Cairngorms National Park Authority Strategic Risk Register
Audit and Risk Committee Paper 7 / Annex 1, 21 June 2023
Risk | Ref | Resp | Mitigation | Comments | Trend May 22 | Trend Nov 22 | Trend May 23 |
---|---|---|---|---|---|---|---|
Resources: public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | A1 | DC | Preventative: Ongoing liaison with Scottish Government highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternate, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | Risk escalation reflects Scottish Government’s continued and heightened concerns on forward stability of current financial allocations; risk of in-year adjustments, and risk over future year funding levels. All mitigating actions in place and operational. | ⬆️ | ⬆️ | ⬆️ |
Resourcing: future community led local development (CLLD) funding currently delivered through LEADER, together with wider funding previously from EU structural and agricultural sources is lost and creates a significant gap in our capacity to deliver against our development priorities | A12.2 | DC | Preventative: prioritise engagement in consultations and events around the future development of structural and community funding. Remedial: continue to support work of Cairngorms Trust in attracting voluntary donations toward community action – although this is likely to remain at a much smaller scale for some time. Remedial: continue to review opportunities for funding bids to other non-governmental funding sources. | Positive movement continuing across policy development areas within Scottish Government around the continuity of some form of CLLD with 2023/24 funding allocations in place, while limited by current in-year spending pressures. However, opportunity to access UK Government funding to replace EU losses still very unclear. Wider changes to agri-environment schemes and impact of change also remains highly uncertain. | ➡️ | ➡️ | ➡️ |
Staffing: additional externally funded projects strains staff workload capacity with increased risks of stress and reduced morale. | A9.3 | DC | Preventative: Strategic and operational plans for 2022/23 will be developed with externally funded project delivery as intrinsic elements of plans to ensure delivery capacity is considered fully. Importance of staff management and task prioritisation reinforced through leadership meetings. Focus on fewer, larger impact projects. | Additional recruitment in 22/23 to alleviate key staff pressure points complete. Fixed term staff extension in place for current financial year. Likelihood of risk therefore declining and risk profile therefore reducing. Impact of measures and risk profile will continue to be closely monitored through staff management processes. | ⬆️ | ⬇️ | ⬇️ |
Resourcing: Role as Lead / Accountable body for major programmes (e.g. LEADER, Landscape Partnership) has risk of significant financial clawback should expenditure prove to be not eligible for funding, while CNPA carries responsibilities as employer for programme staff. | A11.1 | DC | Preventative: Ensure financial controls in place for programme management include effective eligibility checks. Test processes with funders if required and also undertake early internal audit checks. Workforce management plans must incorporate programme staff considerations. Ensure TGLP Management and Maintenance contracts are all in place to ensure eligibility of investment. Remedial: Utilise internal audit resources | Work has progressed well on closure of LEADER, Tomintoul and Glenlivet and on Badenoch programmes with no issues arising to date. No local issues arising from external audit work on LEADER. Remove risk at this point. | ⬇️ | ⬇️ | ⬇️ |
Technical: Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. | A17 | DC | Preventative: invest in additional staff resource. Deploy timetabled action plan against approved ICT Strategy. Enhance project management approaches supporting ICT. Remedial: New ICT Strategy to be developed to reappraise position on IT dependencies and establish a focus for future digital development across the Authority. Clear action planning to evolve from final ICT strategic direction once agreed. | Added April 2018 Operational Management Group. Movement into Microsoft 365 deployment and cloud based systems has involved significant work and some disruption to staff operations. Internal audit work reinforces need to focus on project management of activities both for management of processes and improved organisational communications. | ➡️ | ➡️ | ➡️ |
Technical: Cyber security is inadequate to address risk of cyber-attack on systems | A18 | DC | Preventative: Implementation of Scottish Government Cyber Security Action Plans and internal audit recommendations on IT security. Ongoing review of systems and procedures in tandem with LLTNPA. Rescope arrangements through IT Strategy. Invest in cyber security software. Renewed staff training. | Added by MT / OMG April 18. Additional cyber security measures invested in and implemented. Aware of increased risks highlighted by national agencies during COVID response. Cyber security plus accreditation being reapplied for. Reviewing options for further increased security measures. | ➡️ | ⬆️ | ⬆️ |
Resourcing: CNPA IT services are not sufficiently robust / secure / or well enough specified to support effective and efficient service delivery. | A13 | DC | Preventative: We will develop and consult on the forward plans for ICT service development to ensure these meet service requirements. Commissioned external review of our IT and data management processes to be implemented to give assurance, with recommendations arising acted upon. | Retained as a risk rather than merged into other IT risks following May 2022 ARC review. Internal audit report on IT Strategy sets out key actions in this area of risk management around IT Strategy development, project management and costing of IT action plans to be implemented. | ➡️ | ➡️ | ➡️ |
