
230922AUCtteePaper1RiskManagementReport

Cairngorms National Park Authority Internal Audit Report 2023/24: Risk Management

August 2023

Contents

  • Executive Summary
  • Management Action Plan
  • Appendix A – Example Strategic Risk Register
  • Appendix B – Example Risk Scoring Matrix
  • Appendix C – Definitions

Executive Summary

Conclusion

Cairngorms National Park Authority (CNPA) has a risk management framework in place that includes a Strategic Risk Register and specific risk registers for major programmes and projects. Oversight is provided primarily by the Audit and Risk Committee (ARC) for strategic risks and by the Performance Committee for programme and project risks.

There is a need, however, to develop risk management arrangements further to better reflect the size, scale and complexity of the organisation. We have identified several areas for improvement, including the need to develop operational risk registers, to consistently score and review strategic and operational risks, and to formalise revised working practices within an updated Risk Management Strategy.

Background and scope

Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives. It is not a process for avoiding risk. When used well, it can actively encourage an organisation to take on activities that carry a higher level of risk because those risks have been identified and are being well managed, so the exposure to risk is both understood and acceptable.

In order to be effective, risk management should be embedded throughout an organisation in such a way as to facilitate the timely identification and mitigation of the risks to the achievement of business objectives. This means that risk registers should be based on CNPA's strategic and operational plans, and in particular on those risks that would prevent the achievement of strategic and operational objectives.

In accordance with the 2023/24 Internal Audit Plan, we reviewed the policies, procedures and practices in place to support robust risk management within CNPA, building on the risk appetite work being undertaken by the Board.

Control assessment

  • CNPA has a robust risk management framework, including a defined risk appetite, risk management strategy and policies for managing strategic risk.
  • There is a clearly defined and consistently applied approach for the accurate and timely identification, evaluation and reporting of strategic and operational risks.
  • Mitigating actions are identified to manage risk to within appetite and are assigned clear timescales and a responsible officer.
  • There is effective oversight of risk management, including clear reporting and (de)escalation lines at the Board, committee and senior management levels.

Improvement actions by type and priority

[Graph showing improvement actions by type and priority]

Eight improvement actions have been identified from this review, seven of which relate to the design of controls in place. See Appendix C for definitions of colour coding.

Key findings

Good practice

  • There is a clear focus on risk management and escalation within the ‘Generic Terms of Reference for all Committees’ attached to the governance committees' Terms of Reference, with clear guidance that committees should identify any risks relevant to their area and escalate these to the ARC should they be considered serious enough.
  • We confirmed through interviews with staff that the Senior Management Team has a sound understanding of the risk management framework and lines of escalation, i.e. escalating risks within relevant committees, through the Senior Management Team or directly to the ARC.
  • In May 2023 CNPA held a Board workshop both to refresh understanding of the principles behind risk appetite and to re-score the risk appetite across different themes.
  • There are specific risk registers for major programmes and projects which are reported to the Performance Committee on a regular basis.

Areas for improvement

We have identified a number of areas for improvement which, if addressed, would strengthen CNPA's control framework. These include:

  • Refreshing the Risk Management Strategy.
  • Implementing operational risk registers to ensure that operational risks related to the day-to-day activities of the organisation are recorded and monitored on a regular basis.
  • Updating the Strategic Risk Register template to include current and target scores and risk appetite.
  • Implementing a formal risk scoring methodology for the assessment of all strategic risks' current and target risk scores.

These are further discussed in the Management Action Plan below.

Impact on risk register

This review is linked to all risks on the CNPA Corporate Risk Register. Management should consider the recommendations raised throughout this report to strengthen the risk framework currently in place across the organisation.

Acknowledgements

We would like to thank all staff consulted during this review for their assistance and co-operation.

Management Action Plan

Control Objective 1: CNPA has a robust risk management framework, including a defined risk appetite, risk management strategy and policies for managing strategic risk.

1.1 Risk Management Strategy

The current CNPA Risk Management Strategy was developed in 2018 and is therefore considered out of date. The Deputy Chief Executive has confirmed that, following the revision of the risk appetite, the strategy will require updating to reflect this.

We also noted that the strategy does not detail the processes required for the maintenance of operational risk registers, outside of those for major programmes or projects. This issue is also discussed under MAP 1.2. In addition, the formal process of escalating and de-escalating risks is not currently documented within the Strategy, as also covered under MAP 4.1.

Risk

There is a risk that the lack of an up-to-date Risk Management Strategy, or of clear relevant policies, could lead to CNPA failing to successfully mitigate risks, resulting in ineffective or failed internal processes, people, systems or external events which can disrupt the flow of business operations and in turn lead to financial loss at CNPA.

Recommendation

We support the work to commence refreshing the Risk Management Strategy and recommend this is done as soon as possible. The strategy should be updated to include the procedures regarding operational risks, including how these should be identified, recorded and reported on, and the process for the escalation and de-escalation of risks should be documented.

Management Action

Recommendation agreed. This recommendation and related finding is a fair reflection of the degree of update needed in the overall risk management environment within the Park Authority, commenced with the consideration of risk appetite at board level.

