APPENDIX A Information Governance Strategy 2015 - 2017


Page 1: Information Governance Strategy and Policy...The Annual Governance Statement has highlighted Information Governance as a key corporate risk. The Authority has the intention to adopt

APPENDIX A

Information Governance Strategy

2015 - 2017

Version 1.0

Contents 1 Executive Summary ....................................................................................................... 2

2 Introduction .................................................................................................................... 2

3 Annual Governance Statement ...................................................................................... 3

4 The Legislative Framework ............................................................................................ 3

5 The Risks ....................................................................................................................... 4

6 Information Governance Objectives ............................................................................... 4

7 Deliverables ................................................................................................................... 6

8 Information governance roles and responsibilities ........................................................ 11

8.1 The Council........................................................................................................... 11

8.2 Senior Information Risk Owner ............................................................................. 11

8.3 Audit Committee ................................................................................................... 11

8.4 Information Governance Board ............................................................................. 11

8.5 Information Security Officer ................................................................................... 11

8.6 Information Asset Owners (IAO’s) ......................................................................... 12

8.7 Information Governance Consultant and Information Governance Officer ............. 12

8.8 All staff .................................................................................................................. 12

9 The Information Vision ................................................................................................. 12

10 Data Quality ............................................................................................................. 13

11 Monitoring compliance with, and the effectiveness of, the information governance strategy ............................................................................................................................... 14

1 Executive Summary

This strategy describes the council’s information governance objectives and deliverables for the next two years. It confirms the council’s commitment to compliance with information rights legislation. It also confirms our commitment to good practice through the implementation of, and adherence to, relevant guidance.

The strategy sets out an approach that will deliver all of the essential compliance elements, in a way that also actively enables and supports the delivery of corporate objectives, and exploits opportunities for business benefits. It is an approach that will be flexible and responsive to new or changed operational requirements, and that will enable the organisation to take proportionate risk. It demonstrates how effective information governance can help us to make the best use of our information and, as a consequence, assist in the delivery of our objectives and the improvement of our business processes. It is an approach which will further our corporate objectives to be open and transparent about what we do, and to be accountable for the actions we take. It will give confidence to those who provide personal information to us that their information will be managed appropriately.

The Information Governance Board (IGB), led by the Senior Information Risk Owner (SIRO), will set out and communicate our information governance strategy and champion the information governance agenda. Engaging with business areas across the council, it will ensure that corporate information governance policy is reviewed and that it properly aligns with business and operational requirements. The Information Governance Board will work with, and provide specialist advice and support to, our staff and Information Asset Owners (IAOs). It will actively engage with business areas to share experience and examples of good practice and to ensure that messages conveyed externally are consistent with our internal processes.

2 Introduction

This strategy covers the period 2015-2017 and details the continuing development, implementation and embedding of a fully-assured information governance framework needed for the effective management and protection of the council’s information. It includes within its scope:

• management of the lifecycle of the council’s records and information from creation or receipt to disposal;

• information security; and

• the collection, management and use of personal information created, received, or obtained by the council.

Information has never been more important to the essential working of government. As the quantity, diversity and nature of government information changes, so will the threats and vulnerabilities it faces.

Information Governance describes the approach within which accountability, standards, policy and procedures that apply to the protection and handling of information are developed and implemented. It allows organisations and individuals to make sure that information created, obtained or received by the council is accurate and is dealt with legally, securely and efficiently within regulatory and information management standards and frameworks. Information is a key asset with a value to the council similar to its property and financial assets, and must be managed accordingly. By treating information as a business priority and not as an ICT or technical issue, we can ensure that risks are addressed, managed and capitalised upon.

The government has instigated several major initiatives, including the transparency agenda and the drive to greater use of partnerships to deliver services and solve problems. Public demand for openness and transparency means that information must be easily accessible and capable of being extracted and published. Information governance has important implications for the success or failure of these initiatives. In contrast with this demand for transparency, however, is the requirement to maintain people’s privacy. Training and awareness are essential for managers and staff to be able to balance these requirements, and organisations that fail to meet these standards risk severe financial and reputational penalties.