Reputation: One-off, high profile incidents and / or vociferous social media correspondents have an undue influence on the Authority’s positive reputation. | A14.1 | GM | Preventative: Engagement and communications strategy, and stakeholder engagement will seek to take the front foot on managing the Authority’s positive, public reputation. Preventative: proactive communications initiated to address any potential incidents. Remedial: involvement in emerging NPUK collective communications strategy and campaigns which will produce additional high profile positive reputational impact. Remedial: Social media profile represents an opportunity to boost reputation. | Declining assessed risk profile over course of last year. Remove from strategic level risk register at this point. | ➡️ | ⬇️ | ⬇️ |
Resourcing: scale of asset responsibilities such as for paths, outdoor infrastructure is not adequately recognised and does not secure adequate forward maintenance funding. | A16 | DC | Remedial: Review of accounting procedures and asset recognition policy; review of forthcoming accounting technical guidance. Ensure full consideration is given in budget reviews. Preventative: Capital bids to government; alternate funding sources such as voluntary giving to be explored more actively. Work on Strategic Tourism Visitor Infrastructure Plan to focus action. | Added by MT / OMG April 18. Significant increase in capital allocation has allowed scope for increased programming of maintenance over 2021 to 2025. Potential to remove from strategic risk oversight at this time? | ➡️ | ➡️ | ⬇️ |
Resources: change in financing IT services and the switch from capital to revenue provision places an unmanageable pressure on the Authority’s budget capacity. | A20 | DC | Remedial: Monitor pattern of IT Investment costs as regards the capital and revenue split of resourcing requirements; build impacts into ongoing budget deliberations with Scottish Government. | Added by Audit Committee 8 March 2019 following “deep dive” IT risk review. Risk remains live as we implement a refreshed ICT Strategy and move to more cloud / service solutions. While there was sufficient budget cover for the initial implementation of cloud based services in 21/22, the final position will crystallise over 22/23 and into the 23/24 budget. | ➡️ | ➡️ | ⬇️ |
Reputation: the Authority is not perceived to be appropriately addressing the potential for conflict between 4 statutory aims. | A21 | GM | Preventative: Ensure Board policy papers and Planning Committee papers are explicit in recognising strategic policy conflicts between 4 statutory aims and in addressing the evaluation of any potential conflict. Preventative: ensure clarity on this matter is established through high level NPPP and Corporate Plan documents | Added by Audit Committee 8 March 2019 following internal audit report on strategic planning processes. NPPP development process now complete. Considered as part of ongoing national parks consultation where this can also be underpinned. Remove on basis of declining risk profile. | ➡️ | ⬇️ | ⬇️ |
Technical: Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | A22 | DC | Preventative: Overhaul of BCP developed in 2014 with reporting on development of plans through Management Team and Audit and Risk Committee. Test BCP arrangements once plan in place and communicated. Remedial: internal audit review of COVID19 over winter 20/21 will lead into lessons learned on wider BCP. | Added by Audit Committee May 2019 following internal audit review of BCP. Delay in finalisation of BCP documentation itself as we focus on establishment of hybrid working arrangements post COVID. However, work on BCP has considerably assisted in roll out of initial and ongoing responses to Coronavirus pandemic with evidence, including very positive staff feedback, that BCP implementation has been effective. | ➡️ | ➡️ | ➡️ |
Strategic Delivery: the Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime | A24 | AF | Remedial: use NPPP development processes to explore partnership attitudes, engagement and powers which they may add to the current controls. Preventative: explore potential for licencing or other regulatory arrangements to contribute to more effective control framework; Tracker / satellite monitoring deployment. | Added by SMT risk review May 2021. Licencing schemes coming into operation and trackers in place for some raptors. Declining risk profile. | ⬆️ | ⬆️ | ⬇️ |
Strategic Delivery: The Authority’s Peatland Programme outcomes may be adversely impacted by a lack of contractor capacity and / or lack of land manager engagement | A25 | AF | Preventative: interaction with skills and economic development agencies to highlight the problems of contractor capacity and scale of future programme; Preventative: close liaison with land management community around programme and participation. Design of support. Remedial: phasing of works to act on more straightforward, less technical areas to assist new contractors enter market and develop skills and understanding; reprofile capital expenditure to recognise more expensive, more complex projects coming toward end of funding period. | Added by SMT risk review May 2021. Recent evidence suggests increased level of response to peatland tenders and evidence of some new entrants to this market. Some ongoing evidence of success of risk mitigation measures, with programme on target for delivery of area of restoration for second year in succession. | ➡️ | ⬇️ | ⬇️ |
Reputational: key communications activities, messaging and (in some cases) brand awareness raising can be dependent on partner collaboration rather than under direct control, with potential for ineffective or disjointed communication outcomes. | A26 | GM | Preventative: agree partnership frameworks that explicitly set out expectations and outcomes of collaborative activities and establish adequate control mechanisms; Preventative: specifically monitor and feedback on communications effectiveness where there are partnership dependencies. Remedial: conduct review meetings which track and document progress and escalate any issues arising to appropriate governance groups. Remedial: review brand management and approaches to partnership linkages through brand | Added by SMT risk review May 2021. Identified as a stable risk at present rather than escalating, while recognised that work remains to be undertaken around these preventative and remedial mitigation measures. | ➡️ | ➡️ | ➡️ |
