Good practice in risk management
REPORT BY THE COMPTROLLER AND AUDITOR GENERAL 8 June 2011
BELFAST: The Stationery Office £5.00
Report by the Comptroller and Auditor General for Northern Ireland
Good practice in risk management
This report has been prepared under Article 8 of the Audit (Northern Ireland) Order 1987 for presentation to the Northern Ireland Assembly in accordance with Article 11 of that Order.
K J Donnelly, Comptroller and Auditor General, Northern Ireland Audit Office, 8 June 2011
The Comptroller and Auditor General is the head of the Northern Ireland Audit Office employing some 145 staff. He and the Northern Ireland Audit Office are totally independent of Government. He certifies the accounts of all Government Departments and a wide range of other public sector bodies; and he has statutory authority to report to the Assembly on the economy, efficiency and effectiveness with which departments and other bodies have used their resources.
For further information about the Northern Ireland Audit Office please contact:
Northern Ireland Audit Office, 106 University Street, BELFAST BT7 1EU
Tel: 028 9025 1100 email: [email protected] website: www.niauditoffice.gov.uk
© Northern Ireland Audit Office 2011
Contents
Part one Introduction 1
Part two Risk management framework 5
Part three Risk management process 13
Part four Accountability 29
Appendices 35
Appendix 1 Risk management checklist 36
Appendix 2 Participants 41
Appendix 3 HM Treasury – Key questions for an audit committee to ask 42
Appendix 4 Extract from DHSSPS communications plan 43
Appendix 5 Categories of risk 45
Appendix 6 Department for Regional Development - Risk checklist 47
Appendix 7 Department of Education - Assessment categories for impact and likelihood 49
Appendix 8 Model of risk appetite 56
Appendix 9 Strategic Investment Board – Fraud risk assessment 58
Appendix 10 OFMDFM stewardship statements pro forma 59
Glossary
Horizon scanning: the technique used to identify risks by a systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning
Inherent risk: the exposure arising from a specific risk before any action is taken to manage it
Residual risk: the exposure arising from a specific risk after action has been taken to manage it and assuming that the action taken has been effective
Risk appetite: the extent of exposure to risk that has been assessed as tolerable for an organisation or business activity
Risk register: captures, maintains and monitors information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk
Abbreviations
ALB Arm's Length Body
BAFO Best and Final Offer
CE Chief Executive
CGAC Corporate Governance Audit Committee
DARD Department of Agriculture and Rural Development
DE Department of Education
DFP Department of Finance and Personnel
ELB Education and Library Board
EU European Union
IT Information Technology
MEMR Monthly Expenditure and Monitoring Report
NAO National Audit Office
NDPB Non-departmental Public Body
NIAO Northern Ireland Audit Office
NICS Northern Ireland Civil Service
OFMDFM Office of First Minister and Deputy First Minister
OGC Office of Government Commerce
PDP Personal Development Plan
PPA Personal Performance Assessment
PSA Public Service Agreement
RRG Risk Review Group
Part One: Introduction
1.1 Risk management is a highly topical issue for all government departments and their sponsored bodies and has a vital role to play in promoting and securing value for money in the use of public funds.
1.2 As a result of recent public spending cuts announced by Westminster, public bodies face greater challenges in managing risk. The cuts announced by the Chancellor of the Exchequer in the National Spending Review in October 2010 will result in a reduction of 8 per cent in the Northern Ireland Executive's delegated current expenditure limits by 2014-15. The delegated expenditure limit for capital investment available to the Northern Ireland Executive will reduce by 40.1 per cent in real terms by 2014-15. It is essential, therefore, that public bodies adopt and embrace an innovative approach to managing risk to assist in the delivery of better, more cost effective public services.
1.3 There is currently a great deal of risk management guidance available, the essence of which is broadly similar. The purpose of this publication is to provide a best practice guide tailored to the experiences and needs of public sector bodies in Northern Ireland. The report reflects on local case study examples to illustrate how well risk is being handled in practice and to identify better and more innovative ways of managing risk.
1.4 In producing this report, we developed a risk management checklist (see Appendix 1), designed as a tool to enable public bodies to self assess their capability and capacity to manage risk. However, as a one-off exercise, we completed the checklist with all of the Northern Ireland Civil Service (NICS) departments and a number of Arm's Length Bodies (see Appendix 2 for a full list). This exercise facilitated the identification of good practice in the application of risk management principles. This report examines good practice in the context of:
• the risk management framework (Part Two);
• the risk management process (Part Three); and
• accountability (Part Four).
1.5 Overall, we found that the departments had developed a strong awareness of risk and had made genuine efforts to develop and embed an effective risk management strategy. Traditionally, public sector bodies display many of the characteristics associated with a highly risk averse culture. However, best practice guidance on risk management emphasises that the consequences of risk can be positive or negative. Well managed risk taking can produce benefits for the organisation in terms of opportunities, but equally can present threats that ultimately may impact on an organisation's ability to meet its strategic objectives. Risk management is an important aspect of good governance and is a useful tool in contributing to the achievement of outcomes and ensuring that public bodies meet their objectives, as the following Case Study illustrates.
Case Study 1 Department of Education – Managing risk to achieve outcomes
Following substantial overspends in 2003-04 and 2004-05 by two Education and Library Boards (ELBs), the Department of Education (DE) introduced a series of measures to ensure tighter financial monitoring and control with the aim of preventing recurrence. This included the introduction of:
• a revised Monthly Expenditure and Monitoring Report (MEMR) to provide more relevant and detailed information;
• a signed assurance statement from the Chief Executive as to the accuracy of the information provided and a commitment to remain within budget;
• monthly meetings with each Chief Finance Officer to discuss in detail the information on the MEMR and reduce the risk of under/overspend at the year end;
• reconciliation and review of details provided in the MEMRs with details held in DE to reduce the risk of errors in figures being used by ELBs and DE; and
• keeping the DE Board informed to aid better decision making.
Following the implementation of these measures, the ELBs have remained within budget since 2004-05.
Source: Department of Education
Case Study 2 The Fermanagh Flooding – Managing risk to achieve outcomes
During the course of late October and November 2009, County Fermanagh experienced unprecedented levels of rainfall. The area was subject to widespread flooding, leading to significant disruption to life in the county at both individual and community level. The Northern Ireland Executive decided, at its meeting on 3 December 2009, that a Flooding Taskforce should be established to investigate the causes of the flooding, identify lessons learned and consider measures required to mitigate the impact of any future flooding. This cross-departmental Taskforce gathered evidence from members of the public in the affected areas, business people, local representatives and stakeholder organisations. The Taskforce also took full account of the issues identified by a Review of the Flood Response conducted by the Rivers Agency, Department of Agriculture & Rural Development.
Following detailed examination of all the evidence the Taskforce presented a number of recommendations to the Northern Ireland Executive on 22 July 2010. These included:
• conducting an in-depth review of the Management of the Operating Regime for the Erne System;
• undertaking a programme of road improvement works;
• conducting a feasibility study to consider options for a flood alleviation scheme;
• undertaking a programme of work to improve the level of protection from flood risk;
• maintaining and further developing emergency planning arrangements and networks;
• ensuring that robust contingency arrangements are in place for the provision of essential services to the local community; and
• developing an education and public awareness programme to inform the local community about flooding in the Fermanagh area and how to deal with it.
The recommendations outlined above were approved by the Northern Ireland Executive on 22 July 2010 and the Office of First Minister and Deputy First Minister advised us that considerable progress has since been made on their implementation.
Rainfall levels in County Fermanagh have not since reached the unprecedented levels experienced in November 2009 and the measures outlined above have not, therefore, been tested in a live environment. However, if these control measures prove to be effective, this case demonstrates the principles of effective risk management. As a result, any adverse impact on the community on the scale of that experienced in November 2009 should be averted.
Source: Department of Agriculture and Rural Development
Part Two: Risk management framework
Risk management function
2.1 The structure of an organisation's risk management function will vary according to its size, nature and resource constraints. The risk management function may range from a single individual risk champion or manager to a whole risk management department. Figure 1 provides a summary of the roles and responsibilities that may be delegated to, and coordinated by, the risk management function.
Figure 1 – Risk management function: roles and responsibilities
Risk Management Function:
• Provides regular updates and communication on risk management issues
• Provides guidance and advice to staff
• Produces risk management strategy
• Maintains risk registers
• Provides risk management training to staff
• Monitors content of registers and status of actions
Good Practice – Forums for exchanging knowledge and working practices
HM Treasury currently runs a risk improvement group that meets twice a year. This provides a good networking opportunity and enables attendees to meet experts in the field. Guest speakers are invited to attend the meetings and share experiences including case studies and guidance. The forum plays a useful role in spreading and embedding good practice.
Leadership
2.2 In public bodies the Accounting Officer has responsibility for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, whilst safeguarding the public funds and departmental assets. This involves putting a system in place to ensure that all business areas identify the key risks to the achievement of the organisation's objectives. The Accounting Officer must report annually on the organisation's system of internal control in the Statement on Internal Control. The statement should highlight any key internal control issues that have been encountered throughout that year.
2.3 Strong leadership and clear ownership at Accounting Officer level is essential in embedding an organisational risk management culture. An organisation's risk management strategy should outline clearly the roles and responsibilities for risk management, including that of the Accounting Officer.
2.4 In addition, the corporate governance framework of public sector bodies will include a Board, an Audit Committee and an internal audit service, all of which will assume some responsibility for seeking and providing assurance in relation to risk management. The management of risk, however, always remains an executive responsibility.
2.5 According to HM Treasury guidance, "the Board should ensure that effective risk management arrangements are in place to provide assurance on risk management, governance and internal control".¹ Depending on an organisation's circumstances it may choose to establish a separate risk committee. However, frequently the role of the Audit Committee will be extended to include seeking assurances in relation to risk management. For this reason the Audit Committee is sometimes referred to as the Audit and Risk Committee. The Audit Committee will support the Board and the Accounting Officer by gathering assurance and providing advice to the Board on risk management, governance and control issues. HM Treasury guidance reflects that, "the Audit Committee is charged with ensuring that the Board and Accounting Officer of the organisation gain the assurance they need on risk management, governance and internal control".² The guidance provides a list of questions that an Audit Committee may wish to ask in seeking assurance on risk management issues (Appendix 3). It is essential, however, that audit committees maintain their independence and do not become operationally involved in risk management.
2.6 Internal Audit should adopt a risk based approach to planning its programme of work which will refer to organisational risk registers to identify topics for review. In addition to individual audit reports, Internal Audit provides an independent opinion on the overall adequacy and effectiveness of the framework of governance, risk management and internal control which should support and inform the Accounting Officer's Statement on Internal Control.
¹ HM Treasury guidance - Corporate governance in central government departments: Code of Good Practice.
² HM Treasury – Audit Committee Handbook.
Figure 2 – Risk management in practice: roles and responsibilities

Accounting Officer
• Retains ultimate responsibility for the organisation's system of internal control and ensures that an effective risk management process is in place and is regularly reviewed
• Provides clear direction to staff
• Establishes, promotes and embeds an organisational risk culture
• Reports to the Board and the Audit Committee

Board
• Establishes and oversees risk management procedures
• Endorses the risk management strategy/policies
• Ensures appropriate monitoring and management of significant risks by management
• Challenges risk management to ensure that all key risks have been identified
• Is aware of any instances where risks are realised

Audit (& Risk) Committee
• Reports to the Board on the effectiveness of the system of internal control and alerts the Board members to any emerging issues
• Endorses the organisation's risk management strategy/policies
• Takes responsibility for the oversight of the risk management process
• Reviews risk registers to provide challenge and advice (not in an executive capacity)

Senior Management
• Acts on behalf of the Board and will:
  • determine the organisation's approach to risk management
  • implement policies on risk management and internal control
  • discuss and approve issues that significantly affect the organisation's risk profile or exposure
  • continually monitor the identification and management of significant risks and ensure that actions to remedy control weakness are implemented
  • report changes in risk assessment to the Board on an exception basis
  • annually review the organisation's approach to risk management and approve changes or improvements to key elements of its processes and procedures
  • report to the Audit Committee and to the Board on risk management matters
• Provides subsidiary management/internal control statements to the Accounting Officer

Risk Owner
• Identifies and assesses individual risks
• Decides whether a risk is sufficiently serious to be escalated to the next level of the organisation
• Ensures that actions to treat or control the risk are carried out and informs the risk manager of any consequent updates to the risk register
• Reviews the risk rating and the necessity to keep the risk on the register
Risk management strategy and policies
2.7 Public bodies should document formally their approach to risk management in a risk management strategy. This will assist the Accounting Officer, the Board and the senior management team in promoting and embedding risk management in the culture of the organisation. The risk management strategy will usually be published in a separate document but may be integrated with established policies for departmental business activities. Regardless of how organisations choose to present their risk management strategy, there are a number of key issues that should be addressed.
1. The strategy should outline the organisation's approach to risk management and should define its risk appetite.
2. The roles and responsibilities for the management and ownership of risk should be documented to ensure that all staff have a clear understanding of their remit.
3. The risk management process adopted by the organisation should be clearly outlined in the strategy.
4. The strategy should define how risks will be evaluated or ranked. This should assist in identifying key risks.
5. Risk registers should be regularly reviewed and this process should be identified in the strategy.
6. The process for monitoring and reviewing risk management procedures should be documented.
7. The process by which the Accounting Officer satisfies himself/herself that there is an adequate system of internal control in place should be outlined in the strategy.
Figure 2 (continued)

Risk Management Function (e.g. risk champion/manager/co-ordinator/department)
• Maintains the risk register under the direction of risk owners and updates or amends the risk register as necessary
• Regularly reviews the content of risk registers with a view to ensuring that risk actions are being completed and that all details on the risk register are correct

Staff
• Carries out risk actions identified and delegated by the risk owners
• Maintains awareness of the organisation's risk management strategy and the key risks faced by the organisation
• Ensures that duties relating to controls are carried out

Internal Audit
• Provides independent opinion on the overall adequacy and effectiveness of the organisation's framework of governance, risk management and internal control to the Accounting Officer (and Audit Committee)
2.8 The risk management strategy is a key document which should underpin the organisation's risk management culture. It is essential, therefore, that it is endorsed by the Accounting Officer, the Board and the Audit Committee given their respective roles and responsibilities in relation to risk management.
Good Practice - Risk management guidance
In addition to its risk management strategy, the Department of Justice has produced 'a practical guide' to risk management which aims to assist staff in interpreting the guidance and addresses common issues. The Department informed us that this document is made available to all staff and supplements any training provided. The guide is user friendly and would be of particular benefit to those staff who may not have direct responsibility for risk management, but need to be aware of the key concepts.
Communicating the risk management strategy
2.9 Once the risk management strategy has been approved by the Board (any subsequent updates should also be approved by the Board), it is essential that the document is publicised throughout the organisation and made available to all staff. This can involve holding training sessions tailored to the needs of different levels of staff throughout the organisation, sending out updates by email and publishing the document on the organisation's intranet. One of the key ways of gaining staff buy-in is for senior management to promote the importance of risk management. This might involve senior management facilitating staff meetings and delivering risk awareness sessions to staff.
Good Practice – Embedding risk management
Embedding effective risk management processes across the Department for Social Development and its sponsored bodies is a continuous process rather than a one-off annual exercise. It has involved looking below the surface of policies and procedures to identify what is actually happening on the ground. Taking on board the principle that this affects a wide range of people, the Department has adopted an all inclusive process driven by the Board and the Audit Committee. People are engaged continually through ongoing support and challenge by a dedicated team of staff. Recognising the benefits that a separate set of views can bring, a peer review process has been used to obtain an external perspective on risk management arrangements. To ensure continual refreshment of the process, managers from across the Department and its sponsored bodies have been brought together for a series of externally facilitated workshops to provide time for reflection, an opportunity to challenge each other's thinking and to assess the adequacy of current risk management arrangements in the context of identified good practice outside the NICS. The workshops provided a forum for sharing knowledge and experience and the output informed the ongoing review of the Department's risk management strategy. This included the involvement of staff in the development of definitions to help build consistency in the risk assessment process which has helped to keep risk management at the forefront of decision-making.
Source: Department for Social Development
Contingency and business continuity plans
2.10 It is essential that public services can be maintained in the event of a disaster. Contingency planning is therefore vital in ensuring that the negative impact associated with risks occurring is managed and that there is minimal interruption to service delivery. Contingency plans should be put in place and regularly reviewed and tested to ensure that they provide adequate cover in the event of a disaster.
2.11 Due to the nature of the public sector, the services it provides, and the way in which it is funded, public bodies must manage reputational risk. Risk cannot, however, be eliminated entirely and there will always be a residual risk to the reputation of an organisation in the event of a risk maturing. In order to minimise the potential impact that this may have, public bodies should ensure that they are well equipped to deal with the event. This involves developing a communications strategy and providing training to relevant staff on its application.
2.12 We asked departments to comment on and provide a copy of their communications strategy. A significant number of the public bodies we reviewed referred us to their risk management strategy which did not, in our view, deal adequately with external communications. The Department of Health, Social Services and Public Safety has developed a communications plan as an annex to its business continuity plan which focuses on the external aspects of communication. The plan identifies a list of questions for consideration when devising a communications strategy in response to an event that may impact adversely on the organisation and a summary of the key steps that should be applied. An extract from the plan is provided at Appendix 4.
Arm's length bodies
2.13 Risk management is an important aspect in the governance of arm's length bodies (ALBs). HM Treasury guidance indicates that effective risk management needs to give full consideration to the context in which the department functions and to the risk priorities of partner organisations. For example, departments delegate aspects of service delivery to ALBs. If ALBs fail to manage these delegated risks appropriately this could impact on the department's achievement of objectives. In addition, any reputational risk faced by an ALB can also impact on the reputation of the sponsoring department. It is essential, therefore, that departments seek assurances that their ALBs are managing risk at an acceptable level. Managing Public Money Northern Ireland states that 'the Accounting Officer of a department which sponsors an ALB should make arrangements to satisfy himself/herself that the Accounting Officer is carrying out his/her responsibilities'.
2.14 The approach adopted by departments will be influenced by the number of ALBs they provide funding to and the risk profile of those ALBs. Departments and ALBs need to work together to identify shared risks and develop appropriate efficient risk management approaches. Departments should regularly review the risk profile of their ALBs and ensure that appropriate and effective risk management processes are in place, including:
• structured processes for identifying and managing risks associated with departmental sponsorship responsibilities;
• regular review of processes for gaining assurances on ALBs' management of risks to ensure that appropriate and effective controls are in place; and
• regular and open discussion of risk issues between departments and their ALBs.
2.15 Departments have developed a number of techniques for gaining assurances on the governance and risk management of their ALBs.
Good Practice – managing risks in arm's length bodies
• The Accounting Officer of each ALB is required to complete an annual 'Subsidiary Statement on Internal Control' confirming that risks within their organisation have been identified, evaluated and managed appropriately. This statement is timed to support the departmental Statement on Internal Control which will reflect any significant control failures reported within ALBs.
• The head of Internal Audit in each ALB provides an annual opinion on the adequacy of the organisation's risk management, control and governance process. This report should be timed to support the Accounting Officer in each ALB in preparing his/her Statement on Internal Control.
• Training is provided for Board members of ALBs on their roles and responsibilities.
• The Department attends in an observer capacity at the meetings of the ALB's Audit and Risk Committee to ensure alignment of risks, monitor the effectiveness of systems in place and maintain awareness of key risks.
• ALB representatives attend the departmental Audit and Risk Committee in an observer capacity on matters which impact on both, to offer reassurance that appropriate governance arrangements are in place and working.
• Procedures are documented and embedded to ensure that new risks identified in the ALBs are escalated to the Department on a timely basis.
Part Three: Risk management process
3.1 There is no one size fits all approach to the risk management process for public sector bodies. However, all risk management processes should incorporate five core stages and these should be outlined in the risk management strategy.
Step 1: Risk identification
Figure 3 – Risk management process
1. Risk identification
2. Risk assessment
3. Risk appetite
4. Addressing risk
5. Reviewing and reporting risk
3.2 Risk identification is the process of identifying risks which may impact on the organisation's ability to achieve its objectives. The aim is to identify what, when, where, why and how events could prevent, degrade, delay or enhance achievement of objectives. Appendix 5 provides a breakdown of the 3 main categories of risk which includes:
• external risks;
• operational risks; and
• change risks.
3.3 Risk identification should be approached in a methodical way to ensure that all significant activities within the department have been identified and all risks flowing from these activities defined. Risk should always be related to objectives. Departments use a number of methods for identifying risks including facilitated workshops, brainstorming, using past experience, and audit reports such as those of internal audit, NIAO and other audit institutions. As part of its risk management procedure manual the Department for Regional Development has compiled a risk checklist as a tool to facilitate the consideration of risk for any business activity. Although not exhaustive it provides a starting point for business areas to assess risk (see Appendix 6).
3.4 A number of departments also use a technique called "horizon scanning" which identifies risks that are likely to arise in the future. Horizon scanning is defined by the Government Office for Science as 'the systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning.'
3.5 The identification of risk can be separated into 2 stages:
Initial risk identification should be completed by those bodies which have not previously identified risks in a structured way, new organisations, or when an organisation undertakes a new project or activity.
Continuous risk identification is a process of review to identify new risks as they arise, changes to existing risks, or eliminate risks which are no longer relevant.
3.6 In the current economic climate it is particularly important that public sector bodies are responsive to changes in their operating environment. Organisations must engage in the process of continuous risk identification to identify and manage threats to the business that may arise as a result of changes to the operating environment. The process should not only involve identifying new risks, but should incorporate a review of the documented risks which may no longer be valid or which may have been fully addressed. These risks should be removed from the risk register. Frequently, organisations add new risks to the register but fail to remove risks that have been addressed and that are no longer current. This can result in:
• the risk register providing an inaccurate profile of the organisation's corporate risks;
• the risk register becoming 'cluttered' with risks that are no longer current, making it difficult to identify the most significant strategic level risks faced by the organisation; and
• the risk register becoming burdensome to maintain and review.
3.7 Risk assessment and management should be a routine element of all policy development and implementation. Risks considered should not only include those which threaten the achievement of objectives, but also those of failing to identify and exploit opportunities to do things differently or better (missed opportunities).
Risk ownership
3.8 Public bodies must establish appropriate accountability arrangements to provide assurances on risk management to the Board and the Audit Committee. This will involve assigning each of the risks identified to an owner who will be responsible for ensuring that the risk is managed and monitored over time. In order to promote accountability, risk owners should be named individuals and not groups, for example 'Finance Director' rather than 'Senior Management Team'.
3.9 Ownership of key strategic risks will usually be assigned at senior management/Board level. The ownership of operational risks will be allocated to head of division or head of branch level depending on the nature of the identified risk and the potential impact on business. These risks may not be included on the corporate risk register or reported to the Audit Committee. In promoting the need for accountability, organisations should link the ownership of risk to an individual's performance objectives.
3.10 It is essential that risk owners receive the support they require in order to manage those risks that have been assigned to them and that they have the authority to assign resources to manage key risks. They will be responsible for ensuring the risk framework is applied at all levels throughout their business area.
Step 2: Risk assessment
3.11 The next step in the process is to assess the "inherent" risk to an organisation's activity. Inherent risk can be described as the exposure arising from a specific risk before any action is taken to manage it.
3.12 This involves assessing the 'likelihood' of a risk occurring and its potential 'impact' on the relevant business objective. The impact and likelihood of risks occurring will be reassessed later in the risk management process (step 4) to reflect how the risk exposure has changed as a result of the risk response. This is referred to as "residual" risk and can be described as the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.
3.13 As a minimum the impact and likelihood should be assessed as high, medium or low in a simple 3x3 risk matrix as illustrated in Figure 4. A more detailed analytical scale can be applied if appropriate: Appendix 7 shows how the Department of Education has developed its own model. Each department should reach a judgement about the level of analysis that is most suitable for its circumstances.
Figure 4 – Simple 3x3 risk assessment matrix

Likelihood  High     AMBER   RED     RED
            Medium   GREEN   AMBER   RED
            Low      GREEN   GREEN   AMBER
                     Low     Medium  High
                              Impact

3.14 This initial risk assessment focuses on inherent risk. Once organisations have completed step 4 in the risk management process the risk will be reassessed to identify the residual risk. Figure 5 provides an example of how this information might be presented in a risk register.
Figure 5 – Extract from risk register

Risk: Project deadline will not be met.
Inherent Risk Assessment (Impact/Likelihood): H / H
Risk Response: Controls:
  1. Project Board established and Senior Responsible Owner identified to manage project
  2. Regular monitoring of reported progress against milestones
  3. Contract penalties for project overruns
Residual Risk Assessment (Impact/Likelihood): M / L
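As an added illustration (not part of the NIAO report), the following Python encodes the Figure 4 matrix and the Figure 5 register row, rates each risk on both its inherent and its residual assessment, checks that a recorded response does not leave the residual rating worse than the inherent one, and lists the risks that sit above a chosen risk appetite colour (Step 3). The owner names and the two additional register rows are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Impact / likelihood levels as used in the report's 3x3 matrix (Figure 4).
LEVELS = ("L", "M", "H")
RATING_ORDER = {"GREEN": 0, "AMBER": 1, "RED": 2}

# Figure 4 cells, indexed MATRIX[likelihood][impact] with L=0, M=1, H=2.
MATRIX = (
    ("GREEN", "GREEN", "AMBER"),  # likelihood Low
    ("GREEN", "AMBER", "RED"),    # likelihood Medium
    ("AMBER", "RED", "RED"),      # likelihood High
)


def rate(impact: str, likelihood: str) -> str:
    """Map an (impact, likelihood) pair such as ('H', 'M') to its RAG colour."""
    return MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


@dataclass
class Risk:
    """One row of a risk register, following the layout of Figure 5."""
    description: str
    owner: str                        # a named individual, not a group (para 3.8)
    inherent: Tuple[str, str]         # (impact, likelihood) before any response
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[str, str]] = None  # (impact, likelihood) after response

    def inherent_rating(self) -> str:
        return rate(*self.inherent)

    def residual_rating(self) -> str:
        # Residual risk assumes the controls are effective (para 3.12); where no
        # response has been recorded the exposure is still the inherent one.
        return rate(*self.residual) if self.residual else self.inherent_rating()


def response_is_consistent(risk: Risk) -> bool:
    """A response should never leave the residual rating worse than the inherent
    rating; a register row that does so needs re-assessment."""
    return RATING_ORDER[risk.residual_rating()] <= RATING_ORDER[risk.inherent_rating()]


def outside_appetite(register: List[Risk], appetite: str) -> List[str]:
    """Descriptions of risks whose residual rating exceeds the tolerable colour,
    i.e. the rows that need escalation or further treatment."""
    return [r.description for r in register
            if RATING_ORDER[r.residual_rating()] > RATING_ORDER[appetite]]


# Constructed sample register: the first row reproduces the Figure 5 extract
# (owner name invented); the other two rows are invented to exercise the checks.
REGISTER = [
    Risk("Project deadline will not be met.", "Head of Project Branch", ("H", "H"),
         ["Project Board established and Senior Responsible Owner identified",
          "Regular monitoring of reported progress against milestones",
          "Contract penalties for project overruns"],
         residual=("M", "L")),
    Risk("Key supplier fails during contract term", "Procurement Director", ("H", "M"),
         ["Quarterly financial health checks on supplier"], residual=("H", "L")),
    Risk("Legacy system outage", "Head of IT", ("M", "M")),  # no response recorded yet
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.description:42} {r.inherent_rating():6} -> {r.residual_rating():6}"
              f" consistent={response_is_consistent(r)}")
    print("Outside a GREEN appetite:", outside_appetite(REGISTER, "GREEN"))
```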
Step 3: Risk appetite
3.15 Anorganisation’sriskappetiteistheextentofexposuretoriskthatisjudgedtolerableforthatorganisation.Theconceptmaybelookedatindifferentwaysdependingonwhethertheriskbeingconsideredisathreatoranopportunity.
• Whenconsideringthreats,riskappetiteclarifiesthelevelofexposurewhichisconsideredtolerableandjustifiableshoulditberealised.Itisaboutcomparingthecost(financialorotherwise)ofconstrainingtheriskwiththecostoftheexposureshouldtheexposurebecomearealityandfindinganacceptablebalance;or
• Whenconsideringopportunities,riskappetiteclarifieshowmuchoneispreparedtoactivelyputatriskinordertoobtainthebenefitsoftheopportunity.Itisaboutcomparingthevalue(financialorotherwise)ofpotentialbenefitswiththelosseswhichmightbeincurred(somelossesmaybeincurredwithorwithoutrealisingthebenefits).
3.16 Somerisksareunavoidableanditisnotalwayswithintheabilityoftheorganisationtomanagerisktoatolerablelevel–forexample,manyorganisationshavetoacceptthattherearerisksarisingfromterroristactivities,extremeweather,industrialactionetcwhichtheycannotcontrol.Inthiscasetheorganisationneedstomakecontingency planstominimiseanypotentialnegativeimpactofariskmaturing.
Setting the risk appetite
3.17 Risk appetite will best be expressed as a series of boundaries, appropriately authorised by management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it. Risk appetite will be expressed in the same terms as those used in assessing risk. An organisation’s risk appetite is not necessarily static; in particular the Board will have freedom to vary the amount of risk which it is prepared to take depending on the circumstances at the time. Risk appetite should be considered at different levels including:
• corporate risk appetite;
• delegated risk appetite; and
• project risk appetite.
Appendix 8 explores these concepts in more detail in a model of risk appetite that was developed by HM Treasury.
Applications of risk appetite
3.18 As part of its procedure manual the Department for Regional Development has developed a grid (see figure 7) which identifies how risk appetite will influence the behaviour of decision makers when considering the various categories of risk.
Figure 7: Department for Regional Development: Risk appetite and categories

Risk appetite levels:
Averse – Avoidance of risk and uncertainty, or preference for safe options that have a low degree of inherent risk and may only have limited potential for reward, is a key objective.
Open – Willing to consider all options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward.
Hungry – Eager to be innovative and to choose options based on potential higher rewards (despite greater inherent risk).

Category of risk: example behaviours when taking key decisions

Reputation, Political and Societal
Averse:
• Minimal tolerance for any decisions that could lead to scrutiny of the Department or Agency; limited to those events where there is little chance of any significant repercussion should there be a failure
Open:
• Appetite to take decisions with potential to expose the Department or Agency to additional scrutiny but only where appropriate steps have been taken to minimise exposure
Hungry:
• Appetite to take decisions which are likely to bring scrutiny of the Department or Agency but where potential benefits outweigh the risks

Operational
Averse:
• Defensive approach to objectives – aim to maintain or protect, rather than to create. Innovations generally avoided unless necessary
• Priority for tight management controls and oversight with limited devolved decision making authority
• Decision making authority generally held by senior management
• General avoidance of systems/technology developments. Occasional developments are limited to improvements to protection of current operations
Open:
• Innovation supported, with demonstration of commensurate improvements in management control
• Systems/technology developments considered to enable operational delivery
• Responsibility for non-critical decisions may be devolved
Hungry:
• Innovation pursued – desire to ‘break the mould’ and challenge current working practices
• New technologies viewed as a key enabler of operational delivery
• High levels of devolved authority – management by trust rather than tight control

Financial
Averse:
• Avoidance/limited financial loss is a key objective
• Only willing to accept the low cost option
• Resources withdrawn from non-essential activities or restricted to core operational targets
Open:
• Prepared to invest for reward and minimise the possibility of financial loss by managing the risks to a tolerable level
• Value and benefits considered (not just cheapest price)
• Resources allocated in order to capitalise on potential opportunities
Hungry:
• Prepared to invest for the best possible reward and accept the possibility of financial loss (although controls may be in place)
• Resources allocated without firm guarantee of return – ‘investment capital’ type approach

Compliance – legal / environmental
Averse:
• Avoid most things which could be challenged, even unsuccessfully
• Limited tolerance for sticking neck out. Would want to be reasonably sure of successful outcome of any challenge
• Play safe
Open:
• Challenge will be problematic but we are likely to win it and the gain will outweigh the adverse consequences
Hungry:
• Chances of losing are high and consequences serious. But a win would be seen as a great coup
Step 4: Addressing the risk
3.19 There are four standard traditional responses to addressing risk (see figure 8). The choice of approach taken will depend on factors such as cost, feasibility, probability and potential impact. By addressing the risks identified, organisations can constrain threats and take advantage of opportunities.
Figure 8: Actions to address risk

Terminate: A decision is made not to take the risk or cease the activity which causes the risk. Where the risks outweigh the possible benefits, risk can be terminated by doing things differently and thus removing the risk, where it is feasible to do so. This is not always possible in the provision of public services or mandated or regulatory measures but the option of closing down a project or programme where the benefits are in doubt must be a real one. For example, DFP took the decision to terminate Procurement for the Workplace 2010 programme when it became apparent in late 2008 that the prevailing conditions in the financial markets meant that it would be extremely difficult for bidders to raise the finance required to fund the project. This, coupled with the fact that the two companies shortlisted to submit best and final offers (BAFOs) announced a possible merger during the BAFO process, meant there was a serious risk that value for money could not be achieved on the project.

Tolerate: Accept the risk. This may be where the risk is external and therefore the opportunity to control it is limited, or where the probability or impact is so low that the cost of managing it would be greater than the cost of the risk being realised. This option may be supplemented by contingency planning for handling the impacts that will arise if the risk is realised. For example, cuts in departments’ budgets present a serious risk to the delivery of some services. However, cuts to budgets are outside the control of public bodies and departments must accept the cuts and develop a plan for dealing with the loss of resources.

Transfer: Where another party can take on some or all of the risk more economically or more effectively. For example, through another organisation undertaking the activity or through obtaining insurance. It is important to note that some risks are not (fully) transferable - in particular it is generally not possible to transfer reputational risk even if the delivery of the service is contracted out. The relationship with the third party to which the risk is transferred needs to be carefully managed to ensure successful transfer of risk. For example, PPP projects such as the Roads Service Westlink project and the Department of Education’s Pathfinders project are examples of where risk has, to some extent, been transferred to third parties.

Treat: Mitigate the risk. In practice, this is the most common response to risk. It is achieved by eliminating the risk or reducing it to an acceptable level by prevention or another control action. Case Studies 3 and 4 illustrate the steps taken by Invest NI to reduce risk to an acceptable level when supporting two manufacturing projects.
3.20 Organisations may also want to exploit the opportunity that a risk presents and provided this is managed well, it should be encouraged. There are two aspects to this:
• at the same time as mitigating threats, an opportunity arises to exploit positive impact. For example, if a large sum of capital funding is to be put at risk in a major project, are the relevant controls judged to be good enough to justify increasing the sum of money at stake to gain even greater advantages; and
• circumstances arise which, whilst not generating threats, offer positive opportunities, for example, a drop in the cost of goods or services frees up resources which can be redeployed.
3.21 Invest Northern Ireland’s (Invest NI) role is to grow the economy by helping new and existing businesses to compete internationally, and by attracting new investment to Northern Ireland. In order to deliver on its business objectives and support economic growth in Northern Ireland, Invest NI must embrace risk to a greater extent than other public sector bodies. Therefore, Invest NI will have a greater appetite for risk than other public sector bodies. While Invest NI has a unique outlook on risk as a result of its operating environment, there are lessons that can be learnt by other public sector bodies.
Case Study 3: Invest NI - Risk management in a successful project
Background: Invest NI provided approximately £3.5 million of a £10 million investment to support a high technology manufacturing company in Belfast whose parent company had withdrawn its support. The project proposed the creation of 52 new posts, many of which would be filled by highly skilled PhD engineers and scientists.
Risk assessment: Invest NI undertook a risk assessment of the project and identified the project as high risk for the following reasons:
• Sales achievability - a functioning prototype had not achieved commercialisation;
• A specific technical issue in the manufacturing process required resolution;
• There was a dependency on customers to incorporate the company’s product into their own products; and
• There was a reliance on a small number of key individuals.
Rationale for proceeding: Whilst the project was regarded as high risk, the appraisal identified the potential for significant commercial returns. The management team was assessed to be credible; a clear market opportunity had been identified and verified by a detailed market appraisal; an external technical appraisal identified there was a reasonable expectation that the Research and Development required to develop the product was achievable; and it was checked and confirmed that the promoters had ownership of the intellectual property underpinning their product.
How Invest NI ensured that risk was reduced to an acceptable level: Reflecting the balance between project risk and the potential commercial return, Invest NI’s financial assistance contained a significant element of ordinary share capital offering a return to the taxpayer should the project be implemented successfully.
Use of pre-conditions (to be satisfied in full before any assistance could be paid) and general conditions offered clarity and surety around:
• access to, and rights over, intellectual property;
• evidence of introduction of cash by other investors;
• timely provision of management and year end accounts to Invest NI;
• restrictions on making loans, paying dividends and remuneration levels to directors and senior managers; and
• payment of financial assistance dependent on the achievement of specified milestones including the introduction of additional capital by the promoters.
Outcome of this project: The project, which was initiated in 2005, is currently the subject of a Post Project Evaluation. Whilst loss making, manufacturing operations continue at the premises, employment is in line with projections and the Research and Development objectives of the project have been largely met. On the basis of the latest funding round, there is evidence to suggest that the value of Invest NI’s shareholding has increased measurably and there is the potential that Invest NI’s investment can be recouped either by additional external investment or further investment by existing shareholders.
How risk management contributed to the outcome: The risk element of this project was managed by maintaining a close relationship with the company; by ensuring that all pre-conditions were met before any payment of grant was made; that all general conditions were fully applied and met; and by regular monitoring of performance against targets and milestones, including receipt of copies of papers related to the company’s Board meetings.
Source: Invest NI
Case Study 4: Limiting exposure in an unsuccessful project through risk management
Background: A small and technically skilled management team established a company having previously worked at the Northern Ireland site of a large international organisation. The promoters had identified a number of complex software solutions for global markets. An estimated 80 jobs were to be created.
Invest NI provided grant support of some £85,000 and preference share capital of approximately £1.2m to the new venture to assist in the development of a number of software applications to a marketable point.
Risk assessment: As a start up venture with no track record and substantial Research & Development to carry out, the project was regarded as high risk, for the following reasons:
• whilst some applications were technically feasible and market ready, no sales had been achieved to date;
• further products required substantial development;
• reliance on third party joint ventures and alliances to develop market opportunities;
• time slippage;
• management – technically able but lacking in commercial experience and acumen; and
• cash flow and funding – the company required skilled and expensive engineers to develop and support the software applications.
Rationale for proceeding: Whilst the project was regarded as high risk, independent commercial appraisal identified a credible market opportunity.
The company had secured venture capital funding and a number of products were market ready. The management team had been strengthened and Invest NI had structured its investment to minimise risks.
How Invest NI ensured that risk was reduced to an acceptable level: Invest NI supported the project by convertible redeemable preference shares offering a return to the taxpayer and an option to convert to ordinary share capital. Invest NI funds were released in tranches against specified milestones such as the introduction of match funding from the promoters and securing additional bank funding.
The management team was strengthened by the introduction of marketing expertise and an experienced company chairman.
Invest NI made its investment payments in tranches in order to ensure that sufficient progress had been made against product development objectives.
Outcome of this project: The project did not succeed as planned. Sales were slower than expected, cash flow became critical and the company was unable to complete a further funding round.
The company went into administration approximately three years after Invest NI’s initial funding. Invest NI sought to recover monies paid to the company, but there were insufficient assets.
How risk management contributed to the outcome: Invest NI recognised that this project presented significant challenges. The technical skills of the promoters and employees were impressive and independent appraisals had confirmed the potential market opportunity. The project was closely monitored, which allowed Invest NI to limit its exposure when the risks became too great to add to.
The company’s technology and business were subsequently taken on by a newly established company under new control. This company continues to trade successfully with a number of employees from the original company.
Source: Invest NI

Good Practice - Pursuing opportunities
• Organisations should give careful consideration to the opportunity that risks may present when designing their risk responses. The project identified in Case Study 1 was considered to be high risk; however, this was outweighed by the potential opportunity that the project presented for the NI economy. The project has been very successful to date despite the initial risk assessment and this is due largely to risk being managed well.
• It is important to recognise that although risk may be managed well, a project may not achieve the desired outcomes. Provided there is sufficient evidence that risk has been managed appropriately, organisations should avoid a culture of blame but should take the opportunity to identify lessons that can be applied in the future.
• The case studies outlined above illustrate that projects may have entirely different outcomes despite managing risks in a consistent manner. This is because it is not possible to entirely eliminate risk; there will always be a level of residual risk that cannot be addressed. It is essential, therefore, that public bodies identify their risk appetite and minimise risk to an acceptable level.
• All projects should be subject to a post project evaluation to identify and promulgate any lessons learnt.
3.22 The option to “treat” in addressing risk can be further analysed into four different types of controls:
Preventative controls are designed to limit the possibility of an undesirable outcome being realised. The majority of controls implemented belong to this category. Examples include password access to computers, supervisory checks and independent authorisations on payments made to suppliers.
Directive controls are designed to ensure that a particular outcome is achieved. Examples include a requirement that protective clothing be worn during the performance of dangerous duties, or that staff are trained before being allowed to work unsupervised.
Corrective controls (reversibility) are designed to correct undesirable outcomes which have been realised. Applied after the event, these may consist of contractual remedies to recover overpayments or obtain damages or a detailed contingency plan that will be triggered by an event (e.g. disaster recovery or business contingency plans).
Detective controls are designed to identify occasions of undesirable outcomes having been realised. By definition these are after the event, so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset checks, reconciliations and post implementation reviews.
3.23 HM Treasury’s ‘Orange Book’3 emphasises that in designing controls, “it is important that the control put in place is proportional to the risk. Apart from the most extreme undesirable outcome (such as loss of human life) it is normally sufficient to design controls to give reasonable assurance of confining likely loss within the risk appetite of the organisation. Every control action has an associated cost and it is important that the control action offers value for money in relation to the risk that it is controlling. Generally speaking the purpose of control is to constrain risk rather than eliminate it.”
3.24 Taking account of the controls that have been put in place, organisations should repeat the earlier risk assessment in terms of likelihood and impact to identify the “residual” risk. This risk assessment will generally result in a lower rating for likelihood. The impact of a risk maturing can be reduced by putting in place a contingency plan that will address how the risk will be dealt with in the event of it maturing.
Step 5: Recording and reviewing risk
3.25 The risk management process is evidenced through the maintenance of risk registers. Risk registers should be maintained throughout the organisation at both operational and strategic level. The aim of the risk register is to capture, maintain and monitor information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk. Although each department will develop its own template for recording risk, the key components are as follows (see Appendix 7 for illustration):
• the business/corporate objective affected;
• details of risk(s);
• inherent risk assessment – impact and likelihood;
• risk response;
• residual risk assessment – impact and likelihood;
• planned action;
• target date; and
• risk ownership.
Risk registers are living documents which should be updated regularly.
3 The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, October 2004.
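The register components listed in Step 5, the appetite boundaries of Step 3 and the inherent-then-residual reassessment of paragraph 3.24, worked through as a small data model with the checks an audit committee would want run over a register. This is an added example, not code from the NIAO report or from any department's system: the 1 to 3 numeric scale behind the H/M/L ratings, the threshold TOLERABLE_SCORE, the function names and every sample value other than the report's own "project deadline" risk are assumptions for illustration.

```python
"""Risk register model following Steps 3 to 5 of the report: each entry records an
inherent assessment, the chosen response and controls, a residual assessment and an
owner, and the register is checked against a stated risk appetite.
Added example; not from the NIAO report or any department's system. The numeric
scale, the appetite threshold and all sample values other than the report's own
'project deadline' risk are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Assumed three-point scale matching the H/M/L ratings in the report's figures."""
    L = 1
    M = 2
    H = 3


class Response(Enum):
    """The four responses of Figure 8."""
    TERMINATE = "terminate"
    TOLERATE = "tolerate"
    TRANSFER = "transfer"
    TREAT = "treat"


@dataclass(frozen=True)
class Assessment:
    impact: Level
    likelihood: Level

    @property
    def score(self) -> int:
        """Impact x likelihood on the assumed scale, so 1 (L/L) to 9 (H/H)."""
        return self.impact.value * self.likelihood.value


@dataclass
class Risk:
    """One register entry with the components listed in paragraph 3.25."""
    objective: str
    description: str
    inherent: Assessment
    response: Response
    controls: list[str]
    residual: Assessment
    planned_action: str
    target_date: str
    owner: str


def validate(risk: Risk) -> list[str]:
    """Consistency checks a reviewer applies before accepting an entry; empty list means ok."""
    problems = []
    if risk.residual.score > risk.inherent.score:
        problems.append("residual rating exceeds inherent rating")
    if risk.response is Response.TREAT and not risk.controls:
        problems.append("'treat' chosen but no controls recorded")
    if risk.residual.score < risk.inherent.score and not risk.controls:
        problems.append("residual reduced without any control recorded")
    if not risk.owner:
        problems.append("no risk owner assigned")
    return problems


def outside_appetite(register: list[Risk], tolerable_score: int) -> list[Risk]:
    """Entries whose residual score still exceeds the appetite threshold: 'controlled
    inadequately' in the sense of paragraph 4.7, so the response must be improved."""
    return [r for r in register if r.residual.score > tolerable_score]


def possibly_over_controlled(register: list[Risk], tolerable_score: int) -> list[Risk]:
    """Entries already within appetite before any control yet still carrying controls:
    candidates for the 'controlled excessively' review of paragraph 4.7 (a prompt, not a verdict)."""
    return [r for r in register if r.inherent.score <= tolerable_score and r.controls]


TOLERABLE_SCORE = 4  # assumed corporate appetite: residual impact x likelihood of 4 or less

# Sample register (constructed). The first entry reproduces the report's own example
# (H/H inherent reduced to M/L by three controls); the other two are invented.
REGISTER = [
    Risk("Deliver the project on time", "Project deadline will not be met.",
         Assessment(Level.H, Level.H), Response.TREAT,
         ["Project Board established and Senior Responsible Owner identified",
          "Regular monitoring of reported progress against milestones",
          "Contract penalties for project overruns"],
         Assessment(Level.M, Level.L), "Review milestone reporting at each Project Board",
         "2011-09-30", "Senior Responsible Owner"),
    Risk("Maintain continuity of service", "Industrial action interrupts front-line services.",
         Assessment(Level.L, Level.M), Response.TOLERATE,
         ["Weekly contingency planning meeting"],
         Assessment(Level.L, Level.M), "Keep contingency plan current",
         "2011-12-31", "Director of Operations"),
    Risk("Deliver the outsourced service", "Key supplier becomes insolvent during the contract.",
         Assessment(Level.H, Level.H), Response.TRANSFER,
         ["Performance bond held", "Step-in rights in the contract"],
         Assessment(Level.H, Level.M), "Obtain quarterly financial health check on supplier",
         "2011-10-31", "Head of Procurement"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.description} inherent={r.inherent.score} residual={r.residual.score} "
              f"{validate(r) or 'ok'}")
    print("outside appetite:", [r.description for r in outside_appetite(REGISTER, TOLERABLE_SCORE)])
    print("possibly over-controlled:",
          [r.description for r in possibly_over_controlled(REGISTER, TOLERABLE_SCORE)])
```

Run stand-alone it prints each entry's inherent and residual scores with any consistency problems, then the entries whose residual risk remains outside appetite and those worth reviewing for excessive control. In practice the scale would be replaced by the department's own impact and likelihood categories (Appendix 7) and the threshold by the appetite the Board has authorised (3.17).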
Good Practice – Use of Information Technology
Many public bodies use Microsoft Excel to record and monitor their risk registers. The Department of Finance and Personnel (DFP) has developed and implemented a bespoke Information Technology system which records the department’s targets, objectives and associated risks and is used to provide quarterly information to the Board and the Audit and Risk Committee. The application enables individual business areas to update departmental targets and risks and can also be used to monitor progress against business plans.
DFP identified a number of benefits of using this application:
• It provides the ability to link risks to business plan targets;
• It provides the ability for business areas to update the risk status and the controls and management actions that have been put in place to mitigate against the risks;
• It assigns risk owners at departmental board level for corporate risks;
• Risks can be escalated to divisional, directorate and departmental levels as appropriate; and
• It produces the corporate risk register which is provided to both the Board and the Audit and Risk Committee.
Fraud risk assessment
3.26 All organisations are subject to fraud risks and therefore should complete a fraud risk assessment on a periodic basis. A detailed fraud assessment needs to be performed by division and/or function. Functions and services that need to be included in the assessment are finance and accounting, human resources management (payroll), purchasing and contracting, and information technology. As a part of the assessment, organisations need to look at the control environment and information technology, as both have a significant effect on fraud risk for most functions.
3.27 An effective fraud risk management assessment should identify where fraud may occur and who the perpetrators might be. Control activities should always consider both internal and external fraud.
3.28 A fraud risk assessment will include the same three key elements of any other risk assessment:
• Identify inherent fraud risk — Gather information to obtain the population of fraud risks that could apply to the organisation. Included in this process is the explicit consideration of all types of fraud scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organisation;
• Assess likelihood and significance of inherent fraud risk — Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with relevant staff, including business process owners; and
• Respond to reasonably likely and significant inherent and residual fraud risks — Decide what the response should be to address the identified risks.
Appendix 9 provides a practical example of a fraud risk assessment.
Part Four: Accountability
Responsibilities
4.1 With the right culture risk management should become inherent in the organisation’s operations and in the roles and responsibilities of staff. In order to promote and embed such a risk management culture organisations should focus on the following key drivers:
• Communication: Everyone should be aware of the organisation’s risk appetite, along with the corresponding policy, strategy and processes. Staff should be aware of the process to raise risk related issues, which should be clearly documented and communicated. It is important that staff feel confident in raising risk related issues even when this may present negative impacts for the organisation. Staff must also be confident that any issues or concerns that they raise will be considered at an appropriate level and will, where necessary, be acted upon;
• Leadership: The Accounting Officer and senior managers have a key role in embedding the risk management culture. They should promote risk management through their own behaviours and actions by encouraging others;
• Resource: Risk owners should have the necessary resources at their disposal to implement risk responses. They should also be well equipped and supported to manage risk. This will involve providing the relevant training and access to risk management advice and expertise; and
• Ownership and responsibility: Risk management responsibilities should be clearly linked to personal objectives and to the performance appraisal system. Relevant staff should be empowered to take well managed risks in the knowledge that they will not be blamed for any negative outcomes providing risk has been managed in a way which is consistent with the organisation’s risk appetite.
Governance
4.2 A public body’s Board and Audit and Risk Committee have vital roles to play in the governance of risk management (see figure 2). In line with good governance, the Board should include non-executive directors and the Audit and Risk Committee should be chaired by a non-executive director. This should contribute to an independent review of the risk management strategy and the corporate risk register.
Good Practice – Risk review group
The Department of Agriculture and Rural Development (DARD) established a Risk Review Group (RRG) in June 2007 as a committee to coordinate and champion risk management and reporting of risk. The RRG is a subgroup of the Corporate Governance Audit Committee (CGAC), is chaired by a non-executive director and comprises representatives of all business groups within the department. It meets four times per year and reports back to the CGAC.
4.3 The public bodies that we reviewed indicated that the risk register was a standing item on the agenda of the Audit and Risk Committee and in most cases the full Board reviewed the corporate risk register either monthly or quarterly.
Good Practice – Provision of information to the Board
DARD currently prepares a risk commentary which is presented to and reviewed by the Board on a monthly basis. The risk commentary is coordinated by the Head of Financial Policy and commentary is sought from across all business areas. This process assists the Board in conducting a high level review of the corporate risk register on a regular basis.
Reporting
4.4 An organisation’s system of internal control is designed to manage risk to an acceptable level. In accordance with Managing Public Money Northern Ireland, the Accounting Officer must report annually on the system of internal control by preparing and signing a Statement on Internal Control. The Statement on Internal Control should reflect on the system of internal control in operation in the department and its ALBs throughout the year, and should highlight any significant internal control weaknesses or failures.
4.5 In order to assist the Accounting Officer in fulfilling his or her responsibilities, departments indicated that they have put in place a process for stewardship reporting. In most cases this involves the head of each division in the core department, and the Accounting Officer in each ALB, submitting a stewardship statement to the Accounting Officer at least biannually (in some cases quarterly). The stewardship statements should reflect any significant internal control issues in the relevant ALB or division and should be timed to support the Accounting Officer in his/her preparation of the Statement on Internal Control. The National Audit Office has produced guidance on the arrangements for the production of the Statement on Internal Control4,5.
4 A Good Practice Guide to the Statement on Internal Control, National Audit Office, 2010
5 DAO (DFP) 02/10 The Statement on Internal Control: a Guide for Audit Committees
Good Practice - Stewardship reporting
The Office of the First Minister and Deputy First Minister (OFMDFM) recently redesigned and expanded its stewardship reporting process to address a wider range of governance and control issues and issued guidance on corporate/business area risk frameworks to staff. The framework provides a checklist for completion of quarterly stewardship statements which covers eleven key areas of risk (OFMDFM’s pro forma stewardship statement is provided at Appendix 10).
In completing the stewardship statements, directors and Accounting Officers reflect on:
• any findings emerging from recent internal audit reviews undertaken in the business area;
• findings emerging from the year-end audit of the department’s Resource Accounts by NIAO;
• any control and approval issues highlighted by the Department of Finance and Personnel’s annual review of consultancy spend;
• matters arising from in-year asset verification exercises; and
• any issues that may have emerged in relation to the sponsorship of Non-departmental Public Bodies.
Significant internal control issues should be identified and commented on in the statement, including proposed remedial action to minimise the impact of identified risks materialising.
Assurance
4.6 HM Treasury Guidance states that “assurance draws attention to the aspects of risk management, governance and internal control that are functioning effectively and the aspects which need to be given attention to improve them. Assurance helps a Board to judge whether or not its agenda is focussing on the issues that are most significant in relation to achieving the organisation’s objectives and whether best use is being made of resources”.6 There are a number of ways in which organisations might seek assurances that the risk management strategy and procedures in place provide an adequate level of assurance to their Board and audit committee:
• Internal Audit – conduct and report on an annual programme of work. The Head of Internal Audit will adopt a risk based approach to planning its work, referring to organisational risk registers in identifying topics for review. In addition to individual audit reports that the Head of Internal Audit will produce to record the audit findings of individual audit assignments, he/she will prepare an annual report giving his/her opinion on risk management, control and governance which is generally timed to support and inform the Accounting Officer’s Statement on Internal Control. The annual report will provide an overview of the internal audit work undertaken throughout the year and will highlight any limited assurance ratings. HM Treasury Guidance highlights that, “the work of Internal Audit is likely to be the single most significant resource use by the Audit Committee in discharging its responsibilities. This is because the Head of Internal Audit, in accordance with the Government Internal Audit Standards, has a responsibility to offer an annual audit opinion on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes”.
Good Practice - Internal Audit review of the risk management process
As part of the Department of Culture, Arts and Leisure’s recent review of its risk management framework it has introduced a requirement for Internal Audit to perform an annual review, with the objective of providing the Board and the Audit and Risk Committee with an opinion on the Department’s risk management process and risk registers. This review will be timed to support the Accounting Officer in signing the Statement on Internal Control.
• External audit – will issue a report to those charged with governance as part of the year-end audit of the financial statements. This report will highlight any internal control or governance issues that have been identified during the external audit procedures.
• Other audit and verification exercises – public bodies may be subject to a range of additional audit, inspection and verification exercises as a result of the nature of their business and the funding that has been received. These exercises may result in other audit bodies bringing internal control issues to the attention of the Audit and Risk Committee and the Board.
• Statement on Internal Control – should be reviewed by the Audit Committee to ensure that the information presented in the statement is complete and accurately reflects other information relating to risk and internal control that has been presented to the committee throughout the year. National Audit Office published guidance in ‘The Statement on Internal Control: A Guide for Audit Committees’ in 2010.
• Self-assessment – it is recognised that it is good practice for Audit and Risk Committees to conduct a self assessment annually. National Audit Office published ‘The Audit Committee Self-Assessment Checklist’ in November 2009 and this includes a section on internal control.
6 HM Treasury – Audit Committee Handbook
Good Practice - National Audit Office
Audit Committee self-assessment – Internal control issues for consideration
• Does the Audit Committee consider whether corporate governance is embedded throughout the organisation, rather than treated as a compliance exercise?
• Does the Audit Committee consider whether the system of internal reporting gives early warning of control failures and emerging risks?
• Does the Audit Committee consider whether the Statement on Internal Control is sufficiently comprehensive and meaningful, and the evidence that underpins it?
• Does the Audit Committee satisfy itself that the system of internal control has operated effectively throughout the reporting period?
• Does the audit committee consider whether financial control, including the structure of delegations, enables the organisation to achieve its objectives and achieve good value for money?
• Does the audit committee monitor whether the organisation’s procedures for identifying and managing business risk have regard for the relevant legislation and regulation?
• Third-party review – public bodies may seek independent assurance from third parties on their risk management process and risk registers.
Good Practice – Third party reviews
As part of a wider review of its risk management processes, the Department for Social Development recently engaged another NICS department to conduct a review of its corporate risk register. This worked well in practice as it provided an independent assessment of the risk register. Due to the similar nature of the body undertaking the review there was a common understanding of how risk management should be applied in the public sector environment.
The Department for Regional Development employed consultants to undertake a performance assessment of its risk management strategy. This exercise provided valuable lessons on how to apply best practice.
4.7 The assurance provided by the various methods identified above should assist the audit and risk committee in identifying where risk is:
• managed adequately and appropriately;
• controlled inadequately; or
• controlled excessively.
Where risks are managed adequately and appropriately no further action is required other than to monitor and review the risk. However, where a risk is controlled inadequately, measures to improve the risk response must be implemented. In the current economic climate there is an increasing pressure on resources. It is therefore essential that public bodies take a measured approach in managing risk and consider the cost/benefit that controls represent. Due to the traditionally risk averse nature of the public sector it is not uncommon to find excessive controls in operation. This can result in significant waste and by identifying such measures it may be possible to identify cost savings. The role of the Audit Committee is to advise the Board on such matters, to enable it to make an informed decision. The Audit Committee must, however, ensure that it maintains independence to avoid becoming involved in executive risk management responsibilities.
Appendices
Appendix 1: Risk management checklist (paragraph 1.4)
1. Risk Management Framework | Response
1.1 Does the organisation have an established risk management function, e.g. a risk champion, risk manager, risk management department, risk committee?
1.2 How is risk management sponsored by the Accounting Officer, and responsibility shared with the Board and the Senior Management team?
1.3 Is the organisation’s approach to risk fully documented and widely distributed? (i.e. risk appetite)
1.4 How has risk management been embedded in the following processes:
– Performance management
– Operational management
– Financial management
– Business planning
1.5 How have the following contributed to the development of risk management within your organisation?
– HM Treasury Orange Book
– Internal Audit
– External Audit
– Other (please detail)
1.6 Does the organisation have a risk management strategy and/or policy?
1.7 Has the risk management strategy/policy been endorsed by the Accounting Officer/Board/Audit and Risk Committee?
1.8 How has the risk management strategy/policy been promulgated to staff?
1.9 How often is the risk management strategy/policy reviewed? When was the strategy/policy last reviewed/updated?
1.10 How does the risk management strategy promote the need for effective communication to all relevant stakeholders?
1.11 How does the risk strategy/policy outline how risk should be considered at each level (strategic and operational) throughout the organisation?
1.12 What process is in place for escalating risks throughout the organisation?
1.13 Is there a contingency or business continuity plan in place? If so, how often is it tested?
1.14 Is there an IT recovery plan in place? If so, how often is it tested?
1.15 Is there a communications strategy in place that can be applied in the event of risk maturing?
2. Risk Management Process (Response)
2.1 Are the responsibilities of all staff clearly defined and regularly reviewed?
2.2 Do risk registers record the following information: Identified risks; Inherent risk assessment (impact and likelihood); Response to risk; Residual risk assessment (impact and likelihood); Risk ownership; Timescale for actions required?
2.3 Is there a risk register in place which has identified the risks to the organisation at a strategic (organisational) level?
2.4 Are risk registers maintained at an operational (divisional) level?
2.5 Are risk registers maintained at a project level or does evidence exist that risks are assessed for projects individually?
2.6 How often are risk registers reviewed?
2.7 What techniques are used by the organisation in identifying risks?
2.8 How have the risks identified been linked to the objectives of the organisation?
2.9 How have risks been ranked and prioritised for action?
2.10 How regularly are the responses to key risks monitored?
2.11 Who is responsible for monitoring the risks?
2.12 Is there any early warning system in place to identify any threats that may contribute to the realisation of key risks?
2.13 Is there a policy in place for managing the risks associated with working with partners at project level?
2.14 How are risks associated with working with partners at project level identified and managed?
2.15 What is the process in place for reviewing the risk assessment throughout the project lifecycle?
2.16 How does the rigour of this process vary according to the size/duration/profile of the project?
2.17 What IT software does the organisation use in its risk management process?
2.18 How is risk management incorporated into the organisation's training programme? Is risk management included in induction training for all new staff?
2.19 Is there any form of ongoing risk communication across the organisation?
2.20 Does the organisation maintain a risk database?
3. Accountability (Response)
3.1 Have responsibilities for identifying, managing and reporting risk been established? How regularly are these responsibilities reviewed?
3.2 Are responsibilities in relation to risk reflected in personal objectives and the performance appraisal system?
3.3 What measures have the executive directors put in place for reporting on the risk management process to the Board and the Audit and Risk Committee?
3.4 How frequently does risk management appear on the Board agenda?
3.5 How does the Board/Senior Management team assure themselves that they have identified all of the organisation's risks?
3.6 What references have been made to the risk management process in the annual report?
3.7 Have any significant internal control issues relating to identified risks been highlighted in the Statement on Internal Control in recent years?
3.8 How does the Internal Audit Service use the risk management framework when planning their work?
3.9 How does the organisation ensure that systems of internal control are operating robustly?
3.10 How does the organisation gain independent assurance on the effectiveness of its risk management process?
Appendix 2 Participants (paragraph 1.4)
The following public sector bodies assisted our review by completing the risk management checklist.
1. Department of Agriculture and Rural Development
2. Department of Culture, Arts and Leisure
3. Department of Education
4. Department for Employment and Learning
5. Department of Enterprise, Trade and Investment
6. Department of Finance and Personnel
7. Department of Health, Social Services and Public Safety
8. Department of the Environment
9. Department of Justice
10. Department for Regional Development
11. Department for Social Development
12. Invest Northern Ireland
13. Northern Ireland Assembly
14. Northern Ireland Ombudsman and Commissioner for Complaints
15. Office of the First Minister and Deputy First Minister
16. Public Prosecution Service
Appendix 3 HM Treasury Audit Committee Handbook: Key questions for an Audit Committee to ask (paragraph 2.5)
On the strategic processes for risk, control and governance, how do we know:
• that the risk management culture is appropriate?
• that there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
• that the Risk Register is an appropriate reflection of the risks facing the organisation?
• that appropriate ownership of risk is in place?
• that management has an appropriate view of how effective internal control is?
• that risk management is carried out in a way that really benefits the organisation, or is it treated as a box ticking exercise?
• that the organisation as a whole is aware of the importance of risk management and of the organisation's risk priorities?
• that the system of internal control will provide indicators of things going wrong?
• that the Accounting Officer's annual 'Statement on Internal Control' is meaningful, and what evidence underpins it?
• that the Statement on Internal Control appropriately discloses action to deal with material problems?
• that the Board is appropriately considering the results of the effectiveness review underpinning the Statement on Internal Control?
On risk management processes, how do we know:
• how senior management and Ministers support and promote risk management?
• how well people are equipped and supported to manage risk well?
• that there is a clear risk strategy and policies?
• that there are effective arrangements for managing risks with partners?
• that the organisation's processes incorporate effective risk management?
• if risks are handled well?
• if risk management contributes to achieving outcomes?
Appendix 4 Department of Health, Social Services and Public Safety: Extract from communications plan (paragraph 2.12)
Devising a Communications Strategy
The following strategic questions are to be considered when devising the Communications Strategy.
• What is the nature of the event or incident that has occurred and has a commonly understood picture of the incident been reached?
• Does the incident point to a deeper issue or problem that could impact upon the reputation of the Department?
• Has the incident finished or is there potential for more to come and, if so, what are the timescales?
• How bad could this get and what is the most realistic worst-case scenario?
• What will our stakeholders (internal and external) make of this situation?
• What does the Department stand to lose because of this incident?
• What allies can the Department involve?
Key Message Checklist
The following should be considered in relation to message content and tone:
• Provide as much information on the incident as is available and verified as factual.
• Provide a human face that shows the Department cares.
• Provide reassurance that any risks have passed, or that action is underway to mitigate any risks, and tell people what they too can do.
• Outline a solid history in regard to incidents and incident management.
• Provide details of when and how further information will be made available.
• Provide written background briefs on the Department outlining the role of the DHSSPS and its main services.
• Provide detailed evidence to back any claims made.
The following steps form a useful guide for Communications Planning (the original presents these as a flowchart):
• Design and issue a holding statement
• Assess the situation
• Select a communications strategy and target audiences
• Implement the communications plan
• Inform staff and ensure information is centralised and coordinated
• Select the most appropriate messages and means of delivery
• When asked, provide information and reassurance
• Avoid confrontation and remain flexible
• Consider the long term strategic implications
Appendix 5 HM Treasury Orange Book: Categories of risk (paragraph 3.2)
External (arising from the external environment, not wholly within the organisation's control, but where action can be taken to mitigate it)
• Political: Change of government; cross cutting policy decisions; machinery of government changes (eg devolution)
• Economic: Ability to attract and retain staff in the labour market; exchange rates affect costs of international transactions; effect of global economy on NI economy
• Socio-cultural: Demographic changes affect demand for services; stakeholders' expectations change
• Technological: Obsolescence of current systems; cost of procuring best technology available; opportunity arising from technological development
• Legal/regulatory: EU requirements/laws which impose requirements (such as health and safety or employment legislation)
• Environmental: Buildings need to comply with changing standards; disposal of rubbish and surplus equipment needs to comply with changing standards
Operational (relating to existing operations, both current delivery and building and maintaining capacity and capability)
• Service/product failure: Fail to deliver the service to the user within agreed/set terms
• Project delivery: Fail to deliver on time/budget/specification
• Resources: Financial (insufficient funding, poor budget management, fraud); HR (staff capacity, skills, recruitment and retention); Information (adequacy for decision making, protection of privacy); Physical assets (loss, damage, theft)
• Relationships: Delivery partners (threats to commitment to relationship, clarity of roles); Customers/service users (satisfaction with delivery); Accountability (particularly to the Assembly)
• Operations: Overall capacity and capability to deliver
• Reputation: Confidence and trust which stakeholders have in an organisation
• Governance: Regularity and propriety/compliance with relevant requirements/ethical considerations
• Scanning: Failure to identify threats and opportunities
• Resilience: Capacity of systems/accommodation/IT to withstand adverse impacts and crises (including war and terrorist attack); Disaster recovery/contingency planning
• Security: Of assets and information
Change (risks created by decisions to pursue new endeavours beyond current capability)
• PSA targets: New PSA targets challenge the organisation's capacity to deliver/ability to equip the organisation to deliver
• Change Programme: Programmes for organisational or cultural change threaten current capacity to deliver as well as providing opportunity to enhance capacity
• New projects: Making optimal investment decisions/prioritising between projects which are competing for resources
• New policies: Policy decisions create expectations where the organisation has uncertainty about delivery
Appendix 6 Department for Regional Development – Risk checklist (paragraph 3.3)
A risk checklist is an in-house list of risks that were identified or occurred during previous organisational activities. It permits managers to capture lessons learned and assess whether similar risks are relevant to current activities.
This checklist should be used as a means of kick starting and facilitating discussions on risks which may impact on the achievement of business objectives. It should be noted that these risks are not exhaustive and it is expected that business areas will develop and tailor this to meet their own needs as specific business risks are identified. The checklist will be updated annually following input from Departmental Risk Coordinators.
People
• Will the business area have the personnel in place to meet business objectives?
• Does everyone know and understand their roles and responsibilities?
• Do we have clear Job Descriptions, PPAs and PDPs?
• Do we have the processes and procedures in place to facilitate recruitment?
• Do we know the knowledge, skills and experience required to do the job?
• Are staff appropriately trained to deliver business objectives?
• Are staff appropriately trained in navigating the HR Connect system?
Finance
• Has the achievement of the business objectives been effectively budgeted for in terms of financial resources?
• Are controls in place to monitor financial performance against business objectives?
• Does the business area have appropriate systems in place to report on financial performance?
• Are staff appropriately trained on Account NI procedures?
Data Management
• Can the business area be assured that personal details of staff and/or the public are sufficiently safeguarded?
• Does the business area have suitable data management/ICT systems in place?
• How does the business area store and transport confidential/sensitive information?
• Are passwords regularly changed and updated?
• Is everyone aware of the Departmental Data Management and Security arrangements?
• Are staff trained in using the TRIM system?
Arms Length Bodies
• Does the sponsoring division have appropriate governance arrangements with its sponsor organisation?
• Is performance of the Arms Length Body monitored and reported to Senior Management in the Department?
• Are the objectives of the ALB in line with Departmental objectives?
Service Providers
• Is the business area content that its contracts and SLAs with service providers are adequate and reflect the needs of the Department?
• Is the behaviour and performance of Service Providers monitored and reported to Senior Management?
Policy Issues
• Are project management arrangements in place to ensure the effective and timely delivery of policy?
• Does the business area have political agreement for any policy decisions?
• Have the views of stakeholders and the public been factored into the decision making process?
Emergency Planning
• Does the business area have adequate contingency planning arrangements in place in the event of an emergency?
• Are staff and/or the public (where appropriate) aware of the emergency arrangements?
Appendix 7 Department of Education - Assessment categories for impact and likelihood (paragraph 3.13)
Risk Evaluation - Impact
Each category is rated on five levels: Minor (low), Moderate (low-medium), Significant (medium), Major (medium-high), Critical (high).
Achievement of Objectives
• Minor (low): No risk to DE demonstrating achievement of its key objectives (to deliver on time, within budget etc.).
• Moderate (low-medium): Failure to deliver more than one Directorate/Programme level objective.
• Significant (medium): One or more key objective is only just delivered (eg. significant delay or a downward trend).
• Major (medium-high): Failure to deliver one key objective.
• Critical (high): Failure to deliver more than one key objective. Failure to deliver the majority of DE key objectives (PSA's/Ministerial Priorities).
Operational Delivery
• Minor (low): No interruption to service. Minor industrial protest.
• Moderate (low-medium): Some disruption manageable by altered operational routine.
• Significant (medium): Disruption to a number of operational areas within a location and possible flow on to other locations.
• Major (medium-high): All operational areas of a location compromised. Other locations may be affected.
• Critical (high): Total system dysfunction. Total shutdown of operations.
Financial
• Minor (low): Financial loss, loss of funding or inescapable unfunded pressures under £20K. +/-1% variance to budget.
• Moderate (low-medium): Financial loss, loss of funding or inescapable unfunded pressures under £100K. +/-2% variance to budget. NIAO criticism.
• Significant (medium): Financial loss, loss of funding or inescapable unfunded pressures under £250K. +/-5% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularities below SCS or within NDPBs.
• Major (medium-high): Financial loss, loss of funding or inescapable unfunded pressures under £500k. +/-10% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularity at SCS or NDPB Senior Management level.
• Critical (high): Financial loss, loss of funding or inescapable unfunded pressures over £1m. +/-15% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularity at Ministerial/Board or NDPB CE level.
Compliance/Regulatory/Legal
• Minor (low): Breach of local procedures not requiring external intervention/sanction.
• Moderate (low-medium): Breach of National Procedures/Standards. Potential for minor legal challenge to DE.
• Significant (medium): Breach of subordinate legislation. Failure to comply with relevant guidance results in expenditure being deemed irregular. Potential for moderate legal challenge to DE.
• Major (medium-high): Breach of Primary legislation. Potential for significant legal challenge to DE. Likelihood that damages will be awarded against DE or changes will be required to subordinate legislation to ensure compliance.
• Critical (high): Breach of national or international statutory duties. Legal challenge which halts delivery of policy. Major damages awarded against DE or changes will be required to primary legislation to ensure compliance.
Security
• Minor (low): Non-notifiable or reportable incident.
• Moderate (low-medium): Localised incident. No effect on operations.
• Significant (medium): Localised incident. Significant effect on operations.
• Major (medium-high): Significant incident involving multiple locations.
• Critical (high): Extreme incident seriously affecting continuity of operations.
Health & Well-being
• Minor (low): Isolated incident – no significant health impact.
• Moderate (low-medium): Small number of minor injuries requiring first aid treatment.
• Significant (medium): Compensatable injury/stress.
• Major (medium-high): Serious injury/stress resulting in hospitalisation. Possible fatalities. Local Child Protection issue.
• Critical (high): Fatality. Widespread Child Protection issue.
Reputational
• Minor (low): Minor adverse publicity in local media. Event that will lead to public criticism by external stakeholders as anticipated.
• Moderate (low-medium): Significant adverse publicity in local media. Increased Assembly/Westminster scrutiny. Event that may lead to widespread public criticism.
• Significant (medium): Significant Assembly/Westminster scrutiny. Formal communication required with public. Significant adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a short period.
• Major (medium-high): Oral Statement required in Assembly. Sustained adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a sustained period or at a critical moment.
• Critical (high): Ministerial/Board/CE (NDPB)/Senior Management resignation/removal. Incompetence/maladministration or other event that will destroy public trust or a key relationship.
Risk Evaluation - Likelihood
Descriptor: Detailed Description
• 1. Unlikely (low): >10% chance of occurrence. May occur only in exceptional circumstances. Has never occurred before within the remit of DE or any other Department. Unlikely to occur during the lifespan of the policy/programme/project/operation.
• 2. Remote (low-medium): 11-30% chance of occurrence. Might conceivably occur at some time. More likely not to occur than to occur. Has not occurred recently within the remit of DE or any other Department. There is a small chance that this may occur at some stage during the lifespan of the policy/programme/project/operation.
• 3. Possible (medium): 31-59% chance of occurrence. Could occur at some time. Has occurred recently within the remit of another Department. Might occur at some stage during the lifespan of the policy/programme/project/operation.
• 4. Probable (medium-high): 60-84% chance of occurrence. Will probably occur in most circumstances. More likely to occur than not to occur. Has occurred recently within the remit of DE or another Department. Likely to occur within the next 1-2 years or during the lifespan of the policy/programme/project/operation.
• 5. Almost Certain (high): 85% chance of occurrence. Is expected to occur in most circumstances. This is known to occur in similar projects and programmes. Happens frequently within the remit of DE or other Departments. Highly likely to occur within the financial year or lifespan of the policy/programme/project/operation, probably early on and possibly more than once.
Escalation Triggers
In order to ensure that risks are being managed at an appropriate level, there are a number of trigger points where risks should be escalated to specified levels of management as they approach or exceed their agreed risk appetite. These are set out below. However, in all cases where a risk is assessed as 'Orange', it should be brought to the attention of the DE Board. In all cases where a risk is assessed as 'Red', it should be brought to the attention of the DE Board and Minister.
Risk Assessment Matrix
Each cell is the impact score multiplied by the likelihood score. Columns are likelihood; rows are impact.
Impact \ Likelihood | 1 Unlikely (>10%) | 2 Remote (11-30%) | 3 Possible (31-59%) | 4 Probable (60-84%) | 5 Almost Certain (85%+)
Critical (5) | 5 | 10 | 15 | 20 | 25
Major (4) | 4 | 8 | 12 | 16 | 20
Significant (3) | 3 | 6 | 9 | 12 | 15
Moderate (2) | 2 | 4 | 6 | 8 | 10
Minor (1) | 1 | 2 | 3 | 4 | 5
Escalation Triggers
Columns: Risk Category; Risk Appetite; Acceptable Range (up to and including); Escalation.
• Health and Well-being: Averse; Green; Risks should be elevated to Director level for consideration if assessed as Amber or higher.
• Financial/VFM Risks, Compliance/Legal/Regulatory Risks, Information and Security: Modest / Cautious; Amber; Risks should be elevated to Director level if assessed as Amber or higher.
• Operational and Policy Delivery Risks, Reputation and Credibility: Open/Hungry; Orange; Regardless of the risk appetite, DE Board should be made aware of any Directorate Risks assessed as Orange and contingency plans should be developed.
• Red (any category): Regardless of the risk appetite, DE Board and Minister should be made aware of any Directorate Risks assessed as Red and advised immediately of any early warning signals that the risk may be realised. Contingency plans should also be developed and tested.
Example
• Team A identifies a risk to health and well-being that is assessed as having a residual risk score of 12. On the risk assessment matrix, 12 = Orange.
• The Department's risk appetite for risks to Health and Well-being is described as 'Averse'. Risks to Health and Well-being are therefore only at an acceptable level when they are assessed as 'Green'. Any risks in an area for which the Department's risk appetite is 'Averse' and which are assessed as higher than 'Green' should therefore be referred to the Director for consideration.
• In addition, any risks on the Directorate Risk Register which are assessed as 'Orange' should be drawn to the attention of the DE Board.
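The scoring, colour banding and escalation triggers above, written out as an added Python example (not code from the report or from the Department of Education). The score-to-colour bands are an assumption, since the appendix only states that a score of 12 is Orange, and the Director-level trigger is read as "colour exceeds the category's acceptable range"; the Board and Minister triggers follow the appendix directly.

```python
"""Risk scoring and escalation in the style of the DE assessment matrix."""
from enum import IntEnum


class Impact(IntEnum):
    MINOR = 1
    MODERATE = 2
    SIGNIFICANT = 3
    MAJOR = 4
    CRITICAL = 5


class Likelihood(IntEnum):
    UNLIKELY = 1
    REMOTE = 2
    POSSIBLE = 3
    PROBABLE = 4
    ALMOST_CERTAIN = 5


# Colours ordered from most to least tolerable.
COLOURS = ("Green", "Amber", "Orange", "Red")

# ASSUMPTION: the appendix gives only one data point for the colour bands
# (a residual score of 12 is Orange). These ranges are constructed for
# illustration and must be replaced with the organisation's own bands.
COLOUR_BANDS = {"Green": (1, 4), "Amber": (5, 9), "Orange": (10, 15), "Red": (16, 25)}

# Risk appetite and the highest acceptable colour per category, as set out in
# the Escalation Triggers table.
APPETITE = {
    "Health and Well-being": ("Averse", "Green"),
    "Financial/VFM": ("Modest / Cautious", "Amber"),
    "Compliance/Legal/Regulatory": ("Modest / Cautious", "Amber"),
    "Information and Security": ("Modest / Cautious", "Amber"),
    "Operational and Policy Delivery": ("Open/Hungry", "Orange"),
    "Reputation and Credibility": ("Open/Hungry", "Orange"),
}


def risk_score(impact: Impact, likelihood: Likelihood) -> int:
    """One matrix cell: impact (1-5) multiplied by likelihood (1-5)."""
    return int(impact) * int(likelihood)


def assessment_matrix() -> dict:
    """Rebuild the 5x5 matrix, keyed by impact name, highest impact first."""
    return {
        imp.name: [risk_score(imp, lik) for lik in Likelihood]
        for imp in sorted(Impact, reverse=True)
    }


def colour_for(score: int) -> str:
    """Map a score to its colour band; scores outside 1-25 are rejected."""
    for colour, (low, high) in COLOUR_BANDS.items():
        if low <= score <= high:
            return colour
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def escalation(category: str, impact: Impact, likelihood: Likelihood) -> dict:
    """Apply the escalation triggers to one residual risk.

    Director: the colour exceeds the acceptable range for the category's
    appetite (assumed reading of the per-row rule in the table).
    DE Board: any Orange or Red, regardless of appetite; contingency plan developed.
    DE Board and Minister: any Red; contingency plan developed and tested.
    """
    appetite, acceptable = APPETITE[category]
    score = risk_score(impact, likelihood)
    colour = colour_for(score)
    within_appetite = COLOURS.index(colour) <= COLOURS.index(acceptable)
    refer_to = []
    if not within_appetite:
        refer_to.append("Director")
    if colour in ("Orange", "Red"):
        refer_to.append("DE Board")
    if colour == "Red":
        refer_to.append("Minister")
    contingency = {"Orange": "develop", "Red": "develop and test"}.get(colour, "not required")
    return {
        "category": category,
        "appetite": appetite,
        "score": score,
        "colour": colour,
        "within_appetite": within_appetite,
        "refer_to": refer_to,
        "contingency_plan": contingency,
    }


if __name__ == "__main__":
    # The worked example above: Team A, health and well-being, residual score 12.
    print(escalation("Health and Well-being", Impact.MAJOR, Likelihood.POSSIBLE))
```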
Appendix 8 HM Treasury Orange Book: Model of risk appetite (paragraph 3.17)
Risk appetite can be further analysed into the following categories:
Corporate risk appetite is the overall amount of risk judged appropriate for an organisation to tolerate (point A). This may not be just one statement: the Office of Government Commerce (OGC), for example, looks at 5 key risk areas (policy/guidance risk; people and internal systems risk; propriety, regularity, finance and accountability risk; reputation risk; external risk) and makes a statement on risk appetite for each. The Board and senior managers should judge the tolerable range of exposure for the organisation and identify general boundaries for unacceptable risk (or at least for risks that should always be referred to/escalated up to the Board for discussion and decision when they arise). In doing this the Board may want to take Ministerial views on risk-taking into account.
Delegated risk appetite: The agreed corporate risk appetite can then be used as a starting point for cascading levels of tolerance down the organisation, agreeing risk appetite in different levels of the organisation (point B). The anticipated effect is that what is considered a high level of risk will become a lower level of risk to a higher level of management. This facilitates both a risk escalation process for the taking of risk decisions when delegated boundaries are met and empowers people to innovate within their delegations.
[Figure: model of risk appetite across the Strategic, Programme and Operational levels. A. Define risk appetite; B. Identify responses to manage risks; C. Report risks (outside tolerance level); D. Agree responses, potentially including reviewing risk appetite. Set and communicate general tolerances for risks.]
Project Risk Appetite: Projects that fall outside of day-to-day business of an organisation may need their own statement of risk appetite. Different types of projects may require different levels of risk appetite; for example, an organisation may be prepared to accept a higher level of risk for a project that would bring substantial reward.
Different types of project could be:
• Speculative (akin to venture capitalism in the corporate sector): with high risks but potentially high rewards, e.g. Invest to Save Budget projects; Pilot projects. It may be that the bulk of these projects are unsuccessful but important lessons are learnt;
• Standard development projects: for example IT, procurement, construction, etc; and
• Mission critical projects: where organisations need to be sure of success.
The level of risk appetite will obviously vary, with a speculative project prepared to take on higher levels of risk than a "Mission Critical" project.
Effective management and application of delegated risk appetite requires escalation processes. It is possible to set 'trigger points' where risks can be escalated to the next level of management as they approach or exceed their agreed risk appetite levels (point C). The next level up in the hierarchy would then take appropriate action, which may mean managing the risk directly, or could mean adjusting the level of risk that they are happy for the level below to manage (point D). It is also often the case that a higher level of management, with a wider portfolio of risk to manage, has more scope to accept higher risks in particular areas as they can offset them against other lower risks in their portfolio.
Appendix 9 Strategic Investment Board – Fraud risk assessment (paragraph 3.28)
ID | Risk | Impact | Countermeasures | Notes
1 | Suppliers may submit fraudulent invoices. | HIGH | Requirement for payment authorisation by responsible adviser/manager. Requirement for approved business cases to support all expenditure. | Payments audited annually. System subject to internal audit in Sept 2008.
2 | Finance staff may abuse systems for personal gain. | HIGH | Dual authorisations of all payments. Separation of duties. Rotation of staff. Insistence on Finance Staff taking full leave entitlement, including at least one break of more than one week's duration. | Systems audited annually.
3 | Temporary workers submit improperly completed timesheets. | LOW | Checks made against MyHours and IT System log-in and log-out records. Timesheets authorised by supervisor. Rates checked by HR Manager. Invoices checked by Finance staff. |
4 | Improper claims for travel and subsistence. | LOW | All claims require authorisation. | Claims audited annually. Internal Audit Report 2008.
5 | Improper overtime claims. | LOW | Requirement for prior approval from line manager. All claims require line management approval. Checks made by HR Manager against MyHours and IT System log-in and log-out records. | Only administrative staff can claim for paid overtime.
6 | Staff may abuse corporate credit cards. | LOW | Fully itemised expense claims required for all expenditure using corporate credit cards. Low expenditure limits. | Internal Audit Report 2008.
Appendix 10 OFMDFM stewardship statements pro forma (paragraph 4.5)
Business area:
Report period:
Scope of responsibility
As the [Senior Officer] responsible for [ ] Directorate/Division, I have responsibility for maintaining a robust system of internal control that supports the achievement of OFMDFM's policies, aims and objectives, whilst safeguarding the public funds and Departmental assets for which I am responsible.
The OFMDFM system of internal control has been in place and adhered to for the period of this report in the business area for which I am responsible and accords with Department of Finance and Personnel guidance.
Capacity to handle risk
My Directorate/Division is carrying out appropriate procedures to ensure that it identifies its objectives and risks and a control strategy has been devised for each of the significant risks. As a result, risk ownership has been allocated to appropriate staff.
Acknowledgement of ownership
I acknowledge my responsibility for managing corporate and key Directorate/Divisional risks and for monitoring those risks assigned to members of my management team. This statement has been informed following a thorough assessment of risk and control in my business area undertaken by each Head of Division/Branch against each of the following risk factors as appropriate (outlined in OFMDFM guidance):
• business planning;
• legislative and other authorities;
• business cases (including economic appraisal, post project evaluation and consultancy);
• consultancy;
• forecasting and monitoring of expenditure;
• procurement;
• information assurance;
• staff (including absence, gifts & hospitality);
• ALBs, NDPBs and Third Party Organisations;
• internal & external audit reports; and
• other significant issues.
Risk management status
I am satisfied that the controls in place to manage risks for which I am responsible are appropriate. They provide reasonable assurance that the risk will not occur or, if it does occur, that it will be detected and corrected in sufficient time to reduce the impact of the risk to tolerable or negligible levels.
Significant internal control problems
[Insert details of significant internal control problems of which the signatory is aware and the action taken to rectify these]
Head of Directorate / Division
Date:
NIAO Reports 2010-2011
Title | Date Published
2010
Campsie Office Accommodation and Synergy e-Business Incubator (SeBI) | 24 March 2010
Organised Crime: developments since the Northern Ireland Affairs Committee Report 2006 | 1 April 2010
Memorandum to the Committee of Public Accounts from the Comptroller and Auditor General for Northern Ireland: Combating organised crime | 1 April 2010
Improving public sector efficiency - Good practice checklist for public bodies | 19 May 2010
The Management of Substitution Cover for Teachers: Follow-up Report | 26 May 2010
Measuring the Performance of NI Water | 16 June 2010
Schools' Views of their Education and Library Board 2009 | 28 June 2010
General Report on the Health and Social Care Sector by the Comptroller and Auditor General for Northern Ireland – 2009 | 30 June 2010
Financial Auditing and Reporting - Report to the Northern Ireland Assembly by the Comptroller and Auditor General 2009 | 7 July 2010
School Design and Delivery | 25 August 2010
Report on the Quality of School Design for NI Audit Office | 6 September 2010
Review of the Health and Safety Executive for Northern Ireland | 8 September 2010
Creating Effective Partnerships between Government and the Voluntary and Community Sector | 15 September 2010
CORE: A case study in the management and control of a local economic development initiative | 27 October 2010
Arrangements for Ensuring the Quality of Care in Homes for Older People | 8 December 2010
Examination of Procurement Breaches in Northern Ireland Water | 14 December 2010
General Report by the Comptroller and Auditor General for Northern Ireland - 2010 | 22 December 2010
2011
Compensation Recovery Unit – Maximising the Recovery of Social Security Benefits and Health Service Costs from Compensators | 26 January 2011
National Fraud Initiative 2008-09 | 16 February 2011
Uptake of Benefits by Pensioners | 23 February 2011
Safeguarding Northern Ireland's Listed Buildings | 2 March 2011
Reducing Water Pollution from Agricultural Sources: The Farm Nutrient Management Scheme | 9 March 2011
Promoting Good Nutrition through Healthy School Meals | 16 March 2011
Continuous improvement arrangements in the Northern Ireland Policing Board | 25 May 2011
Printed in the UK for the Stationery Office on behalf of the Northern Ireland Audit Office PC2962 05/11