3 Annual Governance Statement

The Annual Governance Statement has highlighted Information Governance as a key corporate risk. The Authority has the intention to adopt best practice in the field of information management. To achieve this safely and legally, we want all those who handle information:

• to routinely meet their legal obligations in the way they respond to people exercising their rights;

• to have a high level of awareness of all their wider obligations under information rights law, with those obligations routinely met in practice; and

• to ensure that good information rights practice is embedded into the culture and day to day processes of organisations and into emerging technologies and systems.

This information governance strategy is a clear statement of the council’s commitment to compliance with information rights legislation and to demonstrating good practice. It demonstrates our investment in and support for this business priority. The strategy describes our commitment to ensuring effective information governance as a means to enable our business, to ensure we can make the best use of our information and to provide a solid foundation to enable us to be open and transparent about what we do. At the same time it takes account of, and supports, the council’s operational objectives and ensures that a balance is struck between operational and compliance objectives.

4 The Legislative Framework

Some of the current information-related legislation has been around for many years. New legislation in the last few years, though, has placed new obligations on councils. There are regulations which require us to provide information within given timescales, to make information more accessible and, at the same time, to safeguard people's rights. In order to comply, we must make sure we manage our information effectively, taking into account these legal requirements. The legal and regulatory framework is outlined below and includes:

• Data Protection Act 1998

• Freedom of Information Act 2000

• Environmental Information Regulations 2004

• Privacy and Electronic Communications (EC Directive) Regulations 2003

• Public Records Act 1958

• Re-use of Public Sector Information Regulations 2005

• Computer Misuse Act 1990

• Regulation of Investigatory Powers Act 2000 (RIPA)

Other related guidance and codes of good practice include:

• Security Policy Framework (Cabinet Office)

• Public Service Network (PSN) Code of Connection

• Guidance and codes of practice published by the Information Commissioner’s Office (ICO)

5 The Risks

All risks to the council’s information assets will be included in an Information Governance Risk Register and managed by the SIRO. A separate Risk Assessment has been completed and is attached at appendix 1.

6 Information Governance Objectives

The council's information governance objectives are outlined here; the resource and financial implications of delivering these will be considered and addressed as projects that support the aim of the objectives develop:

1. Policy. We will implement an information policy framework which is embedded in the day to day operations of the council and which is compliant with relevant legislation, standards and codes of practice and demonstrates good practice.

2. Training and Awareness. To help achieve compliance and to reduce the risk of non-compliance through human error we will ensure that the council’s Information Vision is accepted and widely disseminated through effective communication. We will provide appropriate needs-based training and guidance material for staff, members, partners and third parties, we will monitor and report on its take-up and effectiveness, and develop it where appropriate. We will ensure that training and guidance promotes the Audit Commission’s Standards for Better Data Quality.

We will foster a culture of personal responsibility, ownership and commitment to high standards in information handling to support and enable our business processes.

3. Monitoring and Assurance. We will ensure the appointment to and promotion of key information governance related posts and make sure that there are processes in place to check that policy is being implemented and to measure the effectiveness of the control environment. We will work with business areas and IAOs through the Information Governance Board to share experience and good practice and to prompt feedback about the practical operation of policy.

4. Records and Information Management. We will review our Records Management strategy to ensure we have the mechanisms in place to support information governance principles and to enable us to know what information we have available to us and where it is located. This will allow us to store and retrieve information efficiently, saving time, effort, and electronic and physical storage space.

5. Information Security. We will continue to develop, implement and maintain information security policies which take account of legislative requirements, HMG guidance and the codes of connection we are subject to, but which are appropriate, proportionate, measured and part of business as usual. We will work with business areas to make sure that information security policy is properly aligned with operational requirements and is appropriate to the council’s risk appetite. We will support our staff and members by ensuring our policy and processes are clear and accessible, that help and guidance are available when needed, and, by providing appropriate training, by minimising the risk of human error.