Strategic delivery: approaches to conservation and protection of endangered species may be insufficient to achieve associated strategic outcomes | A27 | AF | Remedial: review current approaches in context of relevant data sources to determine adequacy of current approaches. Remedial: use NPPP delivery processes to test potential for enhanced / revised approaches to conservation and protection of endangered species | Added by SMT risk review May 2021. Identified as a stable risk at present rather than escalating, while recognised that work remains to be undertaken or is ongoing around these preventative and remedial mitigation measures. | ➡️ | ➡️ | ➡️ |
Staffing: delivery of key outcomes is impacted by staff turnover, particularly in project teams. | A28 | DC | Preventative: consider HR solutions to encourage retention. Remedial: ensure succession planning and operational risk registers cover this strategic risk | Added following Board reflection on impact of turnover in TGLP Project. Fixed term contracts extended through financial year 2023/24 with longer term review pending following funding and budget decisions in late 2023. | ➡️ | ⬇️ | ⬇️ |
Staffing: increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured | A29 | DC | Preventative: focus on training and development and internal succession planning, in turn bringing recruitment into less experienced / less highly skilled markets; consider job design and flexibility of offer regarding part-time / job share. Remedial: contingency planning for example around out-sourcing of aspects of delivery. | Added by SMT review 18 Jan 22. Evidence of reducing number of applicants and candidate lists for vacancies ongoing, while trend in unsuccessful recruitment exercises has been acted on with no recent unsuccessful recruitment. | ➡️ | ➡️ | ⬇️ |
18 live strategic risks (previously 18); 3 risks identified for closure on consistent downward risk trend; 2 further risks recommended for closure given significant downward trend in last 6 months.
Notes:
- Aim to keep strategic risk register to around 15 strategic risks
- Cross-cutting risks impact potentially throughout all priorities
- Strategic Risks around corporate priorities focus on risk impacts throughout each of the three themes – hence require a coordinated overview at Director / Executive level. Not expecting a strategic risk against each specific Corporate Plan priority.
- More specific risks are expected to be captured in more operational risk registers – e.g. risk management around delivery of office extension.
- Full risk register is the collective responsibility of the full MT to manage; however, each risk is allocated to one specific member of the team to take lead responsibility.
Aim through mitigation to reduce Likelihood (LL) multiplied by Impact (IM) risk score to below 10 as acceptable risk value. Reference key: “A” items are risks impacting on all aspects of the Corporate Plan; “C” items are Conservation only risks; “V” risks relate specifically to Visitor Experience; “L” risks relate to Land Management; “R” risks relate to Rural Development risks.
Key
- Managed risk (green downward arrow in greyed-out field): risk assessment that risk is effectively managed and no longer a strategic risk posing potential to inhibit achievement of corporate strategic objectives. Risk can be removed from risk register.
- Lowering risk (green downward arrow): risk impact and / or likelihood is declining resulting in overall strategic risk assessment of mitigation actions effective with ongoing monitoring of risk environment still required.
- Increasing risk low to medium: Strategic risk previously assessed as low now assessed as escalating, with increased likelihood and / or impact as a consequence of change in strategic environment and / or identification of new risk implications. May merit revised mitigation action.
- Static risk (amber horizontal arrow): risk impact and likelihood is stable. Overall strategic risk assessment is stable indicating that strategic risk remains, requiring ongoing management and continued implementation of proposed mitigation and controls.
- Decreasing risk from High to medium level (amber downward arrow). Strategic risk previously assessed as high now assessed as having reduced likelihood and / or impact as a consequence of risk mitigation action.
- Increasing risk (red upward arrow): risk impact and / or likelihood is increasing resulting in increasing risk of achievement of strategic objectives being inhibited. Management action, and possibly resource investment, required to address risk environment and possibly introduce new mitigation action, in order to reduce risk impact and / or likelihood.
Version Control
- 3.0 Board Cycle December 2019
- 3.0 Board adopted version June 2019 for MT / OMG review
- 3.1 Audit Committee review 6 September 2019
- 3.2 Management Team November 2019
- 4.0 Board Cycle Jan to Jun 2020
- 4.0 Draft following Board consideration December 2019
- 4.1 To Audit and Risk Committee March 2020
- 5.0 Board Cycle July to Sep 2020
- 5.1 Sep 20 Board meeting draft for MT / OMG review
- 5.2 Sep 20 Board meeting following MT / OMG edits (WBW)
- 6.0 Board Cycle October 20 to December 20
- 6.1 ARC November 20 first draft
- 7.0 Board Cycle January to June 2021
- 7.0 ARC April 2021 and SMT May 2021
- 7.1 Board June 2021
- 8.0 Board Cycle December 2021
- 8.0 To SMT 24 Aug 21
- 8.1 SMT 24 Aug 21 Updates
- 8.2 SMT 18 Jan 22 review and updated
- 8.3 ARC review 11 Feb 22
- 9.0 Board Cycle March 2022
- 9.0 Draft for Board following ARC review
- 9.1 SMT Review May 22
- 10.1 SMT review Nov 22 prior to ARC 5 Dec.
- 10.2 ARC presentation following SMT review 22 Nov.