241025ARCtteePaper3Annex1StrategicRiskRegister
Audit and Risk Committee Paper 6 Annex 1
27 September 2024
| Risk reference | Theme | Risk category | Risk description | Mitigation/controls in place | Current impact | Current likelihood | Risk score | Trend | Comment | Planned actions | Due date | Risk appetite | Target impact | Target likelihood | Target risk score | Risk owner | Date last updated |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | All | Resources — financial | Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternative, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | 5 | 4 | 20 | Static | Risk escalation reflects Scottish Government’s continued and heightened concerns on forward stability of current financial allocations; risk of in-year adjustments, and risk over future year funding levels. Despite a good settlement for 2024 – 25, the risk of in-year adjustments remains a concern. All mitigating actions in place and operational. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Remedial: scenario planning on forward budget modelling to prepare options for future resource allocations within final allocations, based on funding parameters suggested by sponsorship team. | Ongoing | Open | 4 | 3 | 12 | David Cameron | 21/10/2024 |
| 2 | All | Resources — financial | Risk of C2030 match funding not being secured — current match funding in bid not fully committed and/or for one year only in many areas. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA and importance of Peatland Restoration funding to inward investment by NLHF. Remedial: Discussions with Transport Scotland on funding for active travel design work. | 5 | 4 | 20 | Escalating | Funding for 2024 – 25 Peatland Restoration has been secured at £3.5m. This provides a suitable level of match funding for the C2030 programme, in line with the programme’s 5‑year budget. Active Transport funding changes and impacts have impacted expected match funding in 2024⁄25 and are being escalated to Transport Scotland and our sponsor team. | Preventative: strategic discussions progressing on approach by Transport Scotland to Active Transport / Active Communities funding Preventative: high profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate. Prevantative: consideration of new, wider match funding opportunities. | Ongoing | Open | 4 | 2 | 8 | David Cameron | 18/09/2024 |
| 3 | All | Resources — staffing | There are perceived gaps in our skill set with respect to: procurement processes, recruitment of technical staff, ability to undertake necessary due diligence on output from consultants and contractors. — Risks that procurement and wider skill set capacities are insufficient to meet the evolving needs of the organisation. — Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. — Financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards. | Preventative: Recruitment of Procurement Officer Preventative: Support secured from Scotland Excel (and from Central Government Procurement Shared Services (CGPSS) if required). | 5 | 3 | 15 | Static | Recruitment to new Procurement Officer post achieved. Programme of improvement in procurement processes, procedures and controls underway, including establishment of new Procurement Strategy. Construction projects of the size anticipated within the C2030 programme are new to the organisation. We need to improve our knowledge of Construction Design Management Regulations (CDM) and contracts (NEC4). We lack experience in producing briefs and reviewing tenders of this size and type. Improvements in our skill set will also benefit: peatland restoration, river restoration, construction of paths, active travel projects. | Preventative: additional support from LL&TNPA requested Preventative: Options for training of wider staff group under investigation — supported by Scotland Excel. Remdial: procurement action plan developed from internal audit recommendations; reviewed monthly by Chair / Vice Chair of ARC. Target date for completion of key improvements 31.03.25 (extended from 31/12/24). SG budget controls may delay training until the first quarter of 2025⁄26. | 31/12/2024 | Cautious | 4 | 1 | 4 | David Cameron | 18/09/2024 |
| 4 | Nature & conservation | Strategic delivery | The Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime. | Preventative: licencing arrangements contribute to more effective control framework. Tracker/satellite monitoring deployed for some raptors. Remedial: NPPP development processes used to explore partnership attitudes, engagement and powers. | 4 | 4 | 16 | Static | Action on wildlife crime depends on the development, delivery and design of strategic partnerships. Financial constraints within the public and third sectors is likely to reduce the level of resource available to tackle this issue. | Remedial: Development/strengthening of strategic partnerships. | Ongoing | Open | 4 | 3 | 12 | Andy Ford | 30/01/2024 |
