| 1 A1 | All | Resources — financial | Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternative, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | 5 | 3 | 15 | Allocations for 2025⁄26 financial year provide a good settlement sufficient to cover planned delivery against corporate plan objectives. Mitigation actions have supported positive risk management. Risk Decreasing decreasing while recognisiing allocations remain subject to approval of Scottish budget, with residual risk around in year adjustments.Award of £1.19 million from NRF confirms success of mitigation approaches. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Remedial: scenario planning on forward budget modelling to prepare options for future resource allocations within final allocations, based on funding parameters suggested by sponsorship team. | Open | David Cameron | 20/01/2025 |
| 2 | All | Resources — financial | Risk of C2030 match funding not being secured — current match funding in bid not fully committed and/or for one year only in many areas. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA and importance of Peatland Restoration funding to inward investment by NLHF. Remedial: Discussions with Transport Scotland on funding for active travel design work. | 4 | 2 | 8 | Funding for 2025 – 26 Peatland Restoration has been secured at £4.33m. This provides a suitable level of match funding for the C2030 programme, in line with the programme’s 5‑year budget. Peatland restoration delivery profile is healthy, with expectation that sufficient will be spent within the year to meet required contribution to C2030 delivery. Funding for Active Communities projects now in place (Transport Scotland). Contractor for RIBA stages 3 and 4 design work now appointed. Transport Scotland funding awarded must be used by 31 March 2026, the short time-frame putting pressure on delivery. Continuation of the projects past design stage 3 will require an additional award of funding for 2026⁄27. | Preventative: focus over 2025 on match funding position and consequent impacts to ensure C2030 programme plans and financing of them fully aligned by end of year. Preventative: high profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate. Prevantative: consideration of new, wider match funding opportunities. | Open | David Cameron | 02/09/2025 |
| 3 | All | Resources — staffing | There are perceived gaps in our skill set with respect to: procurement processes, recruitment of technical staff, ability to undertake necessary due diligence on output from consultants and contractors. — Risks that procurement and wider skill set capacities are insufficient to meet the evolving needs of the organisation. — Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. — Financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards. | Preventative: Recruitment of Procurement Officer Preventative: Support secured from Scotland Excel (and from Central Government Procurement Shared Services (CGPSS) if required). Preventative: Consider delivery through partners with construction project delivery experience where appropriate to delivery objectives. Remedial: use of legal support or other outsourced support where required Preventative: licencing arrangements contribute to more effective control framework. | 3 | 3 | 9 | Recruitment to new Procurement Officer post achieved. Programme of improvement in procurement processes, procedures and controls underway, including establishment of new Procurement Strategy. Construction projects of the size anticipated within the C2030 programme are new to the organisation. We need to improve our knowledge of Construction Design Management Regulations (CDM) and contracts (NEC4). We lack experience in producing briefs and reviewing tenders of this size and type. Improvements in our skill set will also benefit: peatland restoration, river restoration, construction of paths, active travel projects. | Preventative: additional support from LL&TNPA requested Preventative: Options for training of wider staff group under investigation — supported by Scotland Excel. Remedial: procurement action plan developed from internal audit recommendations; reviewed monthly by Chair/Vice Chair of ARC. Target date for completion of key improvements 31.03.26 (extended from 31/12/24). SG budget controls delayed training until the first half of 2025⁄26. | Cautious | David Cameron | 12/05/2025 |
| 4 A24 | Nature & conservat | Strategic delivery | The Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime. | Tracker/satellite monitoring deployed for some raptors. Remedial: NPPP development processes used to explore partnership attitudes, engagement and powers. | 4 | 4 | 16 | Action on wildlife crime depends on the development, delivery and design of strategic partnerships. Financial constraints within the public and third sectors is likely to reduce the level of resource available to tackle this issue. | Remedial: Development/strengthening of strategic partnerships. | Open | Andy Ford | 20/01/2025 |