  • Action owner: Deputy Chief Executive
  • Due date: 31 December 2023

1.2 Operational risk registers

CNPA maintains a Strategic Risk Register and specific programme and project risk registers. No operational risk registers are maintained to document, score and review operational risks relevant to the day-to-day activities of CNPA. As such, these risks would not be documented until such time as they became significant enough to be included within the Strategic Risk Register.

Risk

There is a risk that operational risks are not monitored to ensure they are managed within appetite, resulting in risks potentially becoming more significant over time.

Recommendation

Management should implement operational risk registers to ensure that operational risks related to the day-to-day activities of the organisation are recorded and monitored on a regular basis.

Management Action

Recommendation agreed. We will work through the Operational Management Group in order to establish an appropriate framework for operational risk management.

  • Action owner: Deputy Chief Executive
  • Due date: 31 December 2023

Control Objective 2: There is a clearly defined and consistently applied approach for the accurate and timely identification, evaluation and reporting of strategic and operational risks.

2.1 Risk Register Template

The current Strategic Risk Register template utilised by CNPA does not include the following detail:

  • Risk Category
  • Risk Appetite
  • Current Score (linked to MAP 2.2)
  • Target Score (linked to MAP 2.2)
  • Due date for mitigating actions

From discussions with the Deputy Chief Executive it was noted that management felt that including the risk scoring on the risk register may lead to discussion focusing on the scoring rather than on the wording of risks or mitigating actions.

Whilst this is acknowledged, it is essential to show risk scores and appetite on the risk register template to provide sufficient information to the ARC and Board on the overall risk exposure of the organisation, including whether this is in line with the defined risk appetite of the Board and the impact that mitigating actions are having on this exposure. Further, it was noted from discussions with non-executive members that this information would be helpful in allowing the ARC to fully discharge its duties in relation to risk.

An example Strategic Risk Register has been provided in Appendix A.

Risk

There is a risk of a lack of clarity over the risk exposure of the organisation, including whether risks are being treated in line with risk appetite, as a result of the absence of a clear scoring methodology, resulting in risks potentially being under- or over-treated.

Recommendation

The Strategic Risk Register template should be updated to include the following areas:

  • Risk Category
  • Risk Appetite
  • Current Score
  • Target Score
  • Due date for mitigating actions

Management Action

Recommendation accepted. We will revise risk register formats in the context of the suggestions of this report and will review our approaches to monitoring risk management accordingly.

We note from a management perspective that we believe this action area to be graded too highly. Our presentation of risk management has sought to encourage strategic discussion of the risk environment and risk management trends rather than risk ‘descending’ into more transactional discussions on risk scores. We believe overly detailed risk presentation has the potential to divert strategic level discussion away from the key subject of effective risk management onto more detailed matters of risk categorisation and scoring. We do not accept that the absence of the specified elements within the current risk register represents a “high risk exposure” in terms of the action grading. We have made this point to the internal auditors.

  • Action owner: Deputy Chief Executive
  • Due date: 31 December 2023

2.2 Risk scoring

There is currently no risk scoring matrix utilised to record the current and target risks on the Strategic Risk Register. The Deputy Chief Executive noted that risks would have been scored at inception but have not been formally scored since. We have been unable to obtain evidence of this initial scoring. We noted that the Strategic Risk Register template states: ‘Aim through mitigation to reduce Likelihood (LL) multiplied by Impact (IM) risk score to below 10 as acceptable risk value’; however, it is not clear what the current risk scores are in relation to this, nor whether the target of ‘10’ was tied to the CNPA risk appetite.

Furthermore, the trend analysis outlined within the register is based on discussion within the Senior Management Team on whether they feel mitigating actions are effectively addressing risks, rather than on a formal scoring methodology. There is currently no documentation of the risk scoring process within the Risk Management Strategy, with guidance for staff on the scoring of risks upon identification, including how the target scores and mitigating actions should be tied to the organisation's risk appetite.

An example scoring matrix has been included in Appendix B.

Risk

There is a risk of a lack of clarity over the severity of the risks included within the Strategic Risk Register as a result of the absence of a clear scoring methodology, resulting in risks potentially being under- or over-managed.

Recommendation

A formal risk scoring matrix should be documented and utilised to score the risks on strategic and operational risk registers, with a current and target risk score documented along with a trend analysis for each risk. This scoring should align to the risk appetite relevant to the area.

Management Action

Recommendation accepted – we will incorporate more integrated, regular scoring of risks within the approach to risk management.

We note from a management perspective that we believe this action area to be graded too highly. Our presentation of risk management has sought to encourage strategic discussion of the risk environment and risk management trends rather than risk ‘descending’ into more transactional discussions on risk scores. We do not accept that the absence of the specified elements within the current risk register represents a “high risk exposure” in terms of the action grading. We have made this point to the internal auditors. We believe that the retained presence of risks on the strategic risk register has adequately signified that the level of risk profile remains such that it warrants inclusion in the register.

  • Action owner: Deputy Chief Executive
  • Due date: 31 December 2023

2.3 Risk reporting

The Risk Management Strategy notes that the Board will review the status of strategic risks twice per year, at the time delivery against strategic plans is presented by staff. We reviewed Board minutes for the past 12 months and found that the Board has not reviewed the Strategic Risk Register during this time.

