Risk Management Policy and Procedures



Similar documents
RISK MANAGEMENT POLICY (Revised October 2015)

RISK MANAGEMENT STRATEGY

Northern Ireland Blood Transfusion Service

Information Commissioner's Office

1. Background and business case

Risk Management Policy and Process Guide

Bridgend County Borough Council. Corporate Risk Management Policy

Risk assessment. made simple. sayer vincent consultants and auditors. Introduction 3. step1 Identifying the risks 4. step2 Assessing the risks 7

Risk Management Within an Organisation

UoB Risk Assessment Methodology

Risk assessment. made simple

Confident in our Future, Risk Management Policy Statement and Strategy

Business Continuity Policy and Business Continuity Management System

Removal of Gender Restrictions on Australian Defence Force Combat Role Employment Categories

Business Continuity Management

Risk Methodology. Contents. Introduction The Risk Management Structure The Risk Management Cycle Methodology...

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

1.20 Appendix A Generic Risk Management Process and Tasks

Bedford Group of Drainage Boards

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

Privacy and Electronic Communications Regulations

Annual Governance Statement 2013/14

POLICY : CORPORATE RISK MANAGEMENT

Following up recommendations/management actions

Claims Management Regulation. The PPI Claims market: Dealing with malpractice

RISK MANAGEMENT POLICY

TEC Capital Asset Management Standard January 2011

Risk Management Policy. Corporate Governance Risk Management Policy

HMG Security Policy Framework

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

Glasgow Life Risk Management & Business Continuity Planning. Final Report

Shepway District Council Risk Management Policy

Information Security Team

Minutes of the meeting of 30 June 2014

Succession Planning Policy and Procedure

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

Auditing data protection a guide to ICO data protection audits

Risk Management Policy

Response to Ofcom s consultation on price rises in fixed term contracts

Merthyr Tydfil County Borough Council

Identifying Information Assets and Business Requirements

Risk Management Strategy

CENTRAL LINCOLNSHIRE LOCAL PLAN HIGHLIGHT REPORT

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

How To Write A Risk Management Policy For The University Of Kerry

The Lowitja Institute Risk Management Plan

Scotland s public sector workforce. Good practice guide

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

Operating procedure. Managing customer contacts

Risk Management Strategy EEA & Norway Grants Adopted by the Financial Mechanism Committee on 27 February 2013.

CEM+ Snapshot. Introduction

DRAKENSTEIN MUNICIPALITY LONG TERM FINANCIAL PLAN

Head of Internal Audit:

CORP RISK MANAGEMENT POLICY & METHODOLOGY

IMPLEMENTATION DETAILS

Department of Health INFORMATION ASSURANCE SUMMARY REPORTS. The purpose and scope of this review

Risk Management Framework

3 August 2012 Policy updated to reflect name changes and alignment with current Aurora Energy Group Policy standards.

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

REPORT OF: DIRECTOR OF DEMOCRATIC AND LEGAL SERVICES 13/358 WARDS AFFECTED: ALL

Opinion on the robustness of the budget and the adequacy of the reserves. Helen Martin Ext. 7483

CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY

EMERGENCY PREPAREDNESS POLICY

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Project Management Fact Sheet:

Purpose of Report To present a revised corporate risk register as at May 2013

WEST MERCIA BUDGET 2013/14 MEDIUM TERM FINANCIAL PLAN 2013/14 TO 2017/18. Report of the Treasurer, Director of Finance, Chief Executive and

FINANCIAL MANAGEMENT & CORPORATE GOVERNANCE WORKING PARTY MINUTES P R E S E N T

1.0 Policy Statement / Intentions (FOIA - Open)

A Risk Management Standard

Risk Policy and Risk Management Procedures

Appendix 2 to Chapter 7 GUIDANCE ON THE DEVELOPMENT OF AN SMS GAP ANALYSIS FOR SERVICE PROVIDERS

A guide for members APES 325 Risk Management for Firms

Information Commissioner's Office

A: Complaints about NHS foundation trusts (which do not relate to choice and competition or pricing)

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control

RISK MANAGEMENT POLICY. Version 3

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA

Risk Management Strategy

AUDIT COMMITTEE 10 DECEMBER 2014

ITEM NO: 5. Date: 21 September Reporting Officer:

Huntingdonshire District Council Data Quality Audit Report 2006/07. March 2008

Guide 2 Organisational

Risk Based Internal Auditing & Enterprise Risk

Road Asset Management Plan Risk Management : Appendix H CONTENTS. 1.0 Risk Management Risk Identification Risk Evaluation.

Strategic Alliance. Business Continuity Policy

Blank Project Management Templates. Saving Time! Saving Money! Saving Stress!