6. Collection and use of personal information. The council manages and uses the personal information it receives or obtains responsibly, securely, and fairly. We will promote transparency and openness about how we handle and share personal information, providing confidence to individuals and third parties who pass information to us.

7 Deliverables

Policy

Pol.1 A review of the council’s Information Governance Organisational Structure with roles promoted across the council and included in job descriptions.
Delivering compliance: Supports compliance with the legislative framework and demonstrates the council’s commitment to Information Assurance.
Business benefits and opportunities: Provides assurance to the Chief Executive that dedicated oversight for information governance and information risk is being provided.

Pol.2 A review of all information governance policy and a resourced action plan for incorporating the review’s findings and recommendations.
Delivering compliance: Policies which achieve legal compliance, demonstrate good practice, and are in accordance with published guidance.
Business benefits and opportunities: Opportunity for business areas to contribute to the review process and to ensure that the revised information governance policy is clear and fully aligned with business and operational requirements.

Awareness

Aws.1 Communication and promotion of the revised information governance policies to IAOs, staff, members and third parties who work with the council.
Delivering compliance: High levels of awareness to minimise risks of non-compliance through human error.
Business benefits and opportunities: Information tailored to job roles and business processes.

Aws.2 Developed and implemented needs-based training plan for SIRO, IAOs, staff, and members together with a practical deadline for completion and a refresher programme.
Delivering compliance: High levels of awareness to minimise risks of non-compliance through human error. Local ownership and accountability for information governance issues driving compliance.
Business benefits and opportunities: Reduced risk of data breaches by staff and promotion of a culture of security awareness to citizens and partners. Development opportunity for individuals and the opportunity to develop an IAO/staff forum to discuss and share experience and good practice.

Aws.3 Designated information security and records management events to raise awareness and prompt discussion.
Delivering compliance: Increasing awareness to minimise risk of human error and non-compliance.
Business benefits and opportunities: Opportunity to raise issues, share experience and seek clarification.

Aws.4 Identify, procure and mandate IG awareness training for staff and elected members.
Delivering compliance: High levels of awareness to minimise risks of non-compliance through human error.
Business benefits and opportunities: Reduced risk of data breaches by staff and promotion of a culture of security awareness to citizens and partners.

Monitoring and Assurance

Mon.1 A developed and embedded integrated assurance framework as part of business as usual with twice yearly self-assessments.
Delivering compliance: A tool to provide assurance to the SIRO, Information Governance Board and Audit Committee and to monitor compliance.
Business benefits and opportunities: Structured opportunity for IAOs to consider information governance compliance. An opportunity to identify and address corporate issues identified by IAOs.

Mon.2 A review of the pre-employment personnel security check process and the adoption of any recommendations.
Delivering compliance: Appropriate organisational measures in place to satisfy the requirements of data protection principle 7.
Business benefits and opportunities: Reduced risk of employing inappropriate staff, potentially saving time and costs.

Mon.3 A review of IT processes, including taking and storing IT back-up media and the disposal of IT equipment, and the adoption of any recommendations.
Delivering compliance: Appropriate organisational measures in place to satisfy the requirements of data protection principle 7.
Business benefits and opportunities: Confidence that information will be available to the business when required and that information will be securely disposed of when no longer required.

Mon.4 Physical security measures are tested, validated and assured by audit.
Delivering compliance: Appropriate organisational measures in place to satisfy the requirements of data protection principle 7.
Business benefits and opportunities: Reassurance to staff about their safety in the workplace and minimising the risk of security incidents interrupting business continuity.

Mon.5 The adequacy of training is monitored and reported.
Delivering compliance: High levels of awareness to minimise risks of non-compliance through human error.
Business benefits and opportunities: More effective training leading to increased security awareness across the organisation and the reduced risk of data breaches by staff.

