CAIRNGORMS NATIONAL PARK AUTHORITY STRATEGIC RISK REGISTER
Audit and Risk Committee Paper — Annex — 27th November 2020
Risk | Ref | Resp | Mitigation | Comments | Trend Feb 20 | Trend Aug 20 | Trend Nov 20 |
---|---|---|---|---|---|---|---|
Cross-over risks | | | | | | | |
Resources: public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | A1 | DC | Preventative: Ongoing liaison with Scottish Government highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternate, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, LAG and OATS in securing inward investment. | Work with Scottish Government has successfully secured resources adequate to cover Corporate Plan expectations into the third year of the current 4 year Corporate Plan period. We also continue to take forward ideas for alternate income streams to support future investment, including collective work with all UK National Parks and now supporting work on charitable activities through Cairngorms Trust. Balanced budget for 20/21. Some risk escalation recognising varied COVID19 and EU Exit uncertainties into 21/22 Financial year. | ⬇️ | ⬇️ | ➡️ |
Resourcing / Staffing / Policy: extended impacts of COVID19 on the organisation affect core strategic objectives and require early strategic plan review. | A23 | DC | Remedial: separate COVID19 operations risk register established to help identify and mitigate specific risks. | Management of specific COVID strategic and operational risks is set out in the separate risk register document. Evidence over last quarter of COVID mitigation being effective and focus remaining on strategic objectives. | ⬇️ | ➡️ | ➡️ |
Government and Policy: wider national political changes and policy direction force change away from current objectives. | A2 | GM | Preventative: Invest time in maintaining key government contacts and relationships gaining notice of potential policy shifts. Work to get full government backing to NPPP which gives longer term strategy commitment. | Spending Review settlement for 2018/20 favourable for CNPA, therefore increasing confidence around capacity to deliver existing Corporate Plan objectives to 2022 and also on Government commitment to CNPA Strategic goals. NPPP and 18/22 Corporate Plan now approved. Monitoring ongoing potential impacts of EU Exit and COVID 19 response budget and policy developments, although no escalation at present. Conscious of forthcoming Scottish elections in Spring 21 which may impact over final months of current corporate plan period. | ⬇️ | ⬇️ | ⬇️ |
Resourcing: UK vote to leave EU disrupts project delivery and financing plans and exposes Authority to longer term financial liabilities as a result of loss of EU funds. | A12 | DC | Remedial: Risk management analysis of specific EU funded activities – particularly of Authority’s exposure as Accountable Body for LEADER. Instructions issued on timetable for funding commitments to be covered by CNPA. Remedial: Invest management time in opportunities to engage in new funding programmes designed to replace EU funding programmes. | LEADER funding contracts tailored to meet expected EU exit timetable. Greater clarity on Scottish Government position now in place. LEADER Programme delivery now extended until March 21 with some potential for further extension into 21/22 financial year. However, continued uncertainty around basis of EU exit and security of access to supply lines and data holdings now escalating risk. | ⬇️ | ⬇️ | ➡️ |
Resourcing: future community led local development funding currently delivered through LEADER is lost and creates a significant gap in our capacity to deliver against our community development priorities. | A12.2 | DC | Remedial: prioritise engagement in consultations and events around the future development of structural and community funding. Preventative: continue to support work of Cairngorms Trust in attracting voluntary donations toward community action, although this is likely to remain at a much smaller scale for some time. | Good access to other project funding for current strategic delivery period. This strategic risk begins to look beyond current corporate plan period. Engaged in Rural Economy Stakeholder Group with potential for future community led local development funding policy. However, significant uncertainty arising from lack of clarity from UK Government on Shared Prosperity Fund and distribution of funds into devolved administrations. | ➡️ | ➡️ | ⬆️ |
Staffing: additional externally funded projects strain staff workload capacity with increased risks of stress and reduced morale. | A9.3 | DC | Preventative: Ongoing review of Operational Plan with explicit identification of projects which can/must slip to accommodate successful funding bids. Importance of staff management and task prioritisation reinforced through leadership meetings. | Initial 2019 staff survey suggests some ongoing matters on workload management to be addressed while wellbeing results improving. Recent months of COVID response have escalated workloads and some increased risk assessed as consequence. | ➡️ | ➡️ | ➡️ |
