200911A&RCteePaper6Annex1BCP Risk Register
CAIRNGORMS NATIONAL PARK AUTHORITY
Audit & Risk Committee Paper 6 Annex 1 | 11/09/2020
CAIRNGORMS NPA: BUSINESS CONTINUITY PLANNING
COVID-19 LOCKDOWN AND EXIT PLANNING: RISK REGISTER
This risk register has been prepared to support the management of the Authority’s Business Continuity Planning (BCP) operations while the Authority remains at stages of “lockdown” as a consequence of our BCP measures implemented to help in control of the COVID19 pandemic.
The risk register sits under the Authority’s existing and remaining strategic risk register, which continues to set out the wider strategic risks around the Authority’s delivery of its strategic objectives. The Authority in deployment of its BCP remains in an emergency situation while reacting to national control of the COVID19 pandemic. However, the Authority has not yet taken the step to entirely reorient its existing strategic objectives. This risk register therefore represents an interim additional layer of risk management focus for senior management in continuing to lead operations while also managing the additional risks to delivery posed by the current BCP led mode of operations.
The following table sets out the identified risks and their assessed impacts, together with an associated score of risk likelihood (L) and impact (I). Risk mitigation measures are identified and residual risk rescores to give likelihood of risk after successful preventative action (ML) and impact of risk after successful remedial action (MI).
Risk appetite is set at a score of 16 or more, or 15 where impact is above 3. At or above such scores, mitigation action is required, otherwise risks will be monitored by management team. Review of the risk register is coordinated by the Management Team and Operational Management Group.
Key to abbreviations:
- L = Likelihood of risk score
- I = Impact of risk score
- ML = Likelihood of risk score after effective implementation and preventative mitigation action.
- MI = Impact of risk score after effective implementation and remedial mitigation action. Scores 1 Low to 5 High
| Owner | Risk | Impact | L | I | Prevent | ML | Remedial | MI |
|---|---|---|---|---|---|---|---|---|
| DC | Unprepared to respond to BCP relaxation opportunities | Opportunities to escalate service delivery lost; inefficient service delivery | 4 | 5 | Establish and manage risks; prioritise senior resource to Government groups and information monitoring; Plan for stages of response | 1 | Pre-establish levels of responsiveness to support quick reaction; | 2 |
| DC | National strategies for exit do not align with assessed Cairngorms priorities | Period of below optimum delivery is extended; delay in assessed key and time sensitive services | 4 | 5 | Prioritise senior resource to Government groups and influence thinking Monitor government responses and map CNPA strategies accordingly | 1 | Promote services to develop service specific operational delivery options fitting varying levels of operations; MT / OMG regular meetings to support quick response / adaptive management; regular governance check ins. | 3 |
| DC | Operational Plans and budget allocations do not fit emerging circumstances and priorities. | Organisational activities are not best directed toward emerging priorities; resources not invested in highest priority areas. | 3 | 5 | Ongoing monthly review of operational plan positioning; ensure staff performance development conversations are a management priority; Committee and Board review. | 2 | Budget review and refinement; establish sectoral response plans | 2 |
| DC | Governance structures do not give adequate leadership / oversight / scrutiny of operations. | Ineffective leadership; lack of challenge and scrutiny over organisational operations. | 5 | 5 | Twice weekly and wider management meetings; daily leadership conversations with Convenor; fortnightly Governance Group meetings; priority investment in maintaining Committee meetings; clarity in governance hierarchy in case of illness. | 2 | Ongoing review of effectiveness of operations and risk management action; review of communications structures; staff surveys for feedback. | 3 |
| DC | Existing and remaining key objectives are obscured by priority of BCP responses. | Key delivery objectives (e.g. TGLP delivery, Heritage Horizons bid) are not achieved. | 4 | 4 | Operational planning review to (re) establish priorities; MT oversight of priority actions; senior leadership of key projects established. | 2 | Establish MT/OMG standing items checklist of key project progress and reprioritise resource if slippage detected. | 3 |
| DC | Lack of coordinated activities resulting from remote operations | Key priorities are missed; work is duplicated by differing staff / groups | 4 | 4 | Coordination through more regular management meetings; increase time and priority to internal communications. | 2 | Establish MT/OMG review of activities and implement further project management controls where required; BCP Steering Group weekly meetings reviews and responds to feedback. | 2 |
| GM | Internal communications with remote working arrangements are ineffective. | Lack of coordination around activities; staff group as a whole are not engaged with organisation and do not | 5 | 4 | Central coordination of communications through more regular, broad based management | 2 | Undertake staff survey and implement bottom up improvement recommendations; | 2 |
| GM / PVB | Reputation of CNPA is impacted by inappropriate external communication / coms which do not fit with National messaging. | Mixed messaging from Authority and Board confuses audiences and damages CNPA reputation. | 4 | 4 | Central coordination of communications through more regular, broad based management meetings; clear responsibility for coordination of coms; clear Board member briefings and lines to take on policy positions. | 2 | Participate in relevant national groups, including UKNP & EELG Communications, and respond / adapt to emerging messaging; regular review of Board messaging and position through Governance Group. | 2 |
| DC | Information Technology and adaptations are inadequate to meet organisational requirements during revised working arrangements. | Ineffective organisational operations through inability to support remote working / communications. | 3 | 5 | Prioritise key systems to ensure adequate investment made in correct operational support areas: email, VC, planning and finance systems; agree ongoing priority action plans (shared workspaces etc.); cloud based solutions to preserve server capacity. IT Strategy in development to support | 2 | Review feedback from MT and through staff groups, adapt, invest where required, and respond. | 4 |