| 5 | All | Systems development | Supporting speed of organisational change prevents required development and embedding of effective support systems. The speed / scale of operational demand for support from corporate systems is such that we are always fire-fighting and giving the best advice and support we can. However, that ongoing fire-fighting and immediate advice prevents us having sufficient time to design, develop and implement new systems to better suit the new organisation. | Remedial: recruitment of additional staff to corporate function during 22⁄23 and 23⁄24. Remedial: project management training provided Remedial: development of improved systems/ways of working through better use of M365 applications Remedial: Implement new finance system to support wider digitisation of systems and effective financial reporting. Preventative: design and implement project initiation controls supporting more managed timelines and fuller, earlier consideration of project plans. | 3 | 2 | 6 | Initial mitigation actions now in place and embedding, including Decreasing project initiation controls. Further reinforcement of operation of controls to be undertaken. Remedial: apply resource to development of improved systems/ways of working — new finance system due to be installed by 31/03/25; new project initiation control under development Remedial: provide training — procurement and in wider assessment of project impacts at initiation stage. Remedial: finalisation and roll-out of project initiation guidance, including assessment of any new legal implications arising from project delivery intentions. | Open | David Cameron | 17/10/2025 |
| 9 A13/A18 | All | Technical | CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. Use of Al increases risk of cyber security threats such as spear-phishing. | Preventative: Daily review of Scottish Cyber Coordination Centre threat summaries, with follow up action taken (eg patching) as appropriate. Preventative/remedial: Collaboration with LL&TNPA provides support. Preventative: Transition to Sharepoint complete; R‑drive now a read-only repository, reducing risk of threats from outside the organisation. Preventative: implement Cyber Security Plus controls | 5 | 2 | 10 | Internal audit report on IT Strategy sets out key actions in this area of risk management around IT Strategy development, project management and costing of IT action plans to be implemented. Movement into Microsoft 365 deployment and cloud based systems continues. Cyber Security Plus accreditation now in place and systems operating to those standards. Consideration given to effectiveness of shared services with LL&TNPA. | Development of the IT operational risk register has identified potential for structural improvement. These considerations to be developed further (potential for external consultancy to develop our IT strategy organisational development, technical improvements and upskilling). Cyber essentials accreditation achieved: audit towards essentials plus accreditation underway (11÷09÷24). A review of IT staff role descriptions now completed; renewed focus on IT action plans will flow from that. Work on the information management plan will produce greater resilience of data and access to key information when complete. | Cautious | David Cameron | 20/01/2025 |
| 10 A22 | All | Technical | Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | Preventative: Development of hybrid working methods and cloud computing approaches have improved the organisation’s resilience. Remedial: develop updated business continuity plan and embed its provisions | 5 | 4 | 20 | Work on BCP assisted in roll out of initial and ongoing responses to Coronavirus pandemic. Now that hybrid working arrangements are embedded, there is a need to reconsider BCP. | Preventative: proposed consultancy to develop new BCP | Cautious | David Cameron | 20/01/2025 |
| 11 | All | Reputation | Reputational damage may result from: — Unrealistic expectations of what the Park Authority and its partners can achieve in the face of the significant risks presented by climate change, species extinction, flood management and fire; and/or — Disagreement between the Park Authority and stakeholder groups within the Park. — Disinformation circulated about the Park Authority’s actions | Preventative: Existing strategic partnerships and stakeholder relationships help to create a wider understanding of the factors that are within, and those that are outside the control of the Park Authority and its partners. Preventative: communications strategy development and implementation to ensure Park Authority’s messages and information are widely received and understood by appropriate audiences | 4 | 3 | 12 | Scoring reviewed following overview of NPPP delivery to be submitted to board in September, with likelihood decreased from 4 to 3. Stakeholder relationship database now designed and under development | Preventative: Management of expectations through: — Targeted communications — Further development of stakeholder relationships. Clear positioning on the Park Authority’s role / level of involvement in significant issues | Open | Grant Moir | 17/10/2025 |