Records and information management

Rec.1 Review of the Records Management Strategy and the adoption of any recommendations.
Delivering compliance: Supports compliance with all data protection principles and FOIA.
Business benefits and opportunities: Will help to promote awareness of records management and handling across all business areas. Could identify cost-saving and service improvement opportunities.

Rec.2 Compliance with the retention and disposal schedule for records and information assets.
Delivering compliance: Supports compliance with data protection principles 3, 4 and 5 and the code of practice issued under s46 of FOIA.
Business benefits and opportunities: Easier, quicker access to current records and information, saving time and effort and making best use of electronic and physical space.

Rec.3 Embedded new Government Classification Scheme (GCS) with good awareness of and implementation of the handling guidance for all types of the council’s information.
Delivering compliance: Satisfying the requirements of data protection principle 7 and the Security Policy Framework.
Business benefits and opportunities: Clear, straightforward baseline controls reducing complexity.

Rec.4 Project Plan for procedures to be developed for the archiving of information.
Delivering compliance: Meeting our obligations under the Public Records Act.
Business benefits and opportunities: Promotes our commitment to transparency and openness. Easier, quicker access to current records and information, saving time and effort and making best use of electronic and physical space.

Rec.5 Paper files are being stored and managed in accordance with the council’s policy.
Delivering compliance: Supports the implementation of s46 guidance (FOIA) and satisfies the requirements of data protection principles 3, 4, 5 and 7.
Business benefits and opportunities: Ease of access to information and prompt retrieval when required. Making best use of physical space.

Rec.6 Document and file naming conventions are consistently applied to the council’s records and information.
Delivering compliance: Supports implementation of s46 guidance (FOIA) and supports the handling of information requests.
Business benefits and opportunities: Information can be located promptly when required and best use can be made of the information we hold.

Rec.7 The role of Local Records Officers is investigated and implemented.
Delivering compliance: Supports delivery of compliance with all relevant legislation.
Business benefits and opportunities: Opportunity for staff to develop new skills, to share experience and good practice and to promote the benefits of good information management at the local level.

Rec.8 Promote transparency and openness through the timely publication of the council’s information.
Delivering compliance: Supporting the principles of openness and transparency set out in the FOIA and the Government’s Transparency Agenda.
Business benefits and opportunities: Helps to manage the expectations of stakeholders, provide information and insight into our operational activities and save time by avoiding repeat information requests.

Information Security

Sec.1 Review of current arrangements for secure mobile working.
Delivering compliance: Satisfying the requirements of data protection principle 7.
Business benefits and opportunities: New opportunities to consider and improve the business experience of mobile working.

Sec.2 A physical security review of all off-site storage facilities with any recommendations adopted.
Delivering compliance: Satisfying the requirements of data protection principle 7.
Business benefits and opportunities: Ensuring business continuity with information being available when required.

Sec.3 A fully tested secure IT disaster recovery solution to ensure the continued availability of the council’s information in the event of an incident.
Delivering compliance: Satisfying the requirements of data protection principle 7.
Business benefits and opportunities: Ensures the continued availability of the council’s information in the event of an incident.

Sec.4 Successful annual PSN code of connection return.
Delivering compliance: Satisfying the requirements of data protection principle 7 and the PSN code of connection.
Business benefits and opportunities: Continuity of secure external email and essential PSN services such as CIS.

Sec.5 Processes for ensuring that IT access is provided on a need to know basis are working effectively.
Delivering compliance: Satisfying the requirements of data protection principle 7.
Business benefits and opportunities: Licence costs could be reduced, and there are opportunities for improved productivity if staff only have access to the applications and software required to carry out their role.

Sec.6 A review of information security incident policy and management with any recommendations adopted.
Delivering compliance: Satisfying the requirements of data protection principle 7 and the PSN code of connection.
Business benefits and opportunities: Develop an open and honest incident reporting culture. Identify any weaknesses in information security across all business areas.

