON and staff are encouraged to contribute; and
  - inconsistencies in the Corporate Risk Register are questioned.
- To ensure that the Corporate Risk Management Policy is kept up to date.

3.6 All staff
- To be alert to possible corporate risks and to raise risks they have identified with their managers.

Annex A

Risk probability setting

Probability   Criteria
Very low      0-5%: extremely unlikely or virtually impossible
Low           6-20%: low but not impossible
Medium        21-50%: fairly likely to occur
High          51-80%: more likely to occur than not
Very high     81-100%: almost certainly will occur

Risk impact setting

Impact        Criteria
Very low      Likely to have minor impact in one or a few areas of the ICO.
Low           Likely to have minor impact in many areas of the ICO.
Medium        Likely to have major impact in one or a few areas of the ICO.
High          Likely to have major impact in many areas of the ICO.
Very high     Likely to have major impact on the whole ICO.

Traffic light scoring

The overall score is the probability score multiplied by the impact score (1 to 25). Rows are probability; columns are impact. The colour thresholds for the traffic light are not set out in this annex.

                      Impact
Probability       Very High (5)  High (4)  Medium (3)  Low (2)  Very Low (1)
Very Low (1)            5            4          3          2          1
Low (2)                10            8          6          4          2
Medium (3)             15           12          9          6          3
High (4)               20           16         12          8          4
Very High (5)          25           20         15         10          5

Annex B

Aid to identifying risks

Step 1: Identify individual / unit / ICO aims, objectives and targets.
  Example: Develop and implement cost-effective programmes to tackle organisations which have not notified in accordance with their obligations, aiming to increase the register to 285,000.

Step 2: Think about what might stop the aims etc from being achieved and describe them in terms of event/cause and result.
  Example: Lack of staff to develop and implement the programme, due to difficulties in recruiting, results in a shortfall in the numbers registered and in Data Protection fee income.

Step 3: For each risk, score its impact and likelihood and prioritise accordingly.
  Example: Impact medium, as it could result in failure of the programme. [Impact could rise to high if the shortfall in notification fee income was going to affect office expenditure plans.] Likelihood medium, on the assumption that the Notifications team are slightly understaffed and are already facing some difficulties in recruiting. [This could rise to high if these staffing and recruitment problems were more severe.]

Step 4: Identify mitigating actions and include these in business plans if appropriate. Mitigation should be specific and time limited.
  Example:
  1. Identify any shortfall in the numbers of staff required by December.
  2. Identify existing staff who can be used on the programme by January and agree transfers and start dates.
  3. Initiate recruitment of new staff to fill any remaining shortfall by February and plan to have staff in post by June.
  4. Monitor the income shortfall and agree the point at which the ICO budget would need to be revised to take account of any shortfall.

Step 5: Agree the risk status after mitigating action.
  Example: Assuming reasonably successful staffing of the programme, the probability would fall to low. Impact would remain at medium, as this has not been addressed by the mitigation.

Annex C

Risk register template

Management summary (one line per risk):
Risk area | Status | When final risk status is expected by | Trend in status after existing mitigation

Risk entry:
Risk area:
Risk owner:
Risk description:
Risk status before existing mitigation: Probability | Impact | Overall
Existing mitigating actions:
Existing assurances:
Risk status after existing mitigation: Probability | Impact | Overall | Acceptable
Future mitigating actions: Owner | Due | Notes
Risk status after future mitigating actions: Probability | Impact | Overall | When to be achieved by
Aimed for risk status: Probability | Impact | Overall