Resourcing: Role as Lead / Accountable body for major programmes (e.g. LEADER, Landscape Partnership) has risk of significant financial clawback should expenditure prove to be not eligible for funding, while CNPA carries responsibilities as employer for programme staff. | A11.1 | DC | Preventative: Ensure financial controls in place for programme management include effective eligibility checks. Test processes with funders if required and also undertake early internal audit checks. Workforce management plans must incorporate programme staff considerations. Ensure TGLP Management and Maintenance contracts are all in place to ensure eligibility of investment. Remedial: Utilise internal audit resources | Very positive movement in resolution of monitoring and eligibility issues over summer 2018. Enhanced by full acceptance of all CNPA interpretations during 2019 with no eligibility issues outstanding at programme level. Residual risk around dispute resolution processes and uncertainty over eligibility judgements and interpretation made by SG audit. Some work on TGLP needed to ensure management and maintenance agreements are all in place. | ➡️ | ➡️ | ➡️ |
Resourcing: the end of major programme investments (Tomintoul and Glenlivet, LEADER) requires significant ongoing staffing to manage audit and legacy which the Authority finds difficult to resource. | A11.2 | DC | Preventative: Early identification of post-programme audit and legacy management and resourcing requirements and planning for those. Early engagement with Cairngorms Trust for LEADER and Landscape Partnership Programme Board to identify and finalise long term management arrangements. | Added by Management Team November 2019. An internal working group has been established to progress preventative mitigation actions. This area of work remains under review and risk status level. | ➡️ | ➡️ | ➡️ |
Technical: Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. | A17 | DC | Remedial: New ICT Strategy to be developed to reappraise position on IT dependencies and establish a focus for future digital development across the Authority. Clear action planning to evolve from final ICT strategic direction once agreed. | Added April 2018 Operational Management Group review. Cyber security and wider ICT functionality reviews completed. Some ongoing delays around IT elements of project delivery. IT has held up well over COVID response although wider infrastructure developments are delayed. | ➡️ | ➡️ | ➡️ |
Technical: Cyber security is inadequate to address risk of cyber-attack on systems | A18 | DC | Preventative: Implementation of Scottish Government Cyber Security Action Plans and internal audit recommendations on IT security. Ongoing review of systems and procedures in tandem with LLTNPA. | Added by MT / OMG April 18. Cyber security plus accreditation received. Work underway to complete residual internal audit actions. Aware of increased risks highlighted by national agencies during COVID response. | ➡️ | ➡️ | ➡️ |
Resourcing: CNPA IT services are not sufficiently robust / secure / or well enough specified to support effective and efficient service delivery. | A13 | DC | Preventative: We will develop and consult on the forward plans for ICT service development to ensure these meet service requirements. Commissioned external review of our IT and data management processes to be implemented to give assurance. | Risk added through staff consultation with Staff Consultative Forum Sep 2016. Actions implemented on Cyber Security. Very high levels of service availability. Risk escalation noted as a consequence of rapidly evolving service requirements as project delivery evolves and remote working becomes more entrenched. | ➡️ | ➡️ | ➡️ |
Reputation: the Authority’s reputation is impacted by a small number of vociferous social media opinion leaders | A14 | GM | Preventative: Staff and Board training on use of social media to best support organisational aims in communications and reputation management. Ongoing delivery of communications strategy. Remedial: Social media profile also represents an opportunity to boost reputation. Remedial: involvement in emerging NPUK collective communications strategy and campaigns which will produce additional high profile positive reputational impact. | Implementation of communications strategy and wider organisational delivery, including promotion of recent successes, effective in maintaining organisational profile. Ongoing downward trend in risk. However, maintain on register for time being recognising some ongoing pressures being managed. | ⬇️ | ⬇️ | ⬇️ |
Reputation: high profile incidents or one off stories, such as those associated with wildlife crime, mountain hares, affordable housing can have an undue influence on the Authority’s wider reputation. | A15 | GM | Remedial: Maintain good balance of traditional and social media releases. Remedial: Close partnership working to seek to balance incident reporting and appropriately reflect Authority’s position and work. | Wildlife crime initiative now launched. Other positive media around Snow Roads and Cairngorms as a destination. This risk diminishing in impact as wider balancing information becomes more widespread. | ⬇️ | ⬇️ | ⬇️ |
Resourcing: scale of asset responsibilities such as for paths, outdoor infrastructure is not adequately recognised and does not secure adequate forward maintenance funding. | A16 | DC | Remedial: Review of accounting procedures and asset recognition policy; review of forthcoming accounting technical guidance. Ensure full consideration is given in budget reviews. Preventative: Alternate funding sources such as visitor giving to be explored more actively. | Added by MT / OMG April 18. Infrastructure maintenance issues exacerbated by end of existing agreement over Speyside Way Long Distance Route and end of maintenance period for some large scale investments – East Cairngorms Access Project (ECAP) for example. | ➡️ | ➡️ | ➡️ |