Collection and use of personal information

Per.1 Information governance requirements are considered in any new or changed IT systems, business processes or new initiatives which involve the collection and use of personal information, and privacy impact assessments are carried out where necessary.
Delivering compliance: Satisfying the requirements of data protection principle 1.
Business benefits and opportunities: An opportunity to build in information governance considerations at an early stage, saving time and costs and giving confidence to data subjects by ensuring that privacy impact assessments have been carried out where necessary.

Per.2 The council is clear about how it uses and manages the personal information captured as a consequence of carrying out its statutory and non-statutory functions.
Delivering compliance: Satisfying the requirements of data protection principle 1.
Business benefits and opportunities: Gives confidence to individuals and third parties that the council is properly managing and protecting the personal information which it handles.

Per.3 A review of personal data sharing arrangements and contracts with data processors currently in operation to ensure that formal agreements are in place and are fit for purpose.
Delivering compliance: Satisfying the requirements of data protection principle 1.
Business benefits and opportunities: Gives confidence that the council is complying with legislation and enables opportunities to be identified for more effective sharing of information with partners.

8 Information governance roles and responsibilities

[IGB Organisational Structure Chart]

8.1 The Council

Overall responsibility for the efficient administration of Information Governance lies with the council’s Chief Executive.

8.2 Senior Information Risk Owner

The council’s SIRO is the Director of Resources, who is a member of the council’s Corporate Management Team. The SIRO has responsibility for sponsoring and promoting information governance policy.

8.3 Audit Committee

The Audit Committee is made up of elected members of the council and is responsible for corporate governance, accounts and audit, the council’s regulatory (assurance) framework, and ethics and standards. The full Terms of Reference for the Audit Committee are detailed in the council’s Constitution.

8.4 Information Governance Board

Scope

To monitor and have oversight of Information Management and Governance (IMG) issues. IMG includes, but is not limited to, Information Management, Information Governance, Records Management, DPA, EIR and FOI issues.

Terms of Reference

1) Review and recommend for approval information management policies

2) Review and monitor IMG incidents

3) Approve and monitor developments to improve IMG

4) Promote information security

5) Receive and consider results of independent reviews and industry best practice

6) Act as advocate for good IMG practices

7) Provide promotional material to raise awareness and encourage best practice

8.5 Information Security Officer

The Information Security Officer (ISO) manages security across the council’s IT platform with the aim of identifying, understanding and controlling any information risks in line with the council’s information risk appetite. The ISO is responsible for:

• managing the ICO’s accreditation activities including compliance with the PSN Code of Connection;

• monitoring recorded information risks and the implementation and effectiveness of associated controls;

• monitoring IT security incidents;

• approving the council’s code of connection with third party suppliers and partners; and

• advising on the council’s system and network developments and providing security input to projects and programmes.

8.6 Information Asset Owners (IAO’s)

IAOs have responsibility for the information being created, received or obtained by their departments or teams. Their responsibilities include:

• ensuring that the council’s policy is implemented in the business processes for which they are responsible;

• ensuring that their staff are aware of the information governance policies that affect them and that they attend or complete training as required;

• fostering a culture of personal responsibility and commitment related to information governance matters in their department; and

• completing and submitting bi-annual self-assessments which measure their levels of assurance against a range of control measures.

8.7 Information Governance Consultant and Information Governance Officer

These posts manage and carry out the development of policies and day to day activities such as providing advice, dealing with incidents, providing awareness materials, administering training, and progressing tasks, instructions and actions agreed at management and group meetings.

8.8 All staff

All the council’s staff have a personal responsibility to:

• handle information in accordance with information governance policy;

• attend security induction training and continue to attend or complete training as required;

• understand that failure to comply with information governance policy is treated seriously and can lead to disciplinary action; and

• report security incidents or weaknesses.

