201127AuCtteePaper2Annex1BCP Risk Register v13
CAIRNGORMS NATIONAL PARK AUTHORITY
Audit & Risk Committee Paper 2 Annex 1 | 27/11/2020
CAIRNGORMS NPA: BUSINESS CONTINUITY PLANNING
COVID-19 LOCKDOWN AND EXIT PLANNING: RISK REGISTER
This risk register has been prepared to support the management of the Authority’s Business Continuity Planning (BCP) operations while the Authority remains at stages of “lockdown” as a consequence of our BCP measures implemented to help in control of the COVID19 pandemic.
The risk register sits under the Authority’s existing and strategic risk register, which continues to set out the wider strategic risks around the Authority’s delivery of its strategic objectives. The Authority, in deployment of its BCP, remains in an emergency situation while reacting to national control of the COVID19 pandemic. However, the Authority has not yet taken the step to entirely reorient its existing strategic objectives and the existing strategic risk register therefore remains a valid ongoing approach to risk management in support of existing strategic objectives. This COVID19 Lockdown and Exit Planning risk register therefore represents an interim additional layer of risk management, providing focus for senior management in continuing to lead operations while also managing the additional risks to delivery posed by the current BCP led mode of operations.
The following table sets out the identified risks and their assessed impacts, together with an associated score of risk likelihood (L) and impact (I). Risk mitigation measures are identified and residual risk rescores to give likelihood of risk after successful preventative action (ML) and impact of risk after successful remedial action (MI).
Risk appetite is set at a score of 13 or more. At or above such scores, mitigation action is required, otherwise risks will be monitored by management team. Review of the risk register is coordinated by the Management Team and Operational Management Group. Movement in risk management assessment is indicated in the body of the risk register by upward and downward arrows.
Key to abbreviations:
- L = Likelihood of risk score
- I = Impact of risk score
- ML = Likelihood of risk score after effective implementation and preventative mitigation action.
- MI = Impact of risk score after effective implementation and remedial mitigation action.
Scores 1 Low to 5 High
| Owner | Risk | Impact | L | I | Prevent | ML | Remedial | MI |
|---|---|---|---|---|---|---|---|---|
| DC | Unprepared to respond to BCP relaxation opportunities | Opportunities to escalate service delivery lost; inefficient service delivery | 4 | 5 | Establish and manage risks; prioritise senior resource to Government groups and information monitoring; Plan for stages of response | 1 | Pre-establish levels of responsiveness to support quick reaction; | 2 |
| DC | National strategies for exit do not align with assessed Cairngorms priorities | Period of below optimum delivery is extended; delay in assessed key and time sensitive services | 4 | 5 | Prioritise senior resource to Government groups and influence thinking | 2 | Promote services to develop service specific operational delivery options fitting varying levels of operations; MT / OMG regular meetings to support quick response / adaptive management; regular governance check ins. | 3 |
| DC | Operational Plans and budget allocations do not fit emerging circumstances and priorities. | Organisational activities are not best directed toward emerging priorities; resources not invested in highest priority areas. | 3 | 5 | Ongoing monthly review of operational plan positioning; ensure staff performance development conversations are a management priority; Committee and Board review. | 2 | Budget review and refinement; establish sectoral response plans | 2 |
| DC | Governance structures do not give adequate leadership / oversight / scrutiny of operations. | Ineffective leadership; lack of challenge and scrutiny over organisational operations. | 5 | 5 | Twice weekly and wider management meetings; daily leadership conversations with Convenor; fortnightly Governance Group meetings; priority investment in maintaining Committee meetings; clarity in governance hierarchy in case of illness. | 2 | Ongoing review of effectiveness of operations and risk management action; review of communications structures. | 3 |
| DC | Existing and remaining key objectives are obscured by priority of BCP responses. | Key delivery objectives (e.g. TGLP delivery, Heritage Horizons bid) are not achieved. | 4 | 4 | Operational planning review to (re) establish priorities; MT oversight of priority actions; senior leadership of key projects established. | 2 | Establish MT/OMG standing items checklist of key project progress and reprioritise resource if slippage detected. | 3 |
| DC | Lack of coordinated activities resulting from remote operations | Key priorities are missed; work is duplicated by differing staff / groups | 4 | 4 | Coordination through more regular management meetings; increase time and priority to internal communications. | 2 | Establish MT/OMG review of activities and implement further project management controls where required; BCP Steering Group weekly meetings reviews and responds to feedback. | 2 |
