Please be aware the content below has been generated by an AI model from a source PDF.

231124ARCPaper7Appendix1Riskmanagementstrategy

Risk management strategy

Louise Allen (October 2023)

Introduction

  1. Risk management is the process of identifying, assessing and controlling the uncertainties and opportunities associated with the delivery of the organisation’s objectives. These uncertainties and opportunities can arise from events that are internal or external to the organisation.

  2. To be effective, risk management should operate throughout the organisation. Strategic risk management focuses on the delivery of longer-term corporate objectives, for example those set out in the Corporate Plan. Operational risks relate to the activities set out in the Operational Plan, and to specific project and activity plans.

  3. At the broadest level, risk management is a system of people, processes and technology that enables an organisation to secure objectives in line with values and risks. Through our risk management processes we seek to apply resources to minimise, monitor and control the impact of negative events, while maximising the opportunities offered by positive events. A consistent and integrated approach to risk management, operated throughout the organisation at both strategic and operational levels, determines how best to identify, manage and mitigate significant risks.

  4. Those responsible for overseeing the delivery of the Park Authority’s objectives need to establish their risk appetite, that is, the extent to which they are willing to accept a degree of uncertainty around strategic and operational objectives. Our risk management approach seeks to evaluate risk, to determine the potential to reduce or mitigate these risks, and then to decide whether the remaining levels of risk are acceptable within the organisation’s risk appetite.

Risk management – underlying principles

  1. The UK Government publication The Orange Book (Management of Risk – Principles and Concepts) sets out the underlying principles to be applied by public bodies to the management of risk.
  • Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed and controlled at all levels.
  • Risk management shall be an integral part of all organisational activities to support decision-making in achieving objectives.
  • Risk management shall be collaborative and informed by the best available information and expertise.
  • Risk management processes shall be structured to include:
    • risk identification and assessment, to determine and prioritise how the risks should be managed;
    • the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level;
    • the design and operation of integrated, insightful and informative risk monitoring; and
    • timely, accurate and useful risk reporting to enhance the quality of decision-making, and to support management and oversight bodies in meeting their responsibilities.
  • Risk management shall be continually improved through learning and experience.

The management of strategic risks

  1. Risk management in the Park Authority is led from the strategic level. The Board agrees the long-term Corporate Plan for the organisation and establishes a strategic risk register identifying the main risks that could impact the achievement of the long-term priorities and objectives adopted within that Plan. The Board, with the support of officers, also establishes a set of mitigation actions focused on reducing the levels of uncertainty – whether the likelihood of a risk occurring, or its impact should it occur – to acceptable levels wherever possible.

  2. The Board is responsible for managing the approach to strategic risk in delivery of its long-term goals, and achieves this by integrating its review of the strategic risk position as an embedded element of its regular review of Corporate Plan delivery. The status of strategic risks is assessed twice each year, at the same time as updates on delivery against strategic plans are presented by staff. Embedding these processes ensures that risk management remains relevant and directly linked to the monitoring of delivery of the Authority’s objectives.

  3. The completeness of the Authority’s risk register can be assessed at these points, as can the effectiveness of mitigation actions. Newly emerging uncertainties or opportunities, and the planned approach to them, can be added, while any risks that have been adequately reduced and can be evidenced as effectively managed and mitigated can be removed from the risk register.

  4. Between Board meetings, responsibility for monitoring strategic risk management, and the coverage of the risk register and management action, is delegated to the Board’s Audit and Risk Committee. Both the Executive and the Senior Management Team also undertake regular reviews of the risk register as an integral part of the wider risk management and assurance systems within the Park Authority.

Risk appetite

  1. Risk appetite is the level of risk that an organisation is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as “the amount and type of risk that an organisation is prepared to pursue, retain or take”. This concept helps guide an organisation’s approach to risk and its management.

  2. The Board communicates its appetite in relation to strategic risks, defining its position relative to each theme within the Corporate Plan. Appetite towards operational risks is determined by the Head of Service responsible for each theme within the Operational Plan.

  3. Risk appetite will change over time and according to circumstances. For example, financial constraints may result in less flexibility in the application of funds to meet objectives, and this may make us risk averse; funding at a level that allows us to be confident of financing all our objectives would make it easier for us to accept a higher level of risk. Consequently, risk appetite should be challenged periodically. As part of the quarterly review of the registers, consideration will be given to the appropriateness of the risk appetite parameters applied, given current circumstances both within the Park Authority and externally in the wider environment.

  4. Risk appetite determines the level of residual risk the organisation is willing to accept. For the purposes of risk evaluation, we consider risk appetite within five categories. Each of these categories is aligned with a risk score that defines the level of residual risk, as set out in the table below:

Category | Definition | Maximum residual risk score
Averse | Accept no risk / terminate risk. Actively limit and avoid risk. Avoid actions with any risk exposure. | 0
Minimal | Minimise risk. Accept a low level of risk in pursuit of strategic goals and priorities. Avoid innovation unless essential. | 3
Cautious | Considered risk taking allowed, where benefits outweigh risks. Innovation generally avoided unless necessary. Preference towards safe delivery models with minimal uncertainty about benefits/loss. | 6
Open | Take risk if the expected reward warrants it, within limits. Open to investment and innovation, with some loss accepted within limits. | 12
Eager | Actively embrace innovation and change. Willing to accept risk/losses in the pursuit of exceptional benefits. | 75

  5. Mitigation activities should be designed so as to reduce the original risk score to the desired value of residual risk.

The management of operational risks

  1. Management of operational risks is the responsibility of the Senior Management Team. Each service, led by its Director and Head of Service, establishes an operational risk register identifying the main risks that could impact on the achievement of the operational priorities and objectives adopted within the annual Operational Plan for which that service is responsible. Each service establishes a set of mitigation actions focused on reducing, to acceptable levels wherever possible, the levels of uncertainty (in respect of both occurrence and impact) which may impact on delivery plans.

  2. The status of operational risks is assessed quarterly as a standing agenda item for the Operational Management Group. This quarterly review provides the opportunity to consider the completeness of the operational risk register, the potential interaction of risks and dependencies for mitigation actions between services, and the effectiveness of mitigation actions. Where there is concern that the likelihood and/or impact of a risk is increasing, or that mitigation actions are proving ineffective, the matter should be escalated to Senior Management.

Risk management process

  1. The process of risk management involves risk identification, risk analysis and assessment, and risk mitigation and monitoring.

  2. Risk identification is the process of identifying and assessing both threats to the organisation, its operations and its workforce, and potential impacts from taking up identified opportunities. For example, risk identification may include assessing pressures on staff (additional workload may arise from the opportunity to undertake new projects), the impact of cyber security breaches, threats to species or conservation activities, and other potentially harmful events that could disrupt operations.

  3. Risk analysis involves establishing the probability that a risk event might occur and the potential outcome or impact of each event. Risk evaluation compares the magnitude of each risk and ranks them according to prominence (likelihood) and consequence (impact).

  4. Risk mitigation refers to the process of planning and developing methods and options to reduce threats to the Park Authority’s objectives.

  5. Risk management is a continuous process that adapts and changes over time. Repeating and continually monitoring the processes helps assure maximum coverage of known and unknown risks. The process starts at the planning stage of all programmes and projects. All plans and project developments are expected to be designed on a risk-managed basis. This requires both an awareness of strategic risk management actions and a more specific focus on the management of lower-level operational risks.

Risk response strategies and treatment

  1. There are five commonly accepted strategies for addressing risk. The process begins with an initial consideration of risk avoidance, then proceeds to three additional methods of addressing risk (transfer, spreading and reduction). Ideally, these three methods are employed in concert with one another as part of a comprehensive strategy. Some residual risk may remain.
  • Risk avoidance – Avoidance is a method for mitigating risk by not participating in activities that may negatively affect the organisation. For example, not starting a particular activity or project would avoid the risk of loss.
  • Risk reduction – This method of risk management attempts to minimise the loss rather than completely eliminate it. While accepting the risk, it stays focused on keeping the loss contained. An example of this is the purchase of an employee assistance programme as preventative care, as part of our commitment to the wellbeing of staff and the reduction of risks caused by staff absence.
  • Risk sharing – When risks are shared, the possibility of loss/disbenefit is transferred from the individual to the group. Much of the work of the Park Authority depends on collaboration with partners, and such partnership working is likely to involve the sharing of risk. For example, the Palladium partnership manages the risk associated with the private financing of peatland restoration, while the Park Authority manages reputational risk and innovation risk around community benefit models, procurement and community attitudes to land management.
  • Transferring risk – Contractually transferring a risk to a third party, such as insurance to cover possible property damage or injury, shifts the risks associated with the property from the owner to the insurance company. Motor vehicle insurance is included in our fleet agreements; we also ensure that members of staff using their own cars on Park Authority business are covered by their own personal insurance policy for business use.
  • Risk acceptance and retention – After all risk sharing, risk transfer and risk reduction measures have been implemented, some risk will remain, since it is virtually impossible to eliminate all risk (except through risk avoidance). This is called residual risk.

Risk management procedure

  1. The Corporate Plan defines the organisation’s objectives for the next planning period (e.g. Corporate Plan 2023 – 27). The Operational Plan sets out the objectives for the coming financial year. The uncertainties (risks and opportunities) associated with each objective within the plan are considered. It may be helpful to consider each objective against the specific categories of risk listed in Appendix 1. Strategic risks are likely to be distilled from the Corporate Plan, with the Operational Plan being the likely source of operational risks. However, the interaction between strategic and operational risks should be considered throughout the risk management process.

  2. The process of risk identification and management should run in parallel with budget setting and budget management/monitoring activities. Budget allocations should be made with due consideration of costs that may arise from the need to manage/mitigate the risks inherent in particular activities or projects.

  3. The identified risks are analysed according to likelihood of occurrence and their potential impact; they are evaluated using the scoring matrix shown in Appendix 2. Possible scores range between 1, where likelihood is rare and impact negligible, and 25, where likelihood is very high and impact is also very high. The allocated risk scores are then used to establish the relative importance of the population of risks, allowing focus to be given to the highest scoring risks, their management and mitigation.

  4. Each risk is entered into the risk register. The controls currently in place to manage the risk are described, and the assessment of likelihood and impact is noted, along with the overall risk score. Actions to mitigate the risk are devised. Risk appetite is established, and target risk scores are evaluated according to this appetite, the overall target score indicating the level at which the risk would be considered acceptable. Each risk is given an owner, who is responsible for its monitoring and management.

  5. The risk registers record the risk trend, using the rating system shown below:

Status | Description
Managed | Managed risk: risk assessment that the risk is effectively managed and no longer a strategic risk posing potential to inhibit achievement of corporate strategic objectives. Risk can be removed from the risk register.
Decreasing | Decreasing risk: risk now assessed as having reduced likelihood and/or impact as a consequence of risk mitigation action.
Static | Static risk: risk impact and likelihood are stable. Overall strategic risk assessment is stable, indicating that strategic risk remains, requiring ongoing management and continued implementation of proposed mitigation and controls.
Escalating | Increasing risk: risk impact and/or likelihood is increasing, resulting in increasing risk of achievement of strategic objectives being inhibited. Management action, and possibly resource investment, is required to address the risk environment and possibly introduce new mitigation action, in order to reduce risk impact and/or likelihood.

  6. The Operational Risk Register is monitored by the Operational Management Group (OMG). Each quarter, a report on operational risks, highlighting any changes in their assessment, evaluation or mitigation, is presented to meetings of the Senior Management Team (SMT). The completeness of the register is also considered by the OMG, with any new risks added to the register and reported to SMT.

  7. The Strategic Risk Register is monitored quarterly by the Senior Management Team. Consideration is given to the interaction between strategic risks and operational risks, with any consequent amendments made to the register.

  8. The Strategic Risk Register is presented to each meeting of the Audit and Risk Committee for consideration and discussion.

  9. The Board reviews the strategic risk position as an embedded element of its regular review of Corporate Plan delivery. The status of strategic risks is assessed twice each year, at the same time as updates on delivery against strategic plans are presented by staff.

  10. A summary of the risk management process is set out in Appendix 3.

Escalation of risks

  1. Where there is concern about an increase in the organisation’s operational risk profile, this should be escalated immediately to the Executive team. Increased risk may arise from factors affecting the likelihood or the impact of particular risks, or through the failure of mitigation measures. An increase in risk score that moves a risk between categories (low – moderate – high – very high) must be escalated.

Score | Level
1 – 3 | Low
4 – 6 | Moderate
8 – 12 | High
>12 | Very High

Embedding Risk Management

  1. All plans and project developments are expected to be designed on a risk-managed basis. This requires both an awareness of strategic risk management actions and a more specific focus on lower-level operational risks and their management.

  2. Papers taking proposals to the Board should highlight how the proposals interact with the strategic risk register. Their effect may be to contribute to the management of existing risks, to add new risks by presenting new, untried opportunities, and/or to add new uncertainties to the Authority’s operations.

  3. Delivery plans flowing from Board decisions, and from the Authority’s operational plans, are expected to develop and follow the core risk management approaches agreed by the Authority. Plans should establish the operational and delivery risks that may impact on the achievement of objectives. They should also include an evaluation of whether, and how, the planned activities help address strategic risk management.

Appendix 1 – Risk categories

  • Strategy risks – Risks arising from identifying and pursuing a strategy which is poorly defined, is based on flawed or inaccurate data, or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (e.g. political, economic, social, technological, environmental and legislative change).
  • Governance risks – Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.
  • Operations risks – Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.
  • Legal risks – Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).
  • Property risks – Risks arising from property deficiencies or poorly designed or ineffective/inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public.
  • Financial risks – Risks arising from not managing finances in accordance with requirements and financial constraints, resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.
  • Commercial risks – Risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and/or failure to meet business requirements/objectives.
  • People risks – Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies, resulting in a negative impact on performance.
  • Technology risks – Risks arising from technology not delivering the expected services due to inadequate or deficient system/process development and performance, or inadequate resilience.
  • Information risks – Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential.
  • Security risks – Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with General Data Protection Regulation requirements.
  • Project/Programme risks – Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.
  • Reputational risks – Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures, poor quality or a lack of innovation, leading to damage to reputation and/or destruction of trust and relations.

Failure to manage risks in any of these categories may lead to financial, reputational, legal, regulatory, safety, security, environmental, employee, customer and operational consequences.

Appendix 2 – Risk scoring matrix

Risk profile scores (each cell is the likelihood rating multiplied by the impact rating, both rated 1 to 5); rows are impact, columns are likelihood:

Impact \ Likelihood | Rare | Low | Medium | High | Very High
Very High           |   5  |  10 |   15   |  20  |    25
High                |   4  |   8 |   12   |  16  |    20
Medium              |   3  |   6 |    9   |  12  |    15
Low                 |   2  |   4 |    6   |   8  |    10
Negligible          |   1  |   2 |    3   |   4  |     5
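The following Python is an added worked example, not part of the strategy document or the Park Authority's own tooling: it scores constructed register entries with the Appendix 2 matrix, maps scores to the escalation bands from the "Escalation of risks" section, flags an increase that crosses a band (which the strategy says must be escalated), and checks target residual scores against the risk appetite table. The register fields, risk ids and entry values are assumptions made up for illustration.

```python
"""Scores risk-register entries with the 5x5 likelihood x impact matrix,
maps them to escalation bands, flags band changes that must be escalated,
and checks target (residual) scores against the risk appetite table.
Register fields and entries are constructed for illustration."""
from dataclasses import dataclass

# Appendix 2: both axes are rated 1..5
LIKELIHOOD = {"Rare": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Risk appetite table: maximum acceptable residual risk score per category
APPETITE_MAX = {"Averse": 0, "Minimal": 3, "Cautious": 6, "Open": 12, "Eager": 75}

# Escalation bands: 1-3 Low, 4-6 Moderate, 8-12 High, >12 Very High
# (7 cannot occur as a product of two ratings in 1..5, so there is no gap)
BANDS = ((3, "Low"), (6, "Moderate"), (12, "High"))
BAND_ORDER = ["Low", "Moderate", "High", "Very High"]


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood rating x impact rating (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def level(risk_score: int) -> str:
    """Map a score to its Low / Moderate / High / Very High band."""
    if not 1 <= risk_score <= 25:
        raise ValueError(f"score out of range: {risk_score}")
    for upper, name in BANDS:
        if risk_score <= upper:
            return name
    return "Very High"


@dataclass
class RiskEntry:
    """One register row (hypothetical layout); previous ratings allow trend checks."""
    risk_id: str
    description: str
    appetite: str
    prev_likelihood: str
    prev_impact: str
    likelihood: str
    impact: str
    target_score: int  # residual score expected after planned mitigation


def needs_escalation(entry: RiskEntry) -> bool:
    """An increase that moves the score into a higher band must be escalated."""
    before = score(entry.prev_likelihood, entry.prev_impact)
    after = score(entry.likelihood, entry.impact)
    return after > before and BAND_ORDER.index(level(after)) > BAND_ORDER.index(level(before))


def within_appetite(entry: RiskEntry) -> bool:
    """Target residual score must not exceed the appetite category's maximum."""
    return entry.target_score <= APPETITE_MAX[entry.appetite]


def review(register) -> dict:
    """Return {risk_id: (current score, band, escalate?, target within appetite?)}."""
    result = {}
    for e in register:
        current = score(e.likelihood, e.impact)
        result[e.risk_id] = (current, level(current), needs_escalation(e), within_appetite(e))
    return result


# Constructed sample register (illustrative values, not the Authority's data)
SAMPLE_REGISTER = [
    # 8 -> 12: rises within the High band; target 8 breaches the Cautious maximum of 6
    RiskEntry("OR-01", "Cyber security breach of office systems", "Cautious",
              "Low", "High", "Medium", "High", 8),
    # 6 -> 9: Moderate to High, so it must be escalated; target 9 is within Open's 12
    RiskEntry("OR-02", "Staff workload from additional projects", "Open",
              "Low", "Medium", "Medium", "Medium", 9),
    # 16 -> 12: decreasing trend, no escalation
    RiskEntry("SR-01", "Private financing of peatland restoration", "Eager",
              "High", "High", "Medium", "High", 12),
]

if __name__ == "__main__":
    for rid, (s, band, esc, ok) in review(SAMPLE_REGISTER).items():
        print(f"{rid}: score {s} ({band}), escalate={esc}, target within appetite={ok}")
```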

Appendix 3 – Summary of the risk management process

  1. The uncertainties (risks and opportunities) associated with each objective within the corporate/operational plan are considered.
  2. Budget allocations are made with due consideration of costs that may arise from the need to manage/mitigate the risks.
  3. The identified risks are analysed according to likelihood of occurrence and their potential impact; they are evaluated using the scoring matrix.
  4. Each risk is entered into the appropriate risk register (strategic/operational). The controls currently in place to manage the risk are described, and the assessment of likelihood and impact is noted, along with the overall risk score. Actions to mitigate the risk are devised.
  5. Risk appetite is established, and target risk scores are evaluated according to this appetite.
  6. Each risk is given an owner, who is responsible for its monitoring and management.
  7. The Operational Risk Register is monitored quarterly as a standard item on the agenda of the Operational Management Group (OMG). The completeness of the register is also considered by the OMG.
  8. Each quarter, a report on operational risks is presented to meetings of the Senior Management Team (SMT). The report highlights any changes in the assessment, evaluation or mitigation of existing risks, and also provides details of new risks added to the register.
  9. The Strategic Risk Register is monitored quarterly by the Executive. Consideration is given to the interaction between strategic risks and operational risks, with any consequent amendments made to the register.
  10. The Strategic Risk Register is presented to each meeting of the Audit and Risk Committee for consideration and discussion.
  11. The Board reviews the strategic risk position as an embedded element of its regular review of Corporate Plan delivery. The status of strategic risks is assessed twice each year, at the same time as updates on delivery against strategic plans are presented by staff.