9 The Information Vision

Information is at the heart of the way in which we deliver services to the public. It can be a building block of our corporate memory, which enables us to discharge our responsibilities for public accountability. If we do not have consistent and accurate information we cannot optimise our efficiency or measure improvement. To achieve this, our information will be:

a. Available - Our information will be available to those who need it when they need it and have the right to view or use it. This will include improving responsiveness to requests for information. We will avoid information overload and target information where it is needed.

b. Accessible - Our information will be clearly identified and easily found when it is needed, and in a timely fashion, by anyone with authority who needs to access it. We will maintain a clear information structure using a corporate file plan. We will share and exchange information efficiently where necessary.

c. Electronic - Our information and documents will be stored electronically. Over time, we will evolve our policies such that we will endeavour to only keep paper records where there is a legal requirement to do so.

d. Secure - We will make sure that there are controls in place when we store and transfer information so that the information itself is protected and any risks associated with inappropriate disclosure are reduced. We will record the confidentiality of information. Non confidential information will be openly published. A revised IT security policy is being produced.

e. Managed throughout its lifecycle - It is essential that information is only kept for as long as necessary, whether it is through a legal requirement or a business need. Information when it is no longer required will be disposed of in a secure manner in line with our retention and disposal policy.

In addition, we will:

a. Use our information assets efficiently - make full use of our information assets where we are legally allowed to.

b. Generate an information culture – Information will be managed in a common structured system to encourage collaborative working and reduce duplication of work.

c. Implement training - Implement a compulsory training programme to encourage staff and members to manage, share, and work with information in a corporate way to guarantee all of the above.

In summary, the vision is about connecting people with the information they need whilst also keeping it safe and secure over its life-cycle. Achieving it is critical to the success of our organisation.

10 Data Quality

Information and intelligence we derive from data will always be flawed if that data is of poor quality. The Audit Commission has issued guidance in the form of “Standards for Better Data Quality”. In summary these are:

• Accuracy – data should be sufficiently accurate for their intended purposes.

• Validity – data should be recorded and used in compliance with relevant requirements, including the correct application of any rules or definitions.

• Reliability – data should reflect stable and consistent data collection processes across collection points and over time.

• Timeliness – data should be captured as quickly as possible after the event or activity and be available for the intended use quickly and frequently enough to support information needs and to influence service or management decisions.

• Relevance – data should be relevant to the purposes for which they are used. This entails periodic review of requirements to reflect changing needs.

• Completeness – data requirements should be clearly specified based on the information needs of the organisation and data collection processes matched to these requirements.

We will ensure that these principles are incorporated and promoted in our business processes and associated training and guidance.

11 Monitoring compliance with, and the effectiveness of, the information governance strategy

To ensure we maintain a consistently high level of Information Assurance that instils confidence in our customers and partners that we are a safe and reliable custodian of information and personal data, we will measure the success of this strategy. While we recognise that perfect information assurance is impossible and that we can only hope to minimise the risk of losses and breaches happening, there are a number of measures we can use to demonstrate how effective those mitigations are:

Audit Findings. By instructing Audit to consider data quality and information security when conducting audits, by striving to achieve full assurance for our Information Security Management System, and by eliminating high and medium audit recommendations.

Accreditations and Compliance Certification. By maintaining or improving our compliance positions with regard to, for instance, the Public Service Network Code of Connection (PSN CoCo).

Data Breaches. By engendering a culture of honesty towards, and a presumption to report, data breaches and then responding effectively to the investigation findings we can significantly reduce the number of incidents over time.

Training. By measuring the effectiveness of our training by testing.

Risk Management. By reducing the number of high and medium information risks outstanding on the Information Governance Risk Register.


Appendix 1


CITY OF LINCOLN COUNCIL RISK IDENTIFICATION AND ASSESSMENT

STEP 1. BECOMING RISK AWARE : IDENTIFYING RISKS AND SCORING (THE RISK REGISTER)

[Risk matrix: Likelihood (A to F) on the vertical axis, Impact (IV to I) on the horizontal axis; each risk is plotted on the matrix by its risk number.]