| 5 | All | Resources — staffing | Increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured. Planning and other specialist staff (IT, procurement, finance) requirements impacted by national labour/skills shortages and/or salary structures not sufficiently competitive to attract or retain key staff. | Preventative: focus on training and development and internal succession planning, in turn bringing recruitment into less experienced/less highly skilled markets and developing pipeline of qualified staff Preventative: consideration given to job design, creating roles with more seniority (higher grades), and flexibility of offer regarding part-time/ job share. | 3 | 3 | 9 | Decreasing | Evidence of reducing number of applicants and candidate lists for vacancies ongoing, while trend in unsuccessful recruitment exercises has been acted on with no recent unsuccessful recruitment. Successful recent recruitment in difficult sectors including procurement and planning. | Preventative: Review our salary structures and benchmark these against organisations with whom we might compete for staff, particularly in the local area. Use this evidence to inform future pay structure/awards. Remedial: contingency planning for example around out-sourcing of aspects of delivery eg establish call-off framework for consult planning services. | 31/03/2025 | Open | 2 | 3 | 6 | David Cameron | 21/10/2024 |
| 6 | All | Systems development | Supporting speed of organisational change prevents required development and embedding of effective support systems. The speed / scale of operational demand for support from corporate systems is such that we are always fire-fighting and giving the best advice and support we can. However, that ongoing fire-fighting and immediate advice prevents us having sufficient time to design, develop and implement new systems to better suit the new organisation. | Remedial: recruitment of additional staff to corporate function during 22⁄23 and 23⁄24. Remedial: project management training provided Remedial: development of improved systems/ways of working through better use of M365 applications Remedial: Implement new finance system to support wider digitisation of systems and effective financial reporting | 4 | 4 | 16 | Escalating | Assessment of the impact of new/additional activities on corporate systems and resources should be part of the initial considerations of these activities. Staff recruitmet has been seccessfully completed. Key work on improving organisational internal control systems and digitisation of systems is progressing well. New finance system implementation is underway. | Remedial: apply resource to development of improved systems/ways of working — new finance system due to be installed by 31/12/24; new project initiation control under development Remedial: provide training — procurement and in wider assessment of project impacts at initiation stage | 31/12/2024 | Open | 3 | 2 | 6 | David Cameron | 21/10/2024 |
| 7 | All | Resources — staffing | Scottish Government Main Group award 2023⁄25 creates significant financial pressure on the Park Authority’s resource budget for 2024⁄25, with the potential to affect positive relationships with the Union, staff morale and motivation, recruitment and retention. | Preventative: development of pay models to identify the potential cost to the Park Authority of following the Main Group position & consider the impact of potential pay strategies on the developing budget position for 2024⁄25; consider pay award dates and staged awards as tools to meet expectations while maintaining affordability Preventative: Staff and financial resources considered during budget development process for 24⁄25. | 3 | 3 | 9 | Managed | Pay models developed are being accommodated within the budget, based on indicative Grant-in-Aid funding for 2024⁄25. | Open | 3 | 3 | 9 | David Cameron | 25/07/2024 | ||
| 8 | All | Resources — staffing | Our Corporate and Operational Planning systems do not adapt to delivery of major funded programmes alongside delivering ‘core’ national park objectives. This leads to workforce stretch between 3rd party funding delivery and ‘core’ corporate plan activities with increased risks of stress and reduced morale. | Preventative: Strategic and operational plans developed with externally funded project delivery as intrinsic elements of plans to ensure delivery capacity is considered fully. Preventative:Importance of staff management and task prioritisation reinforced through leadership meetings. Preventative:Focus on fewer, larger impact projects (C2030). Remedial: Performance Development Conversations (PDCs) being deployed regularly with all staff to check on staff workloads, with 2 way flows of communications enabled through that process on staff workload and capacity. Preventative: Staff and financial resources for C2030 considered alongside operational plan activity as part of budget development process for 24⁄25. | 3 | 3 | 9 | Managed | Additional recruitment has alleviated key staff pressure points. Fixed term staff contracts reviewed throughout the year. Staff survey results (23÷24) positive. Impact score of 3 reflects the risks inherent in the likely intensity of work during initial stages of C2030.Likelihood of risk therefore held static. Impact of measures and risk profile will continue to be closely monitored through staff management processes. | 3 | 3 | 9 | David Cameron | 25/07/2024 | |||