| 13 | All | Strategic delivery | The Park Authority does not adequately respond or adpat to changes in funding or policy environment at Scottish Government policy levels; from external funding sources; or in evolution of private finance investment. | Preventative: allocate senior time to engagement with Scottish Government in policy discussion and development, identifying and responding to risk implications. Preventative: proactively identify opportunities for private investment and structures to support their investment to complement and support NPPP and corporate objectives. | 4 | 3 | 12 | Positive relationships developed at senior levels on engagement with the Park Authority and our financial requirements. Work progressing on development of a private finance framework. Need identified to begin planning for end of C2030 financing period and replacement of NLHF funding within the Park Authority’s resource mix. Senior staff are fully engaged at a leadership level in Public Service Reform and wider policy evolution | - Ongoing assessment of operational risk management and mitigation in our communications. — Development of stakeholder relationship database Development/strengthening of strategic partnerships. | Open | David Cameron | 17/10/2025 |
| 14 | All | Resources — staffing | The Park Authority’s workforce is not adequately flexible to respond to changing strategic priorities or to changing operational scale | Prioritise Preventative: workforce management strategy updated and regularly reviewed to take a 5+ year forward view. Preventative: continued investment in training and development for staff supporting performance in current roles and succession / development plans. Preventative: establish an appropriate mix of permanent and fixed term staff to allow for flexibility in future structures. Remedial: retain scrutiny of all vacancies and identification of opportunities to adapt vacancies toward future needs. | 3 | 3 | 9 | Multi-year workforce management and financial forecasts established to guide actions | Finalise private finance framework Workforce management strategy reviewed by board at busiess session, October 2025. This will now guide associated policy development work following full internal consultation. Mitigation actions progressing to plan. | 31.03.26 | David Cameron | 17/10/2025 |
| 15 | All | Systems development | NPPP delivery responsibilities are not sufficiently clear Systems development across the partnership and Park Authority is expected to address more than it is capable to deliver. | Preventative: reinforce specific partner delivery responsibilities through performance management systems and reporting. Preventative: reinforce NPPP delivery linkages through grant contract terms. | 3 | 4 | 12 | NPPP Performance Management dashboard now complete. Partner engagement and clarity of responsibility to be addressed as aspect of development of 27 – 32 NPPP. | Consultation on workforce management strategy. Development of organisational policies supporting delivery of workforce management objectives. | 31.12.26 | Gavin Miles | 17/10/2025 |
| 16 | All | Technical | Evolution of the Park Authority’s range of activities and projects results in unidentified and unmitigated exposure to legal implications and associated liabilities | Preventative: undertake risk analysis overview of 2025⁄26 operational plan to identify any delivery areas with potential exposure; develop and deliver mitigation action plan | 3 | 3 | 9 | Evidence that prpoject initiation processes is working in drawing out potential legal implications of project plans. | Monitor effectiveness of system and level of any issues arising. | TBC | David Cameron | 17/10/2025 |
| 17 | Place | Strategic delivery | Uncertainties on finance, procurement, contractor capcity and partnership development combine to prevent achievement of key Cairngorms 2030 community transport infrastructure enhancements. | Preventative: pressure on external funders to make decisions within necessary timetable Preventative: revised procurement approach to simplify requirements and minimise perceived contractor risk Preventative: establish over-arching aareements with partners | 4 | 4 | 16 | Funding for Active Communities projects now in place (Transport Scotland). Contractor for RIBA stages 3 and 4 design work now appointed. Transport Scotland funding awarded must be used by 31 March 2026, the short time-frame putting pressure on delivery. Continuation of the projects past design stage 3 will require an additional award of funding for 2026⁄27. | Ongoing contact with external funders to secure funding for 2026⁄27. Development of memorandum of agreement with key local authority partner | Gavin Miles | 02/09/2025 |
