Formal Board Paper 2 Annex 5 - Strategic Risk Register
Cairngorms National Park Authority Ughdarras Pàirc Nàiseanta a’ Mhonaidh Ruaidh
Formal Board Paper 2 Annex 5 27 March 2026
Paper 2
Annex 5
| Risk Ref | Old Ref | Theme | Risk category | Risk description | Mitigation/controls in place | Current Impact | Current Likelihood | Risk Score | Trend | Comment | Planned actions | Due date | Risk appetite | Target Impact | Target Likelihood | Target Risk Score | Risk owner | Date last updated |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | A1 | All | Resources — financial | Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | - Preventative: Ongoing liaison with Scottish Government through our sponsorship team, Peatland Action Team, and Rural Communities Team highlighting achievements of CNPA. - Preventative: prepare briefing on work and priority investment for post-election budget allocations, taking on Board expectation of funding constraints. - Remedial: Focus resource on diversification of income streams to alternative, non-public income generation. - Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | 12 | 3 | 36 | Decreasing | Allocations for 2026⁄27 financial year provide a good settlement sufficient to cover planned delivery against corporate plan objectives. Mitigation actions have supported positive risk management. Risk decreasing while recognising allocations remain subject to approval of Scottish budget, with residual risk around in year adjustments in line with development of new 2027 to 2032 Corporate Plan and NPPP. Award of £1.19 million from NRF together with significant NLHF funding to 2029 confirms success of mitigation approaches. Risk associated with forthcoming election is recognised and risk profile will be reconsidered in June 26. | - Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. - Remedial: scenario planning on forward budget modelling to prepare options for future resource allocations within final allocations, based on funding parameters suggested by sponsorship team. | Ongoing | Open | 3 | 4 | 12 | David Cameron | 18/02/2026 |
| 2 | A8 | All | Resources — financial | Risk of C2030 match funding not being secured — current match funding in bid not fully committed and/or for one year only in many areas. | - Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA and importance of Peatland Restoration funding to inward investment by NLHF. - Remedial: Discussions with Transport Scotland on funding for active travel design work. - Remedial: ongoing exploration with partners to secure C2030 programme funding | 4 | 3 | 12 | Decreasing | Funding for 2026⁄27 Peatland Restoration has been secured in line with requirements. This provides a suitable level of match funding for the C2030 programme, in line with the programme’s 5‑year budget. Peatland restoration delivery profile is healthy, with expectation that sufficient will be spent within the year to meet required contribution to C2030 delivery. Funding for Active Communities projects now in place (Transport Scotland). Contractor for RIBA stages 3 and 4 design work now appointed. Transport Scotland funding awarded must be used by 31 March 2026, the short time-frame putting pressure on delivery. Continuation of the projects past design stage 3 will require an additional award of funding for 2026⁄27 which is now in application process. Discussions with HIE progressing well toward securing budgeted contribution plus potentially a slight increase. | - Preventative: high profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate. - Preventative: consideration of new, wider match funding opportunities. - Remedial: Fully updated C2030 budget development in Q1 of 26⁄27 to identify any remaing specific issues or remedial work. | Ongoing | Open | 2 | 4 | 8 | David Cameron | 18/02/2026 |
| 3 | A9 | All | Resources — staffing | There are perceived gaps in our skill set with respect to: procurement processes, recruitment of technical staff, ability to undertake necessary due diligence on output from consultants and contractors. — Risks that procurement and wider skill set capacities are insufficient to meet the evolving needs of the organisation. Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. Financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards. | - Preventative: Recruitment of Procurement Officer - Preventative: Support secured from Scotland Excel (and from Central Government Procurement Shared Services (CGPSS) if required). - Preventative: Consider delivery through partners with construction project delivery experience where appropriate to delivery objectives. - Remedial: use of legal support or other outsourced support where required | 4 | 2 | 8 | Managed | This risk now appears under effective management. As a relatively small organisation, staff turnover will have significant impacts on position. Recruitment to new Procurement Officer post achieved. Programme of improvement in procurement processes, procedures and controls well underway, including establishment of new Procurement Strategy. Construction projects of the size anticipated within the C2030 programme are new to the organisation. We need to improve our knowledge of Construction Design and Management Regulations (CDM) and contracts (NEC4). We lack experience in producing briefs and reviewing tenders of this size and type. Improvements in our skill set will also benefit: peatland restoration, river restoration, construction of paths, active travel projects. | - Preventative: explore back up arrangements — shared services and commercial back up including increasing scale of our operations if supported by shared service income from third parties - Preventative: Staff retention approaches and link to organisational devevlopment. - Remedial: Continued focus on training and development of staff | 31/03/2026 | Cautious | 2 | 4 | 8 | David Cameron | 18/02/2026 |
