Risk Management Policy and Procedures
Contents
1. Introduction and overview
2. Completion of the Corporate Risk Register
3. Roles and responsibilities
Annexes
Annex A – Risk probability / impact setting
Annex B – Aid to identifying risks
Annex C – Risk Register template
Peter Bloomfield
Corporate Support Unit
Version 1.1.8 January 2011
1. Introduction and overview
Aim of this document
1.1 To detail the ICO's corporate risk management policy and
procedure. It should be read by ET members and their direct reports,
who in turn should explain the policy and procedure to their staff.
What is “risk”?
1.2 “Risk” is:
An event or cause leading to uncertainty in the outcome of the
ICO’s operations.
For example, service standards are based on expected numbers of
complaints. If more complaints are received, service delivery will fall
unless staff are moved from other tasks to help. Conversely, if
complaint numbers fall there is an opportunity to improve customer
service. Risks represent opportunities as well as threats.
Why we need to manage risk
1.3 Daily we manage risk without describing this as “risk
management”. We consider what might go wrong and take steps to
reduce the impact if things do go wrong. However, the ICO cannot
rely on informal processes. Also, as a public body, we must provide
assurance to the Commissioner, auditors, the Audit Committee (AC)
and the Ministry of Justice that we are managing risk correctly. We
do need to formally identify corporate risks and mitigating actions.
Who should think about risk?
1.4 The main responsibility for identifying corporate risks lies with
ET. Members should consider both existing risks and think about
any new corporate risks. ET input is important as members are well
placed to identify and monitor corporate risks.
1.5 MB, AC, and other committees also have a role. Because of this,
the risk register will be brought to relevant groups as appropriate.
1.6 Staff too have a role in identifying corporate risks. The
corporate risk register is available on ICON and staff are
encouraged to contribute.
When to consider risk
1.7 Risk needs to be considered when decisions are made. In
particular, as corporate aims develop during the planning round, ET
members and managers need to consider afresh existing corporate
risks; looking at what we want to do over the next few years and
identifying risks which may arise. Timing is important if mitigating
actions are to be included in business plans.
Project and departmental risks
1.8 Individual ICO projects may have their own risk registers.
Where a project risk is considered high priority it should be included
in the corporate risk register. The project manager or steering
group should advise Corporate Governance and relevant ET
members of any such risks. The regular highlight reports to ET are
a good way of doing this.
1.9 Individual managers may also identify risks to their
department’s aims. Mitigating actions should be included in business
plans if considered serious enough. If it is thought that the risks
might be “corporate”, again the manager should advise Corporate
Governance and relevant ET members of this.
Risk appetite
1.10 “Risk appetite” is an expression of how much risk an
organisation is prepared to take. It can vary over time and from
work area to work area. If the ICO’s risk appetite is clearly
articulated staff can take this into account when making their
decisions. ET should therefore, when considering risk, discuss and
express the risk appetite as they see it.
1.11 The risk register steers risk owners into considering risk
appetite when updating a risk entry. They need to consider not only
the risk status before and after existing mitigating action but also
the final tolerable risk status; ie what they are aiming for in terms
of status for that particular risk.
Options for dealing with risk
1.12 There are various options for dealing with risk.
Tolerate – if we cannot reduce the risk in a specific area (or
if doing so is out of proportion to the risk) we can decide to
tolerate the risk; ie do nothing further to reduce the risk.
Tolerated risks are simply listed in the corporate risk register.
If the risk is shown as "green" after existing mitigating actions
are taken it can probably be tolerated.
Treat – if we can reduce the risk in a sensible way by
identifying mitigating actions and implementing them, we
should do so. For most of the risks on the corporate risk
register this is what we are doing.
Transfer – here risks might be transferred to other
organisations, for example by use of insurance or transferring
out an area of work.
Terminate – this applies to risks we cannot mitigate other
than by not doing work in that specific area. So if a particular
project is very high risk and these risks cannot be mitigated
we might decide to cancel the project.
2. Completion of the Corporate Risk Register
Completing the register
2.1 The risk register template is below. Each field of the template is
listed with an explanation of what it should contain.

Risk owner: the Executive Team member responsible for the risk and
its mitigation.
Risk area: the generic area with which the risk is associated.
Corp aim: the corporate aim associated with the risk.
Risk description: the identified risk should be described clearly as
an event/cause and a result, eg:
  Event/cause – increase in FoI complaints received due to increased
  public awareness of their rights...
  Result – results in increase in clearance times and backlogs.
Risk status before existing mitigation: probability, impact and
overall status (see "risk status" below from para 2.3).
Existing mitigating actions: mitigating actions (controls) which are
in place and happening. Eg CRB checks for all new staff.
Existing assurances: an assurance is a process that ensures that
mitigation is working. Eg managers review the CRB checks and sign
them off.
Risk status after existing mitigation: probability, impact and
overall status (see "risk status" below from para 2.3), plus whether
that status is acceptable. If "yes", tolerate the risk. If "no",
there needs to be further action.
Future mitigating actions: planned actions which have not yet
happened, designed to help reduce the risk even further. For each
action record the owner (the manager responsible for the mitigating
action), the due date (the expected clearance date) and any relevant
notes.
Risk status after future mitigating actions: probability, impact and
overall status (see "risk status" below from para 2.3).
Risk Status
2.2 “Risk status” is an assessment of the risk’s seriousness and is
based on:
The probability of the risk actually arising; and
The impact on the ICO if a risk does actually arise.
We assign a status so that risks can be prioritised. A high impact,
high likelihood risk should be given more attention than a high
impact, low likelihood risk such as a meteorite strike on
Wilmslow.
2.3 A traffic light and numerical indicator is used to show the risk
status. Annex A provides advice on setting probability and impact.
2.4 Three assessments of risk status are needed.
Risk status before existing mitigation – an assessment of
the risk happening and its impact if no action is taken; eg
what is the risk that we receive an increase in complaints
without taking any action to address increasing backlogs?
Risk status after existing mitigation – an assessment of
the risk happening and its impact, taking account of existing
actions aimed at reducing the risk. For example, we receive
an increase in complaints and streamline procedures to make
the process faster; what do we now think the risk status is?
Risk status after future mitigation – an assessment of the
risk level we will reach after all the mitigating actions identified
have been done.
2.5 If after existing mitigation we think the risk status is
acceptable then the risk should be tolerated; there is nothing more
we need do. But if the status remains unacceptable (bearing in mind
our risk appetite) then we should identify further mitigating actions.
Management summary
2.6 The risk register includes a one page management summary
listing all of the risks and the various risk statuses. In addition it
indicates whether or not the risk status after existing mitigation is
improving.
3. Roles and responsibilities
3.1 Executive Team
Identification of corporate risks.
Detailed review of corporate risks and mitigating
actions.
Consider risk when making decisions.
Articulate a risk appetite when making decisions.
3.2 Management Board
Quarterly high level review of the risk register and
mitigation of risks, ensuring that the risk management
process works properly.
Identification of additional corporate risks.
3.3 Audit Committee
The provision of advice on the strategic process for risk,
control and governance and the Statement on Internal
Control.
Identification of additional corporate risks.
3.4 ET direct reports
To identify risks to the achievement of their unit’s
business plan which might also be corporate risks, and
to advise ET and Corporate Governance of such risks.
To identify any relevant mitigating actions, to include
these within their unit’s business plan, and to ensure
the business plan is met
To be alive to other risks that might develop in year.
3.5 Corporate Governance
To manage the risk management process, ensuring that:
the Corporate Risk Register is presented to
corporate governance groups as appropriate;
the risk register is placed on ICON and staff are
encouraged to contribute;
inconsistencies in the Corporate Risk Register
are questioned; and
the Corporate Risk Management Policy is kept up
to date.
3.6 All staff
To be alert to possible corporate risks and to raise risks
they have identified with their managers.
Peter Bloomfield Corporate Governance
Annex A
Risk Probability setting

Probability   Criteria
Very low      0-5% - extremely unlikely or virtually impossible
Low           6-20% - low but not impossible
Medium        21-50% - fairly likely to occur
High          51-80% - more likely to occur than not
Very high     81-100% - almost certainly will occur

Risk Impact setting

Impact        Criteria
Very low      Likely to have minor impact in one or a few areas of the ICO.
Low           Likely to have minor impact in many areas of the ICO.
Medium        Likely to have major impact in one or a few areas of the ICO.
High          Likely to have major impact in many areas of the ICO.
Very high     Likely to have major impact on the whole ICO.
Traffic light scoring

The overall score is the probability score multiplied by the impact
score. Rows are impact, columns are probability.

Impact \ Probability   Very Low (1)   Low (2)      Medium (3)   High (4)     Very High (5)
Very High (5)          Amber (5)      Amber (10)   Red (15)     Red (20)     Red (25)
High (4)               Green (4)      Amber (8)    Amber (12)   Red (16)     Red (20)
Medium (3)             Green (3)      Amber (6)    Amber (9)    Amber (12)   Red (15)
Low (2)                Green (2)      Green (4)    Amber (6)    Amber (8)    Amber (10)
Very Low (1)           Green (1)      Green (2)    Green (3)    Green (4)    Amber (5)

Read off the matrix: a score of 1 to 4 is Green, 5 to 12 is Amber
and 15 to 25 is Red.
Annex B
Aid to identifying risks

Step 1 – Identify individual / unit / ICO aims, objectives and
targets.
Example: Develop and implement cost-effective programmes to tackle
organisations which have not notified in accordance with their
obligations, aiming to increase the register to 285,000.

Step 2 – Think about what might stop the aims etc from being
achieved and describe them in terms of "event/cause" and "result".
Example: Lack of staff to develop and implement the programme, due
to difficulties in recruiting, results in a shortfall in numbers
registered and in Data Protection Fee Income.

Step 3 – For each "risk" score its impact and likelihood and
prioritise accordingly.
Example: Impact "medium" as it could result in failure of the
programme. [Impact could rise to "high" if a shortfall in
notification fee income was going to impact on office expenditure
plans.] Likelihood "medium" on the assumption that the Notifications
team are slightly understaffed and are already facing some
difficulties in recruiting. [This could rise to "high" if these
staffing and recruitment problems were more severe.]

Step 4 – Identify mitigating actions and include these in business
plans if appropriate. Mitigation should be specific and time
limited.
Example:
1. Identify any shortfall in numbers of staff required by December.
2. Identify existing staff who can be used on the programme by
January and agree transfers and start dates.
3. Initiate recruitment of new staff to fill any remaining shortfall
by February and plan to have staff in post by June.
4. Monitor income shortfall and agree the point at which the ICO
budget would need to be revised to take account of any shortfall.

Step 5 – Agree risk status after mitigating action.
Example: Assuming reasonably successful staffing of the programme
the probability would fall to "low". Impact would remain at "medium"
as this has not been addressed by mitigation.
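The Annex A scoring rule, the three assessments of para 2.4 and the Annex B staffing example, worked through as an added Python example. This is not part of the ICO policy or any ICO tooling; the class and function names, and the judgement that the Annex B residual risk is not acceptable, are assumptions made here for illustration.

```python
"""Added example, not part of the ICO policy: score a risk register entry
with the Annex A bands and derive the three statuses of section 2.4.
Class and function names here are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

# Annex A band scores, shared by probability and impact.
BANDS = ["Very low", "Low", "Medium", "High", "Very high"]
SCORE = {name: n for n, name in enumerate(BANDS, start=1)}

def overall_score(probability: str, impact: str) -> int:
    """Overall score = probability score x impact score (1..25)."""
    return SCORE[probability] * SCORE[impact]

def traffic_light(score: int) -> str:
    """Thresholds read off the Annex A matrix: 1-4 Green, 5-12 Amber,
    15-25 Red (no product of two 1-5 scores is 13 or 14)."""
    if score <= 4:
        return "Green"
    if score <= 12:
        return "Amber"
    return "Red"

# Annex A matrix transcribed from the page: one row per impact band
# (Very high first), one letter per probability band (Very low first).
ANNEX_A_ROWS = {"Very high": "AARRR", "High": "GAARR", "Medium": "GAAAR",
                "Low": "GGAAA", "Very low": "GGGGA"}

def matrix_matches_annex_a() -> bool:
    """True if the product rule and thresholds regenerate every cell."""
    return all(traffic_light(overall_score(p, impact))[0] == letter
               for impact, row in ANNEX_A_ROWS.items()
               for p, letter in zip(BANDS, row))

@dataclass(frozen=True)
class Assessment:
    """One probability/impact pair as entered in a register column."""
    probability: str
    impact: str

    @property
    def score(self) -> int:
        return overall_score(self.probability, self.impact)

    @property
    def status(self) -> str:
        return traffic_light(self.score)

@dataclass
class RiskEntry:
    """The three assessments of para 2.4 plus the Acceptable column."""
    description: str
    before_existing: Assessment
    after_existing: Assessment
    acceptable: bool  # judged against risk appetite (para 1.11)
    after_future: Optional[Assessment] = None  # needed only if not acceptable

    def option(self) -> str:
        """Para 2.5: tolerate an acceptable residual risk; otherwise treat,
        which needs future mitigating actions and a third assessment."""
        if self.acceptable:
            return "Tolerate"
        if self.after_future is None:
            raise ValueError("unacceptable risk needs future mitigating actions")
        return "Treat"

    def summary(self) -> dict:
        """Row for the one-page management summary (para 2.6)."""
        row = {"risk": self.description, "option": self.option(),
               "before existing": (self.before_existing.status, self.before_existing.score),
               "after existing": (self.after_existing.status, self.after_existing.score)}
        if self.after_future is not None:
            row["after future"] = (self.after_future.status, self.after_future.score)
        return row

def trend(previous_after_existing: int, current_after_existing: int) -> str:
    """Trend column of the summary: a lower score means a lower risk."""
    if current_after_existing < previous_after_existing:
        return "Improving"
    if current_after_existing > previous_after_existing:
        return "Worsening"
    return "Static"

def annex_b_example() -> RiskEntry:
    """Annex B walked through. No existing mitigation is listed there, so the
    residual equals the inherent status; the step 4 actions are future ones
    and (step 5) bring probability to Low with impact still Medium.
    acceptable=False is an assumption, not something the page states."""
    return RiskEntry(
        description="Lack of staff for the notification programme results in "
                    "a shortfall in numbers registered and in fee income",
        before_existing=Assessment("Medium", "Medium"),  # step 3: 3 x 3 = 9, Amber
        after_existing=Assessment("Medium", "Medium"),   # nothing in place yet
        acceptable=False,
        after_future=Assessment("Low", "Medium"),        # step 5: 2 x 3 = 6, Amber
    )
```

matrix_matches_annex_a() confirms that the product rule and the three thresholds reproduce every cell of the Annex A matrix, so a register tool can carry the rule rather than the table. Note that the Annex B example stays Amber after mitigation: the planned actions lower the probability but, as step 5 says, do nothing for the impact, which is exactly the case para 2.5 has in mind when it asks whether the residual status is acceptable against the risk appetite.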
Annex C
Risk register template

Current risks (summary)

Risk   Status before existing mitigation   Status after existing mitigation   Status after future mitigation actions   Trend

Risk area:                                 Risk owner:
Corp aim:
Risk description:

Risk status before existing mitigation:    Probability   Impact   Overall

Existing mitigating actions:
Existing assurances:

Risk status after existing mitigation:     Probability   Impact   Overall   Acceptable

Future mitigating actions   Owner   Due   Notes

Risk status after future mitigating actions:   Probability   Impact   Overall