Risk Strategy
1. Whatever the purpose of an organisation, the delivery of its objectives is surrounded by uncertainty. This poses threats to success and offers opportunities for increasing success. This uncertainty of outcome is defined as risk, and needs to be assessed in terms of the combination of the likelihood of something happening and the impact which arises if it does actually happen. Risk management includes identifying and assessing risks and then responding to them.
2. Risks to the Commission's business can take various forms: risks to our reputation, risks from missed opportunities, risks to stakeholders and financial risks. We need a clear understanding of how risks should be managed to a tolerable level.
3. There is no specific set of standards for risk management in government organisations. In developing this strategy the Commission has used the principles and concepts outlined in guidance issued by HM Treasury, mainly the Orange Book.
4. This strategy outlines how the Commission manages risk. There are four main elements to the risk management model - identifying, assessing, addressing, and reviewing and reporting risks.
Risk Management Model (simplified) - from the Orange Book. The four elements form a continuous cycle:
- Identifying risks
- Assessing risks
- Addressing risks
- Reviewing & reporting risks
Identifying risks
5. In order to manage risk, the Commission needs to identify the risks it faces. There are two distinct phases. The first is the initial identification of risk, which was undertaken in March 2002, when a risk register was drawn up.
6. The second stage is that of continuous risk identification which is necessary to identify new risks which did not previously arise, changes in existing risks, or risks which did exist ceasing to be relevant to the Commission. This is a routine element of the conduct of the business and key staff meet twice a year to carry out this process. The risk register is updated each time. The Commission recognises that all commissioners and staff have a part to play and all are invited to contribute to the risk management process.
7. A risk is something which may have an impact on the achievement of our objectives and may come from inside or outside the Commission. The successful delivery of our objectives depends partly on successful relationships with stakeholders.
8. The Commission has identified four groups of stakeholders: Parliament and ministers, both UK and devolved, to whom the Commission is charged to report; the user community; those who create statistics and are responsible for quality control, i.e. the National Statistician and her colleagues in government; and those called on to supply raw data, e.g. businesses and citizens.
9. Individual risks identified are not independent of one another but form natural groupings. We have grouped the risks identified according to the business processes, with each risk linked to the objectives in the business plan.
Assessing risks
10. The Commission aims to manage risks effectively, and to do this we need to be able to assess the risks we have identified.
11. There are three important principles for assessing risk:
- Ensure that both the likelihood and impact are considered for each risk
- Record the assessment of risk in a way which facilitates monitoring and identification of risk priorities
- Be clear about the difference between inherent and residual risk.
12. Many organisations use numerical risk evaluation tools to calculate the relative importance of each risk. The Commission is too small for the use of these to be effective. The Commission has adopted a simple framework which categorises risks according to whether they are high, medium or low, based on an assessment of the likelihood and impact of the risk occurring. The risk rating matrix shows how the likelihood and impact assessment are combined to arrive at an overall risk assessment.
Risk rating matrix (columns: likelihood; rows: impact; H = high, M = medium, L = low overall risk)

                     Likelihood
Impact         High      Medium    Low
High           H         H         M
Medium         H         M         M
Low            M         M         L
13. The risk register records the risk assessment in terms of likelihood and impact for each risk identified.
Addressing risks
14. When addressing a risk we aim to prevent it becoming an issue, that is, to prevent the potential threat from being realised. Using the Orange Book we select one of the following approaches:
- Transfer
- Tolerate
- Treat
- Terminate
15. For some risks we may need to use both the treat and tolerate options: we have identified some controls or actions to contain the risk, but we also accept that some level of risk must be tolerated where our ability to take effective action is limited, or where the cost of taking effective action outweighs the potential benefit gained.
16. In addressing risks we will seek to adopt a proportionate response to reduce risk to as low a level as is reasonably practicable in the circumstances.
Contingency arrangements
17. Any risk could suddenly be realised due to unforeseen events and cause disruption to the business. We have prepared business continuity/disaster recovery plans to help keep the business running during times of major disruption. Disaster recovery arrangements are tested annually.
Reviewing and reporting risks
18. Reviewing and reporting arrangements need to be effective to reinforce our risk management activities. Risk management is a dynamic process - new risks will be identified, some terminated, our assessment of likelihood and impact will need to be reviewed and controls and actions will be updated in response to internal and external events.
19. The senior staff of the Commission meet twice a year to undertake a formal review of the risks faced by the Commission. The risk register is then updated. However, all staff are encouraged to contribute to the risk review process and new or fundamental changes to risks can be raised at any time. Results of each review are reported to the Audit Committee, and the chair of the Audit Committee reports to the Commission annually.
20. The risk management system is subject to audit by internal and external audit which provides assurance to commissioners and to the chief executive in his role as Accounting Officer.
Roles and responsibilities
21. In order to deliver a robust corporate governance and risk management framework, the commitment of commissioners and staff to the process is critical, and roles and responsibilities must be clearly defined.
Commissioners
22. The commissioners have ultimate responsibility for deciding how much risk can be tolerated and for managing the Commission's risks, in particular for:
- conveying their attitude towards risk management to the chief executive
- making decisions which affect the Commission's risk profile or exposure and
- reviewing at least annually the Commission's approach to risk management and the risk register.
Chief executive
23. The commissioners have delegated to the chief executive the day-to-day responsibility for managing risk within the Commission. The chief executive (as informed by senior managers) is responsible for assessing and reporting risk to the commissioners and the Audit Committee.
Head of resources
24. The head of resources will support the chief executive by:
- providing guidance on risk issues
- co-ordinating risk management activity throughout the Commission
- arranging regular meetings to discuss and review key risks
- updating the risk register twice a year
- submitting risk reports to the commissioners and the Audit Committee at least once a year.
Staff
25. All staff can report new risks, or changes to existing risks, to the chief executive or the head of resources.
Internal audit
26. Internal audit responsibilities include:
- conducting audits in accordance with the agreed audit plan based on the Commission's risk priorities
- providing an annual report to the chief executive as to the adequacy and effectiveness of the Commission's system of internal control and
- examining and reporting annually on the Commission's risk management and corporate governance.
Audit Committee
27. The Audit Committee will:
- review whether the risk management procedures within the Commission are appropriate and operating effectively
- consider the risk progress report and
- report to the commissioners.