| GM | Internal communications with remote working arrangements are ineffective. | Lack of coordination around activities; staff group as a whole are not engaged with organisation | 5 | 4 | Central coordination of communications through more regular, broad based management | 2 | Undertake staff survey and implement bottom up improvement recommendations; | 2 |
| GM | Reputation of CNPA is impacted by inappropriate external communication / coms which do not fit with National messaging. | Mixed messaging from Authority and Board confuses audiences and damages CNPA reputation. | 4 | 4 | Central coordination of communications through more regular, broad based management meetings; clear responsibility for coordination of coms; clear Board member briefings and lines to take on policy positions. | 2 | Participate in relevant national groups, including UKNP & EELG Communications, and respond / adapt to emerging messaging; regular review of Board messaging and position through Governance Group. | 2 |
| DC | Information Technology and adaptations are inadequate to meet organisational requirements during revised working arrangements. | Ineffective organisational operations through inability to support remote working / communications. | 3 | 5 | Prioritise key systems to ensure adequate investment made in correct operational support areas: email, VC, planning and finance systems; agree ongoing priority action plans (shared workspaces etc.); cloud based solutions to preserve server capacity. IT Strategy in development to focus decision making in | 3 | Review feedback from MT and through staff groups, adapt, invest where required, and respond. | 4 |
| DC | Resources become over-stretched through seeking to both maintain services while working to recover position through BCP response levels. | Key requirements / priorities are not achieved through staff over-stretch. | 5 | 5 | Operational planning review to (re) establish priorities; MT oversight of priority actions; senior leadership of key projects established including clear terms of reference to highlight competing priorities and to resolve on behalf of staff. | 3 | Establish MT/OMG standing items checklist of key project progress and reprioritise resource if slippage detected. Ensure SCF and HR feedback loops are in place, while ensuring these do not replace management structures. | 3 |
| DC/KC | Mental health impacts on staff caused by BCP actions have impacts on organisational effectiveness over medium to long term. | Impacts on staff wellbeing and mental health lead to long term impacts on effectiveness through absence; reduced motivation; burn-out | 4 | 4 | Proactive focus on mental health; leadership on balance to private and work life; leadership on taking regular breaks, exercise and leave. Adapt HR policies. Regular internal communications. Proactive work through SCF; and HR policy adaptation. | 3 | Put in place feedback mechanisms across organisation (staff survey) and within teams and respond to feedback; review and adapt policies and coms where needed. | 3 |
| DC | Cyber security arrangements become compromised through adaptations to facilitate extended period of remote working. | Increased risk of hacking, data loss, corruption of key systems and data, network loss | 3 | 5 | Minimise any adaptations to systems and procedures; monitor impacts of actions on security and prioritise remedial actions on IT protocols as part of staff return to office; monitor updates from central government teams. IT Strategy development to focus medium to long term development | 2 | Ensure back up arrangements continue to function as planned. | 5 |
| DC | Integrity of records management is lost as a consequence of high volumes of data and records being stored on dispersed hardware and without integration into central network. | Incomplete records held by Authority; loss of key information either as a loss from hardware failure and data not able to be recovered or loss of storage devices which cannot be accounted for. | 5 | 4 | Design and implement data management guidance for management of information while working remotely; implement secure shared working platform; prioritise records management actions for staff return to office. | 4 | Establish ‘overlap’ record storage in remote devices pending safe storage in central systems (i.e. multiple owners of records store the same information pending safe and secure central filing.) | 3 |
| DC | Board loses coherence / focus on key objectives through extended periods of remote operations (added by ARC Sep 2020) | Loss of collective understanding of priorities and frequent divergence from decision making on consensus basis with wider governance consequences around collective responsibility. | 3 | 5 | More frequent Board meetings as required on key milestone decisions; more frequent discussions on emerging and future issues | 2 | Board performance self-assessment to identify and act on areas of less developed Board operations; Convener development discussions with members | 2 |
