Audit and Risk Com­mit­tee Paper 1

22 Septem­ber 2023 Page 1 of 2

For Decision

Title: Intern­al Audit Plan ²⁰²³⁄₂₄: Risk Management

Cov­er Paper pre­pared by: Dav­id Camer­on, Deputy Chief Executive

Report sub­mit­ted by: Eliza­beth Young, Stephanie Hume, Azets

Pur­pose

This paper presents the review of the Cairngorms Nation­al Park Author­ity approaches to and con­trols in place for Risk Man­age­ment. The review has been under­taken as part of the agreed Intern­al Audit Plan for ²⁰²³⁄₂₄.

Recom­mend­a­tions

The Audit and Risk Com­mit­tee is asked to:

a) Con­sider the intern­al aud­it­ors’ report and find­ings; b) Endorse the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

Exec­ut­ive Summary

1. Azets have com­pleted their intern­al audit review of the Cairngorms Nation­al Park Authority’s approach to risk man­age­ment. The review comes at a time when the Park Author­ity is aware of the need to trans­ition the Stra­tegic Risk Register toward the new Cor­por­ate Plan envir­on­ment and also take a lead from the Board’s newly estab­lished stra­tegic risk appet­ite. The intern­al audit report is a wel­come con­tri­bu­tion to sup­port­ing the Park Authority’s work in refresh­ing and updat­ing its approaches to Risk Management.

2. Eight recom­mend­a­tions for action have been high­lighted. Four recom­mend­a­tions are of a sig­ni­fic­ant, ​“amber”, risk rat­ing, with four at a grade 2 ​“yel­low” rat­ing. Giv­en the trans­ition­al nature of the Park Authority’s approach to risk man­age­ment and the tim­ing of this intern­al audit, it is not sur­pris­ing to see a rel­at­ively large num­ber of intern­al audit actions raised.

Audit and Risk Com­mit­tee Paper 1

22 Septem­ber 2023 Page 2 of 2

1. The recom­mend­a­tions have been accep­ted by man­age­ment and will be worked on over the com­ing months, with a tar­get of present­ing a draft update of the stra­tegic risk man­age­ment approach to the Board in Novem­ber 2023.

2. The grad­ing of some recom­mend­a­tions around con­trol object­ive 2, the require­ment for a clearly defined and con­sist­ently applied approach for the accur­ate, and timely iden­ti­fic­a­tion, eval­u­ation and report­ing of stra­tegic and oper­a­tion­al risks, has been debated with the intern­al aud­it­ors. The man­age­ment responses to two of the recom­mend­a­tions fall­ing with­in this con­trol object­ive reflect those dis­cus­sions with the intern­al aud­it­ors. Irre­spect­ive of the grad­ing of the recom­mend­a­tion, the dir­ec­tion of the sug­ges­ted con­trol improve­ment in these areas is accepted.