It is noted that this was a transitional year for the organisation as a result of the move from the 2018 to 2022 Corporate Plan to the 2023 to 2027 Corporate Plan. We confirmed that the Audit and Risk Committee continued to review the Strategic Risk Register during this time.

Risk

There is a risk of a lack of clarity at Board level of the risk exposure being faced by CNPA, potentially impacting on the Board's ability to shape responses in line with risk appetite and leading to an increase in the impact and severity of the risks, resulting in CNPA not being able to achieve its strategic objectives.

Recommendation

Management should ensure the Strategic Risk Register is reviewed by the Board twice a year in line with the Risk Management Strategy.

Management Action

We agree that the board should continue to review the strategic risk management position twice each year. As highlighted in the above narrative, the ARC has continued to review strategic risk management and the 2022/23 year has been a transitional year between corporate planning periods and with consequent transition between corporate performance reporting systems. The board reviewed the strategic risk register in September 2023 and will continue to have sight of the redevelopment and management of strategic risks moving forward.

  • Action owner: Deputy Chief Executive
  • Due date: 30 June 2024

2.4 Risk training

The last risk management training provided to the Board was pre-COVID-19, and there have been a number of changes to the Board composition since then. The Deputy Chief Executive noted that he intends to commission training towards the end of 2023 upon the next round of appointments. From our discussions with Non-Executive members it was felt that risk training for the whole Board and members of management would be beneficial.

Risk

There is a risk that Non-Executive members and staff do not have a clear understanding of the risk management principles being used by CNPA, resulting in risks not being identified or scrutinised sufficiently.

Recommendation

We support management's intention to undertake risk management training and recommend this includes all key principles of risk management (identification, scoring, reporting etc.), taking into consideration the other recommendations raised in this report.

Management Action

As noted, we will look to schedule risk management training for the full board on completion of a significant round of appointments of members since September 2022. Board time has been fully used over the last few years given wider pressures of COVID and NPPP / Corporate Plan development, together with other governance issues raised to be dealt with urgently.

  • Action owner: Deputy Chief Executive
  • Due date: 31 March 2023

Control Objective 3: Mitigating actions are identified to manage risk to within appetite and are assigned clear timescales and a responsible officer.

3.1 Mitigating actions

We identified that, while the current Strategic Risk Register template includes mitigating actions and comments, it can be difficult to delineate between actions which have been implemented and planned actions. It is also not clear whether the trend analysis is based on the implemented actions only or includes the planned actions. Further, there is a lack of detail regarding the impact the planned actions will have on the risk and whether these are the only actions considered necessary to manage the risk within appetite.

An example Risk Register template is provided in Appendix A, utilising an existing CNPA strategic risk in order to demonstrate the delineation between actions implemented or ongoing and those planned.

Risk

There is a risk that staff and Board members are unclear on the mitigating actions still required for implementation and the impact these will have on the overall risk score.

Recommendation

The Risk Register template should be updated to differentiate between implemented actions and those which still require implementation, and to record the due date by which these actions are planned to be in place.

Management Action

Recommendation agreed.

  • Action owner: Deputy Chief Executive
  • Due date: 30 March 2024

Control Objective 4: There is effective oversight of risk management, including clear reporting and (de)escalation lines at the Board, committee and senior management levels.

4.1 Escalation and de-escalation of risks

At present, those responsible for operational areas manage operational risks as part of business-as-usual activity until they feel the risk can no longer be managed in this way. At this point, it is escalated to the Senior Management Team, who discuss whether an addition to the Strategic Risk Register is required. If a risk requires escalation to the Strategic Risk Register, this will be raised at the next ARC meeting.

Should a risk score drop to the point at which it is no longer a strategic risk, it is removed from the Strategic Risk Register following a decision by the ARC. Due to the lack of operational risk registers, such risks are then no longer captured, unless specifically related to a programme or project.

The escalation and de-escalation processes are not currently documented within the Risk Management Strategy or any supporting procedures.

Risk

There is a risk that staff are unclear on the process for escalating risks, or for continuing to manage risks at an operational level should they be de-escalated, resulting in risks potentially being missed or increasing.

Recommendation

Management should clearly document the process for the escalation and de-escalation of risks within the Risk Management Strategy (linked to MAP 1.1).

Management Action

Recommendation agreed.

  • Action owner: Deputy Chief Executive
  • Due date: 31 March 2024

Appendix A – Example Strategic Risk Register

[Table showing example strategic risk register]

Appendix B – Example Risk Scoring Matrix

[Table showing example risk scoring matrix]

Appendix C – Definitions

Control assessments

  • R: Fundamental absence or failure of key controls.
  • A: Control objective not achieved — controls are inadequate or ineffective.
  • Y: Control objective achieved — no major weaknesses but scope for improvement.
  • G: Control objective achieved — controls are adequate, effective and efficient.

Management action grades

  • 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
  • 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
  • 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
  • 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.

© Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales, Registered No. 09652677 / VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.