Council, 14 May Information Governance Report. Introduction

The Government's Drug Strategy

- NOT PROTECTIVELY MARKED -

Business Continuity Policy

FINANCIAL MANAGEMENT MATURITY MODEL

IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT

Business Continuity (Policy & Procedure)

Audit of Project Management Governance. Audit Report

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Transcription:

Risk Management Policy and Procedures Contents 1. Introduction and overview 2. Completion of the Corporate Risk Register 3. Roles and responsibilities Annexes Annex A Risk probability / impact setting Annex B Aid to identifying risks Annex C Risk Register template Peter Bloomfield Corporate Support Unit Version 1.1.8 January 2011 1

1. Introduction and overview Aim of this document 1.1 To detail the ICO s corporate risk management policy and procedure. It should be read by ET members and their direct reports who intur shoudlexplain the policy and procedure to their staff. What is risk? 1.2 Risk is: An event or cause leading to uncertainty in the outcome of the ICO s operations. For example, service standards are based on expected numbers of complaints. If more complaints are received, service delivery will fall unless staff are moved from other tasks to help. Conversely, if complaint numbers fall there is an opportunity to improve customer service. Risks represent opportunities as well as threats. Why we need to manage risk 1.3 Daily we manage risk without describing this as risk management. We consider what might go wrong and take steps to reduce the impact if things do go wrong. However, the ICO cannot rely on informal processes. Also, as a public body, we must provide assurance to the Commissioner, auditors, the Audit Committee (AC) and the Ministry of Justice that we are managing risk correctly. We do need to formally identify corporate risks and mitigating actions. Who should think about risk? 1.4 The main responsibility for identifying corporate risks lies with ET. Members should consider both existing risks and think about any new corporate risks. ET input is important as members are well placed to identify and monitor corporate risks. 1.5 MB, AC, and other committees also have a role. Because of this, the risk register will be brought to relevant groups as appropriate. 1.6 Staff too have a role in identifying corporate risks. The corporate risk register is available on ICON and staff are encouraged to contribute. 2

When to consider risk 1.7 Risk needs to be considered when decisions are made. In particular, as corporate aims develop during the planning round, ET members and managers need to consider afresh existing corporate risks; looking at what we want to do over the next few years and identifying risks which may arise. Timing is important if mitigating actions are to be included in business plans. Project and departmental risks 1.8 Individual ICO projects may have their own risk registers. Where a project risk is considered high priority it should be included in the corporate risk register. The project manager or steering group should advise Corporate Governance and relevant ET members of any such risks. The regular highlight reports to ET arer a good way of doing this. 1.9 Individual managers may also identify risks to their department s aims. Mitigating actions should be included in business plans if considered serious enough. If it is thought that the risks might be corporate, again the manager should advise Corporate Governance and relevant ET members of this. Risk appetite 1.10 Risk appetite is an expression of how much risk an organisation is prepared to take. It can vary over time and from work area to work area. If the ICO s risk appetite is clearly articulated staff can take this into account when making their decisions. ET should therefore, when considering risk, discuss and express the risk appetite as they see it. 1.11 The risk register steers risk owners into considering risk appetite when updating a risk entry. They need to consider not only the risk status before and after existing mitigating action but also the final tolerable risk status; ie what they are aiming for in terms of status for that particular risk. Options for dealing with risk 1.12 There are various options for dealing with risk. Tolerate if we cannot reduce the risk in a specific area (or if doing so is out of proportion to the risk) we can decide to tolerate the risk; ie do nothing further to reduce the risk. Tolerated risks are simply listed in the corporate risk register. 3

If the risk is shown as green after existing mitigating actions are taken it can probably be tolerated. Treat if we can reduce the risk in a sensible way by identifying mitigating actions and implementing them, we should do so. For most of the risks on the corporate risk register this is what we are doing. Transfer here risks might be transferred to other organisations, for example by use of insurance or transferring out an area of work. Terminate this applies to risks we cannot mitigate other than by not doing work in that specific area. So if a particular project is very high risk and these risks cannot be mitigated we might decide to cancel the project. 4

2. Completion of the Corporate Risk Register Completing the register 2.1 The risk register template is below. 1.1 Risk area: The generic area with which the risk is associated with Risk owner: The Executive Team member responsible for the risk and its mitigation Corp aim: The aim associated with the risk. Risk description The identified risk should be described clearly as below: Event/cause Increase in FoI complaints received due to increased public awareness of their rights... Result results in increase in clearance times and backlogs Risk status before existing mitigation See risk status below from para 2.3 Probability Impact Overall Existing mitigating actions These are mitigating actions (controls) which are in place and happening. Eg CRB checks for all new staff. Existing assurances An assurance is a process that ensures that mitigation is working. Eg Managers reviews the CRB checks and signs them off. Risk status after existing mitigation See risk status below from para 2.3 Future mitigating actions Planned actions which have not yet happened designed to help reduce the risk even further. Risk status after future mitigating actions See risk status below from para 2.3 Probability Impact Overall Acceptable If yes tolerate the risk. If no there needs to be further action. Owner Due Notes Manager responsible for the mitigating action. Expected clearance date. Probability Impact Overall Any relevant notes 5