| 4 | A24 | Nature & conservat | Strategic delivery | Action on wildlife crime depends on the development, delivery and design of strategic partnerships. Financial constraints within the Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime. Wildlife crime is difficult to evidence and populations are affected by a variety of interrelated factors. | - Preventative: licencing arrangements contribute to more effective control framework. - Tracker/satellite monitoring deployed for some raptors. Data gathering to highlight public presence/absence | 4 | 4 | 16 | Static | and third sectors is likely to reduce the level of resource available to tackle this issue. No direct correlation between intervention and population increases due to complexity of factors, but tangible efforts demonstrate commitment to the issue. | - Remedial: NPPP development processes used to explore partnership attitudes, engagement and powers. - Remedial: Development/strengthening of strategic partnerships. | Ongoing | Open | 4 | 3 | 12 | Andy Ford | 20/01/2025 |
| 6 | A11 | All | Systems development | The speed/scale of operational demand for support from corporate systems is such that we are more reactive and focused on project specific issues rather than proactively designing effective, generic support systems/ways of working through better use of M365 applications Remedial: Implement new finance system to support wider digitisation of systems and effective financial reporting. systems. However, that ongoing fire-fighting and immediate advice prevents us having sufficient time to design, develop and implement new systems to better suit the new organisation. | - Remedial: recruitment of additional staff to corporate function during 22⁄23 and 23⁄24. - Remedial: project management training provided - Remedial: development of improved systems/ways of working including streamlining and clarifying project initiation controls. - Preventative: design and implement project initiation controls supporting more managed timelines and fuller, earlier consideration of project plans. | 3 | 3 | 9 | Static | Initial mitigation actions now in place and embedding, including further reinforcement of operation of controls to be undetaken. New finance system installed on schedule by 31/03/25; new project initiation control system implemented during 2025. | - Remedial: apply resource to development of improved systems/ways of working - Remedial: provide training — procurement and in wider assessment of project impacts at initiation stage. - Remedial: ongoing roll-out and embedding of project initiation guidance. | 31/08/2025 | Open | 2 | 3 | 6 | David Cameron | 18/02/2026 |
| 9 | A13/ A18 | All | Technical | CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. Use of AI increases risk of cyber security threats such as spear-phishing. | - Preventative: Daily review of Scottish Cyber Coordination Centre threat summaries, with follow up action taken (eg patching) as appropriate. - Preventative/remedial: Collaboration with LL&TNPA provides support. - Preventative: advisory internal audit commissioned Jan 26 to support planning of future systems development - Preventative: Transition to Sharepoint complete; R‑drive now a read-only repository, reducing risk of threats from outside the organisation. - Preventative: implement Cyber Security Plus controls | 5 | 2 | 10 | Static | Movement into Microsoft 365 deployment and cloud based systems continues to evolve and become embedded. Cyber Security Plus accreditation now in place and systems operating to those standards. Consideration given to effectiveness of shared services with LL&TNPA. Action to be taken on advisory audit and business continuity planning once advice is received. | - Development of the IT operational risk register has identified potential for structural improvement. These considerations to be developed further: action to be taken on advisory audit and business continuity planning once advice is received. - Cyber essentials accreditation achieved; audit towards essentials plus accreditation underway (11÷09÷24). - A review of IT staff role descriptions now completed; renewed focus on IT action plans will flow from that. - Work on the information management plan will produce greater resilience of data and access to key information when complete. | Ongoing | Cautious | 4 | 2 | 8 | David Cameron | 18/02/2026 |
| 10 | A22 | All | Technical | Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | - Preventative: Development of hybrid working methods and cloud computing approaches have improved the organisation’s resilience. - Remedial: develop updated business continuity plan and embed its provisions | 5 | 4 | 20 | Static | Advisory audit now commissioned. Outputs from this will plug into wider BCP. Consultancy on this will be tendered prior to year end. | - Preventative: proposed consultancy to develop new BCP | 31/03/2026 | Minimal | 3 | 1 | 5 | David Cameron | 18/02/2026 |
| 11 | - | All | Reputation | Reputational damage may result from: - Unrealistic expectations of what the Park Authority and its partners can achieve in the face of the significant risks presented by climate change, species extinction, flood management and fire; and/or - Disagreement between the Park Authority and stakeholder groups within the Park. - Disinformation circulated about the Park Authority’s actions | - Preventative: Existing strategic partnerships and stakeholder relationships help to create a wider understanding of the factors that are within, and those that are outside the control of the Park Authority and its partners. - Preventative: communications strategy development and implementation to ensure Park Authority’s messages and information are widely received and understood by appropriate audiences | 4 | 3 | 12 | Decreasing | Scoring reviewed following overview of NPPP delivery to be submitted to board in September,with likelihood decreased from 4 to 3. Stakeholder relationship database now designed and under development | - Preventative: Management of expectations through: - Targeted communications - Further development of stakeholder relationships. - Development/strengthening of strategic partnerships. - Ongoing assessment of operational risk management and mitigation in our communications. - Development of stakeholder relationship database - Clear positioning on the Park Authority’s role / level of involvement in significant issues | Ongoing | Open | 3 | 3 | 9 | Grant Moir | 17/10/2025 |