Guidance and explanation on using this template:

Risk management is about controlling, transferring and living with risks, so the focus is on becoming risk aware, not risk averse. This will put you in an informed position to make the right decisions and enable you to manage risk. Brainstorm with your colleagues what might go wrong in relation to your key objectives / projects. It can sometimes help to think about risk categories, such as social, reputation, environment, competitive, customer, technology, legislative, partnership, contract, political, physical, managerial, financial, legal, economic.

Documenting risks: Each risk is documented using the table below and is then mapped on to the matrix opposite (by risk number).

Objectives: Use this section to cross reference to your specific Corporate, Directorate or service area objectives.

Risk Owner: Record the person or group who is responsible for the risk and who will ensure that any action needed is undertaken.

Risk (Cause and Event): Describe the existing or potential threat to objectives. Ensure the cause of risk is included.

Risk Consequences: Describe the potential effects on the Council and others if the risk were to materialise (loss, adverse publicity etc).

Likelihood Score: This is the likelihood of the risk materialising / happening. The following information will help you to assess:

A) Very high (probability >90%)
B) High (probability 55% to 90%)
C) Significant (probability 15% to 55%)
D) Low (probability 5% to 15%)
E) Very low (probability 1% to 5%)
F) Almost impossible (probability 0% to 1%)

Also consider when this event / risk may occur. If the risk may occur sooner then it may warrant a higher score.

Impact Score: This is the estimated effect of the risk happening. The following information will help you to assess:

IV - Negligible: Other impacts quickly managed or little or no effect.
III - Marginal: Some work to manage impacts, limited effect.
II - Critical: Significant work to manage impacts, noticeable effect on the Council or its services.
I - Catastrophic: Major long term impact and service suspension or severe disruption.

When considering impact, issues such as Service provision, Health and Safety, Morale, Reputation and Govt relations should be evaluated. Avoid managing every risk. It may be possible to cluster risks.

Tolerance: If your risk is RED or AMBER then you will need to complete STEP 2 – Risk Management Action Plan. AND REMEMBER to include these Risk Management identification and assessment forms as part of your annual service plans, strategies, policies.

The areas highlighted RED are those risks that we are most concerned about and MUST be assessed. Risks in the AMBER area are those which we may need to review and monitor closely. Risks in the GREEN area are relatively low risk and should be managed accordingly.


Risk register columns: Risk No. | Objective | Risk Owner / service | Risk (Cause and Event) | Risk Consequences | Likelihood Score | Impact Score | Tolerance (colour)

Risk 1
Objective: Comply with relevant legislation
Risk (Cause and Event): Breach of Legislation:
• The Freedom of Information Act 2000
• The Human Rights Act 1998
• The Electronic Communications Act 2000
• The Regulation of Investigatory Powers Act 2000
• The Data Protection Act 1998 (DPA)
• The Copyright Designs and Patents Act 1988
• The Computer Misuse Act 1990
• The Environmental Information Regulations 2004
• The Re-use of Public Sector Information Regulations 2005
Risk Consequences:
• Authority fined by the ICO
• Civil legal action for damages taken against the Authority
• Individual fined through civil proceedings
• Criminal prosecution against individual
• Reputational damage to the Authority
Likelihood Score: B; Impact Score: II; Tolerance: Red

Risk 2
Objective: Protect Authority’s and other agency’s data
Risk (Cause and Event): Data disclosed inappropriately either inadvertently or maliciously; Data lost – business operations impacted
Risk Consequences: As above
Likelihood Score: B; Impact Score: III; Tolerance: Amber

Risk 3
Objective: Share data effectively with other bodies/individuals
Risk (Cause and Event): Information shared without permission, either inadvertently or maliciously
Risk Consequences: As above
Likelihood Score: C; Impact Score: III; Tolerance: Amber