Resources / Staffing: failure to effectively manage staffing numbers with a view to the long term business need will reduce the capacity for the Authority to deploy adequate financial investment toward priority projects in the National Park. | A19 | DC | Preventative: Workforce Management Strategy developed and in place. Analysis of staffing contract position over three year period completed with actions established. Review of all vacancies as they arise. Consider staff management schemes available. | Staff contract position now established and subject to ongoing monitoring through HR, with review at point of any vacancies arising. Ongoing management of staff numbers underway with some highlighted areas now resolved. Budget 20/21 shows positive picture on staffing. | ⬇️ | ⬇️ | ➡️ |
Resources: change in financing IT services and the switch from capital to revenue provision places an unmanageable pressure on the Authority’s budget capacity. | A20 | DC | Remedial: Monitor pattern of IT Investment costs as regards the capital and revenue split of resourcing requirements; build impacts into ongoing budget deliberations with Scottish Government. | Added by Audit Committee 8 March 2019 following “deep dive” IT risk review. 2020/21 budget estimates give balanced position between capital and revenue costs. | ⬇️ | ⬇️ | ⬇️ |
Reputation: the Authority is not perceived to be appropriately addressing the potential for conflict between 4 statutory aims. | A21 | GM | Preventative: Ensure Board policy papers and Planning Committee papers are explicit in recognising strategic policy conflicts between 4 statutory aims and in addressing the evaluation of the conflict. | Added by Audit Committee 8 March 2019 following internal audit report on strategic planning processes. May have to increase profile of this moving forward. | ➡️ | ➡️ | ➡️ |
Technical: Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | A22 | DC | Preventative: Overhaul of BCP developed in 2014 with reporting on development of plans through Management Team and Audit and Risk Committee. Test BCP arrangements once plan in place and communicated. Remedial: internal audit review of COVID19 over winter 20/21 will lead into lessons learned on wider BCP. | Added by Audit Committee May 2019 following internal audit review of BCP. Some delay in finalisation of BCP documentation itself. However, work on BCP has considerably assisted in roll out of initial and ongoing responses to Coronavirus pandemic with evidence, including very positive staff feedback, that BCP implementation has been effective. | ➡️ | ➡️ | ➡️ |
Notes:
- Aiming to keep strategic risk register to around 12 to 15 high-level strategic risks.
- Cross-cutting risks impact potentially throughout all priorities.
- Strategic Risks around corporate priorities focus on risk impacts throughout each of the three themes – hence require a coordinated overview at Director / MT level. Not expecting a strategic risk against each specific Corporate Plan priority.
- More specific risks are expected to be captured in more operational risk registers – e.g. risk management around delivery of office extension.
- Full risk register is the collective responsibility of the full MT to manage; however, each risk is allocated to one specific member of the team to take lead responsibility.
- Aim through mitigation to reduce Likelihood (LL) multiplied by Impact (IM) risk score to below 10 as acceptable risk value.
- Reference key: “A” items are risks impacting on all aspects of the Corporate Plan; “C” items are Conservation only risks; “V” risks relate specifically to Visitor Experience; “L” risks relate to Land Management; “R” risks relate to Rural Development risks.
Key:
- Managed risk (green downward arrow in greyed-out field): Risk assessment that risk is effectively managed and no longer a strategic risk posing potential to inhibit achievement of corporate strategic objectives. Risk can be removed from risk register.
- Lowering risk (green downward arrow): Risk impact and / or likelihood is declining resulting in overall strategic risk assessment of mitigation actions effective with ongoing monitoring of risk environment still required.
- Static risk (amber horizontal arrow): Risk impact and likelihood is stable. Overall strategic risk assessment is stable indicating that strategic risk remains, requiring ongoing management and continued implementation of proposed mitigation and controls.
- Increasing risk (red upward arrow): Risk impact and / or likelihood is increasing resulting in increasing risk of achievement of strategic objectives being inhibited. Management action, and possibly resource investment, required to address risk environment and possibly introduce new mitigation action, in order to reduce risk impact and / or likelihood.
Version Control
- 3 Board Cycle December 2019
- 3.0 Board adopted version June 2019 for MT / OMG review
- 3.1 Audit Committee review 6 September 2019
- 3.2 Management Team November 2019
- 4 Board Cycle Jan to Jun 2020
- 4.0 Draft following Board consideration December 2019
- 4.1 To Audit and Risk Committee March 2020
- 5 Board Cycle July to Sep 2020
- 5.1 Sep 20 Board meeting draft for MT / OMG review
- 5.2 Sep 20 Board meeting following MT / OMG edits (WBW)
- 6 Board Cycle October 20 to March 21
- 6.1 ARC November 20 first draft