Risk Status 2.2 Risk status is an assessment of the risk s seriousness and is based on: The probability of the risk actually arising; and The impact on the ICO if a risk does actually arise. We assign a status so that risks can be prioritised. A high impact high likelihood risk should be given more attention than a high impact low likelihood risk; for example a meteorite strike on Wilmslow. 2.3 A traffic light and numerical indicator is used to show the risk status. Annex A provides advice on setting probability and impact. 2.4 Three assessments of risk status are needed. Risk status before existing mitigation an assessment of the risk happening and its impact if no action is taken; eg what is the risk that we receive an increase in complaints without taking any action to address increasing backlogs? Risk status after existing mitigation an assessment of the risk happening and its impact, taking account of existing actions aimed at reducing the risk. For example, we receive an increase in complaints and streamline procedures to make the process faster; what do we now think the risk status is? Risk status after future mitigation an assessment of the risk level we will reach after allthe mitigating actions identified have been done. 2.5 If after existing mitigation we think this the risk status is acceptable then the risk should be tolerated; there is nothing more we can do. But if the status remains unacceptable (bearing in mind our risk appetite) then we should identify further mitigating actions. Management summary 2.6 The risk register includes a one page management summary listing all of the risks and the various risk statuses. In addition it indicates whether or not the risk status after existing mitigation is improving. 6

3. Roles and responsibilities 3.1 Executive Team Identification of corporate risks. Detailed review of corporate risks and mitigating actions. Consider risk when making decisions. Articulate a risk appetite when making decisions. 3.2 Management Board Quarterly high level review of the risk register and mitigation of risks, ensuring that the risk management process works properly. Identification of additional corporate risks. 3.3 Audit Committee The provision of advice on the strategic process for risk, control and governance and the Statement on Internal Control. Identification of additional corporate risks. 3.4 ET direct reports To identify risks to the achievement of their unit s business plan which might also be corporate risks, and to advise ET and Corporate Governance of such risks. To identify any relevant mitigating actions, to include these within their unit s business plan, and to ensure the business plan is met To be alive to other risks that might develop in year. 3.5 Corporate Governance To manage the risk management process ensuring that: the Corporate Risk Register is presented to corporate governance groups as appropriate; the risk register is placed on ICON and staff are encouraged to contribute; inconsistencies in the Corporate Risk Register are questioned; and to ensure that the Corporate Risk Management Policy is kept up to date. 3.6 All staff To be alert to possible corporate risks and to raise risks they have identified with their managers. Peter Bloomfield Corporate Governance 7

Risk Probability setting Probability Criteria Annex A Very low Low Medium High Very high 0-5% - extremely unlikely or virtually impossible 6-20% - low but not impossible 21-50% - fairly likely to occur 51-80% - more likely to occur than not 81-100% - almost certainly will occur Risk Impact setting Impact Very low Low Medium High Very high Criteria Likely to have minor impact in one or a few areas of the ICO. Likely to have minor impact in many areas of the ICO. Likely to have major impact in one or a few areas of the ICO. Likely to have major impact in many areas of the ICO. Likely to have major impact on the whole ICO. Traffic light scoring Very Low (1) (5) (4) (3) (2) (1) Low (2) (10) (8) (6) (4) (2) Medium (3) (15) (12) (9) (6) (3) Probability High (4) (20) (16) (12) (8) (4) Very High (5) (25) (20) (15) (10) (5) Very High (5) High (4) Medium (3) Low (2) Very Low (1) Impact 8

Aid to identifying risks Step Action 1 Identify individual / unit / ICO aims, objectives and targets 2 Think about what might stop the aims etc from being achieved and describe them in terms of event/cause and result. 3 For each risk score its impact and likelihood and prioritise accordingly. Annex B Example Develop and implement cost-effective programmes to tackle organisations which have not notified in accordance with their obligations, aiming to increase the register to 285,000. Lack of staff to develop and implement programme due to difficulties in recruiting result in shortfall in numbers registered and in Data Protection Fee Income. Impact medium as it could result in failure of the programme. [Impact could rise to high if shortfall in notification fee income was going to impact on office expenditure plans.] Likelihood medium on assumption that Notifications team are slightly understaffed and are already facing some difficulties in recruiting. [This could raise to high if these staffing and recruitment problems were more severe.] 4 Identify mitigating actions and include these in business plans if appropriate. Mitigation should be specific and time limited. 1. Identify any shortfall in numbers of staff required by December. 2. Identify existing staff who can be used on the programme by January and agree transfers and start dates. 3. Initiate recruitment of new staff to fill any remaining shortfall by February and plan to have staff in post by June. 4. Monitor income shortfall and agree point at which ICO budget would need to be revised to take account of any shortfall. 5 Agree risk status after mitigating action. Assuming reasonably successful staffing of the programme the probability would fall to low. Impact would remain at medium as this has not been addressed by mitigation. 9

Annex C Risk register template Current risks (summary) Status Before existing mitigation After existing mitigation After future mitigation actions Trend Risk area: Risk owner: Corp aim: Risk description Risk status before existing mitigation Probability Impact Overall Existing mitigating actions Existing assurances Risk status after existing mitigation Future mitigating actions Probability Impact Overall Acceptable Owner Due Notes Risk status after future mitigating actions Probability Impact Overall 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information