Risk 4
Objective: Retain access to services e.g. PSN compliance
Risk (Cause and Event): Code of connection breached through not having appropriate controls in place e.g. policies, technical infrastructure
Risk Consequences: As above
Likelihood Score: C; Impact Score: III; Tolerance: Amber

Risk 5
Objective: Process data fairly and lawfully (Data Protection Principle)
Risk (Cause and Event): Breach of DPA
Risk Consequences: As above
Likelihood Score: E; Impact Score: III; Tolerance: Green

Risk 6
Objective: Process data for specified lawful purpose (Data Protection Principle)
Risk (Cause and Event): Breach of DPA
Risk Consequences: As above
Likelihood Score: E; Impact Score: III; Tolerance: Green

Risk 7
Objective: Process data which is adequate, relevant and not excessive to the purpose which it is processed for (Data Protection Principle)
Risk (Cause and Event): Breach of DPA
Risk Consequences: As above
Likelihood Score: E; Impact Score: III; Tolerance: Green

Risk 8
Objective: Process data which is accurate and kept up to date (Data Protection Principle)
Risk (Cause and Event): Breach of DPA
Risk Consequences: As above
Likelihood Score: B; Impact Score: III; Tolerance: Amber

Risk 9
Objective: Do not keep data for longer than is necessary for the purpose (Data Protection Principle)
Risk (Cause and Event): Breach of DPA
Risk Consequences: As above
Likelihood Score: A; Impact Score: II; Tolerance: Red

Risk 10
Objective: Protect staff from liability
Risk (Cause and Event): Loss of information or inadvertent disclosure of information
Risk Consequences: As above


CITY OF LINCOLN COUNCIL RISK MANAGEMENT ACTION PLANNING

STEP 2. ASSESSING INDIVIDUAL RISKS Owned By: Date: Date Updated:

[Risk matrix: Likelihood (A to F) on the vertical axis, Impact (IV to I) on the horizontal axis.]

Using this template:

Once we have identified our key risks, we need to assess them. This involves looking at current controls / actions in place and deciding if there is anything further that should be done. When responding to risks, also be aware that we can deal with risks in different ways. We can accept, manage, modify, eliminate, transfer the risk or a combination of these. These options may help you to decide what action you need to take. It may also help you to compare the risks to the benefits of the objective / project. If the risks significantly outweigh the potential benefits you may need to reconsider the options available. In general you should be trying to drive the high impact / high likelihood risks down to what you consider to be a more acceptable level, bearing in mind that RED risks will normally be considered unacceptable. This is your target risk score.

Action plan columns:

• Risk Number

• Current Risk Score

• Target Risk Score

• Risk Description

• Impact

• Action/controls already in place (actions / controls already being done that relate to this risk / cluster)

• Adequacy of action/control to address risk (how effective are the actions / controls already in place)

• Required management action/control (new actions / controls required to manage the risk down to its target score)

• Responsibility for action (the person responsible for this action plan being carried out)

• Key dates and frequency of reviewing this action

• Critical success factors & KPIs & Opportunities (what will success look like? how will performance indicators improve?)

• Status at Review Date


Action/controls already in place, with the adequacy of each control to address the risk:

• Staff training – Weak

• Staff awareness on intranet – Limited

• Manager training – Limited

• Induction process – Good

• Posters in stairwells – Effective

• IT Security controls (see GCSX controls) – Good

• Policies – Fair

• Guidance – Fair

• Senior Officers available to advise on these issues – Good

• DP Officer and FOI Officer – Good

• Information inventory collection – In progress

Required management action/control: Information Management Strategy to be developed to prioritise the following:

• Review and distribution of the retention and disposal schedules

• Archiving software

• SharePoint or similar solution for version control/management

• Email archiving

• Electronic storage of documentation

• Further training for all staff

• Review of the IM policies and guidance and the distribution thereof

• Finalise and keep up to date the information inventory

Responsibility for action: DOR