| 13 | - | All | Strategic delivery | The Park Authority does not adequately respond or adpat to changes in funding or policy environment at Scottish Government policy levels; from external funding sources; or in evolution of private finance investment. | - Preventative: allocate senior time to engagement with Scottish Government in policy discussion and development, identifying and responding to risk implications. - Preventative: proactively identify opportunities for private investment and structures to support their investment to complement and support NPPP and corporate objectives. - Preventative: prioritise time allocation to policy evolution, such as Public Service Reform | 3 | 4 | 12 | Static | Positive relationships developed at senior levels on engagement with the Park Authority and our financial requirements. Work progressing on development of a private finance framework. Need identified to begin planning for end of C2030 financing period and replacement of NLHF funding within the Park Authority’s resource mix. Senior staff are fully engaged at a leadership level in Public Service Reform and wider policy evolution | - Multi-year workforce management and financial forecasts established to guide actions - Finalise private finance framework | 31/03/2026 | Open | 2 | 2 | 4 | David Cameron | 18/02/2026 |
| 14 | - | All | Resources — staffing | The Park Authority’s workforce is not adequately flexible to respond to changing strategic priorities or to changing operational scale | - Preventative: workforce management strategy updated and regularly reviewed to take a 5+ year forward view. - Preventative: continued investment in training and development for staff supporting performance in current roles and succession / development plans. - Preventative: establish an appropriate mix of permanent and fixed term staff to allow for flexibility in future structures. - Remedial: retain scrutiny of all vacancies and identification of opportunities to adapt vacancies toward future needs. | 3 | 3 | 9 | Static | Workforce management strategy reviewed by board at business session, October 2025. This will now guide associated policy development work following full internal consultation. Mitigation actions progressing to plan. | - Consultation on workforce management strategy. - Development of organisational policies supporting delivery of workforce management objectives. | 31/12/26 31/12/26 | Cautious | 3 | 1 | 3 | David Cameron | 17/10/2025 |
| 15 | - | All | Systems development | NPPP delivery responsibilities are not sufficiently clear across the partnership and Park Authority is expected to address more than it is capable to deliver. | - Preventative: reinforce specific partner delivery responsibilities through performance management systems and reporting. - Preventative: reinforce NPPP delivery linkages through grant contract terms. | 3 | 4 | 12 | Static | NPPP Performance Management dashboard now complete. | - Partner engagement and clarity of responsibility to be addressed as aspect of development of 27 – 32 NPPP. | 31/12/26 | Open | 3 | 3 | 9 | Gavin Miles | 17/10/2025 |
| 16 | - | All | Technical | Evolution of the Park Authority’s range of activities and projects results in unidentified and unmitigated exposure to legal implications and associated liabilities | - Preventative: undertake risk analysis overview of 2025⁄26 operational plan to identify any delivery areas with potential exposure; develop and deliver mitigation action plan | 3 | 3 | 9 | Decreasing | Evidence that project initiation processes is working in drawing out potential legal implications of project plans. | - Monitor effectiveness of system and level of any issues arising. | TBC | Open | 3 | 2 | 6 | David Cameron | 17/10/2025 |
| 17 | - | Place | Strategic delivery | Uncertainties on finance, procurement, contractor capacity and partnership development combine to prevent achievement of key Cairngorms 2030 community transport infrastructure enhancements. | - Preventative: pressure on external funders to make decisions within necessary timetable - Preventative: revised procurement approach to simplify requirements and minimise perceived contractor risk - Preventative: establish over-arching agreements with partners | 4 | 3 | 12 | Decreasing | Progress over 2025 in managing these external risks to programme delivery has been generally successful with consequential declining risk profile. | - Ongoing contact with external funders to secure funding for 2026⁄27. - Development of memorandum of agreement with key local authority partner | Ongoing | Cautious | 2 | 3 | 6 | Gavin Miles | 18/02/2026 |
| 18 | - | All | Resources — staffing | Delivery opportunities and external funding offers are lost as a consequence of constraints on staffing levels imposed by public policy and workforce management | - Preventative: engage at senior levels with Scottish Government to ensure there is clarity in public policy with regard to workforce management actions and staffing levels underpinned by external and non-core income. - Preventative: ensure internal workforce management policy and management controls - Preventative: seek to move to a more dynamic and flexible staffing position allowing deployment of staff resource toward emerging priorities | 4 | 4 | 16 | Static | New risk identified by Executive Team January 2026 | - Preventative: Management Team Policy Day overview of programme status; evaluation of 2029 outcomes; identification of key actions and risk mitigations | March 2026 | Cautious | 2 | 2 | 4 | David Cameron | 18/02/2026 |