| DC | Preparedness for infectious disease outbreak amongst staff group | Work related transmission of infectious disease. RIDDOR reportable transmission of disease. Unnecessary exposure leading to staff illness and potentially death. Reputational risk for volunteering groups and community activities led by CNPA | 4 | 5 | Office protocols established reflecting public health advice in relation to social distancing and hygiene measures. Limited numbers with office access for business critical reasons only. Community and volunteering guidance developed and activities undertaken in line with government guidance and national lead organisations. Testing of organisational response planned. | 2 | Supplier for deep clean of premises sourced and contingency established. Protocols for managing outbreak or staff member with positive test in development. guidance for non-essential offices due prior to phase 4 of lockdown road map being implemented. Staff aware of and supported to adhere to isolation procedures for themselves and household members. | 2 |
| DC | Significant disruption to CNPA Activities, Staff and partners due to multiple SG tiers across park area. | Loss or disruption to projects and activities and disproportionate effect on areas within a tier 3 or Tier 4 category. Destabilising effect on CNPA Partners. | 4 | 4 | CNPA guidance developed on Tier system and assessment undertaken possible impact on work. | 3 | Channels established to feedback impact to Scottish Government. Regular review at management team. | 2 |
Risks Under Monitoring
The risks in this section of the risk assessment either have initial risk scores of under 15, or 15 where impact is 3. Risks falling into these risk scores will continue to be monitored by management and any escalation will require remedial action to be taken. At present, risks are accepted without the need for immediate (within the next 3 to 6 month period) remedial action being taken.
| Owner | Risk | Impact | L | I | Prevent | ML | Remedial | MI |
|---|---|---|---|---|---|---|---|---|
| DC | Dispersed records holding results in inability to meet FOISA responsibilities. | Commitment to meet or exceed FOISA responsibilities not upheld. | 5 | 3 | Monitor | 5 | Monitor | 3 |
| KC | Equalities impact assessments are not undertaken prior to implementation as a consequence of speed of policy development during phases of BCP | Commitments to equalities duties not discharged. | 5 | 3 | Monitor | 5 | Monitor | 3 |
| DC / KC | Loss of high numbers of staff at one time through illness due to COVID19 | Loss of key services; significant service delivery objectives missed; breakdown in staff communication systems | 5 | 2 | Revised to Monitor | 3 | Revised to Monitor Ongoing review and reprioritisation of tasks / objectives as monitoring of staff situation directs | 4 |
| DC | Board does not adapt strategic plans to meet new and emerging priorities, or understand the key variations required to existing priorities (added by ARC Sept 2020) | Resources are not adequately directed to required strategic aims; strategic aims themselves not adequately revised / updated | 2 | 4 | Monitor | 1 | Monitor | 2 |
| DC | BCP responsiveness creates an overly short-term focus with sight of long term implications on organisation and also the staff group lost. | Long-term impacts and revisions to direction are not identified as a consequence of short-term BCP recovery focus; long term impacts on staff group (e.g. burnout / leave balances) missed. | 2 | 5 | Regular Board reporting and adaptation to feedback; Monitor | 1 | Review feedback from stakeholder groups and fora to identify any gaps in long term focus. Monitor | 2 |
| DC / KC | Disproportionate impact of pandemic response on Equality and Socioeconomic Groups within staff group and local community. | Failure to meet statutory responsibilities under equality act 2010. Further widening of equality gap, potential generational impact. | 3 | 4 | Established Equality Advisory Forum during BCP response period. Remit to include review and support mitigation of impact of pandemic from an equalities perspective. Management direction and training to focus on staff wellbeing and equalities considerations over autumn Monitor | 2 | Green recovery fund to offer support to local economy with equalities focus integrated. Regular staff survey to review impact on range of areas including some equality strands. Support and 1:1 discussion with staff highlighted as high risk and/or shielding. Flexible application of leave and carers policy Monitor | 2 |
Version Control
0.1 DC first draft position statement as at 11 May 2020 0.2 DC Board communications elements in external communications following Governance Group discussions 12 May 2020 0.3 DC Updates from multiple discussions prior to A&R Committee 1.0 Following September 2020 ARC Review 1.1 DC Updates from ARC 1.2 VW Update new risk 1.3 DC review and submission to November ARC