| DC | Resources become over-stretched through seeking to both maintain services while working to recover position through BCP response levels. | Key requirements / priorities are not achieved through staff over-stretch. | 5 | 5 | Operational planning review to (re) establish priorities; MT oversight of priority actions; senior leadership of key projects established including clear terms of reference to highlight competing priorities and to resolve on behalf of staff. | 4 | Establish MT/OMG standing items checklist of key project progress and reprioritise resource if slippage detected. Ensure SCF and HR feedback loops are in place, while ensuring these do not replace management structures. | 3 |
| KC | Mental health impacts on staff caused by BCP actions have impacts on organisational effectiveness over medium to long term. | Impacts on staff wellbeing and mental health lead to long term impacts on effectiveness through absence; reduced motivation; burn-out | 4 | 4 | Proactive focus on mental health; leadership on balance to private and work life; leadership on taking regular breaks, exercise and leave. Adapt HR policies. Regular internal communications. proactive work through SCF; and HR policy adaptation. | 3 | Put in place feedback mechanisms across organisation (staff survey) and within teams and respond to feedback; review and adapt policies and coms where needed. | 3 |
| DC | BCP responsiveness creates an overly short term focus with sight of long term implications on organisation and also the staff group lost. | Long-term impacts and revisions to direction are not identified as a consequence of short-term BCP recovery focus; long term impacts on | 2 | 5 | Regular Board reporting and adaptation to feedback; Close involvement with a range of stakeholder | 1 | Review feedback from stakeholder groups and fora to identify any gaps in long term focus. | 2 |
| DC | Cyber security arrangements become compromised through adaptations to facilitate extended period of remote working. | Increased risk of hacking, data loss, corruption of key systems and data, network loss | 3 | 5 | Minimise any adaptations to systems and procedures; monitor impacts of actions on security and prioritise remedial actions on IT protocols as part of staff return to office; monitor updates from central government teams. Longer term IT strategy in development to meet future organisational IT needs. | 2 | Ensure back up arrangements continue to function as planned. | 5 |
| DC | Integrity of records management is lost as a consequence of high volumes of data and records being stored on dispersed hardware and without integration into central network. | Incomplete records held by Authority; loss of key information either as a loss from hardware failure and data not able to be recovered or loss of storage devices which cannot be accounted for. | 5 | 4 | Design and implement data management guidance for management of information while working remotely; implement secure shared working platform; prioritise records management actions for staff return to office. | 4 | Establish ‘overlap’ record storage in remote devices pending safe storage in central systems (i.e. multiple owners of records store the same information pending safe and secure central filing.) | 3 |
| DC | Preparedness for Infectious Disease | Workplace transmission of infectious disease. RIDDOR | 4 | 5 | Office protocols established reflecting | 2 | Supplier for deep clean of premises sourced and | 2 |
| outbreak among staff group. | reportable transmission. Unnecessary exposure leading to staff illness and potentially death. Reputational risk for volunteering groups and community activities led by CNPA. | public health advice in relation to social distancing and hygiene measures. Limited numbers with office access for business critical reasons only. Community and volunteering guidance developed and activities undertaken in line with government guidance and national lead organisations. Testing of organisational response planned. | contingency established. Protocols for managing outbreak or staff member with positive test in development. Government guidance for non-essential offices due prior to phase 4 of lockdown road map being implemented. Staff aware of and supported to adhere to isolation procedures for themselves and household members. | |||||
| DC / KC | Disproportionate impact of pandemic response on Equality and Socio-economic Groups within staff group and local community. | Failure to meet statutory responsibilities under equality act 2010. Further widening of equality gap, potential generational impact. | 3 | 4 | Established Equality Advisory Forum during BCP response period. Remit to include review and support mitigation of impact of pandemic from an equalities perspective. Management direction and training to focus on staff wellbeing and equalities considerations over autumn | 2 | Green recovery fund to offer support to local economy with equalities focus integrated. Regular staff survey to review impact on range of areas including some equality strands. Support and 1:1 discussion with staff highlighted as high risk and/or shielding. Flexible application of leave and carers policy | 2 |
Risks Under Monitoring
The risks in this section of the risk assessment either have initial risk scores of under 15, or 15 where impact is 3. Risks falling into these risk scores will continue to be monitored by management and any escalation will require remedial action to be taken. At present, risks are accepted without the need for immediate (within the next 3 to 6 month period) remedial action being taken.
| Risk | Impact | L | I | Prevent | ML | Remedial | MI |
|---|---|---|---|---|---|---|---|
| Dispersed records holding results in inability to meet FOISA responsibilities. | Commitment to meet or exceed FOISA responsibilities not upheld. | 5 | 3 | Monitor – to date FOISA requests able to be met | 4 | Monitor | 3 |
| Equalities impact assessments are not undertaken prior to implementation as a consequence of speed of policy development during phases of BCP | Commitments to equalities duties not discharged. | 5 | 3 | Monitor Work ongoing in developing a new Equalities Forum | 3 | Monitor | 3 |
| Loss of high numbers of staff at one time through illness due to COVID19 | Loss of key services; significant service delivery objectives missed; breakdown in staff communication systems | 5 | 2 | Revised to Monitor Remote working in line with government guidelines; ensure back up arrangements are identified; prioritisation of activities to ensure completion with maximum likelihood of staff complement in place. | 3 | Revised to Monitor Ongoing review and reprioritisation of tasks / objectives as monitoring of staff situation directs | 4 |
Version Control
- 0 Drafting
- 0.1 DC first draft position statement as at 11 May 2020
- 0.2 DC Board communications elements in external communications following Governance Group discussions 12 May 2020
- 0.3 DC Updates from multiple discussions prior to A&R Committee
- 1 September 2020 Audit and Risk Committee / Board Cycle
- 1.1 DC Review and update 25 August.
- 1.2 VW edits and additional risks 27 August 2020.