| 9 | All | Technical | CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. Use of AI increases risk of cyber security threats such as spear-phishing. | Preventative: Daily review of Scottish Cyber Coordination Centre threat summaries, with follow up action taken (eg patching) as appropriate. Preventative/remedial: Collaboration with LL&TNPA provides support. Preventative: Transition to Sharepoint complete; R‑drive now a read-only repository, reducing risk of threats from outside the organisation. Preventative: implement Cyber Security Plus controls | 5 | 3 | 15 | Static | Internal audit report on IT Strategy sets out key actions in this area of risk management around IT Strategy development, project management and costing of IT action plans to be implemented. Movement into Microsoft 365 deployment and cloud based systems continues. Consideration given to effectiveness of shared services with LL&TNPA. Development of the IT operational risk register has identified potential for structural improvement. These considerations to be developed further (potential for external consultancy to develop our IT strategy organisational development, technical improvements and upskilling). Cyber essentials accreditation achieved; audit towards essentials plus accreditation underway (11÷09÷24). A review of IT staff role descriptions now completed; renewed focus on IT actions plans will flow from that. Work on the information management plan will produce greater resilience of data and access to key information when complete. | 31/12/2024 | Cautious | 3 | 2 | 6 | David Cameron | 21/10/2024 | |
| 10 | All | Technical | Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | Preventative: Development of hybrid working methods and cloud computing approaches have improved the organisation’s resilience. Remedial: develop updated business continuity plan and embed its provisions | 5 | 4 | 20 | Static | Work on BCP assisted in roll out of initial and ongoing responses to Coronavirus pandemic. Now that hybrid working arrangements are embedded, there is a need to reconsider BCP. | Preventative: proposed consultancy to develop new BCP | 31/03/2025 | Cautious | 5 | 1 | 5 | David Cameron | 21/10/2024 |
| 11 | All | Reputation | Reputational damage may result from: — Unrealistic expectations of what the Park Authority and its partners can achieve in the face of the significant risks presented by climate change, species extinction, flood management and fire; and/or — Disagreement between the Park Authority and stakeholder groups within the Park. | Preventative: Existing strategic partnerships and stakeholder relationships help to create a wider understanding of the factors that are within, and those that are outside the control of the Park Authority and its partners. | 5 | 3 | 15 | Decreasing | Scoring reviewed following overview of NPPP delivery to be submitted to board in September,with likelihood decreased from 4 to 3. Stakeholder relationship database now designed and under development | Preventative: Management of expectations through: — Targeted communications — Further development of stakeholder relationships. — Development/strengthening of strategic partnerships. — Ongoing assessment of operational risk management and mitigation in our communications. — Development of stakeholder relationship database | Ongoing | Open | 3 | 3 | 9 | Grant Moir | 21/10/2024 |
| 12 | All | Resources — staffing | Scottish Government pay remit for 24⁄25 is lower than desired pay award. Pay expectations of staff may not be met, leading to issues with pay alignment with other NDPBs and consequent effect on staff morale and motivation | Preventative: Development and submission of business case for pay alignment in keeping with SG national two-year sectoral pay award. | 4 | 4 | 16 | Decreasing | SG remuneration Group turned down initial business case. Amended business case submitted and approval received end Aug 24. Staff consultation underway to end Oct. Seasonal staff position resolved satisfactorily. | Remedial: business case submitted to SG; attendance at Remuneration group July 2024; staff consultations Oct 24; action on seasonal pay arrangements Oct 24. | 31/12/2024 | Open | 1 | 2 | 2 | David Cameron | 21/10/2024 |