Paper 2 annex 5 Strategic risk register
Risk reference | Risk category | Risk description | Mitigation/controls in place | Comment | Planned actions | Paper 2 Annex 5 28 March 2025 —-| — -| — -| — -| — -| — -| — - 1 | Resources — financial | Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternative, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | Indicative allocations for 2025⁄26 financial year provide a good settlement sufficient to cover planned delivery against corporate plan objectives. Mitigation actions have supported positive risk management. Risk decreasing while recognisiing allocations remain subject to approval of Scottish budget, with residual risk around in year adjustments. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA. Remedial: scenario planning on forward budget modelling to prepare options for future resource allocations within final allocations, based on funding parameters suggested by sponsorship team. | 2 | Resources — financial | Risk of C2030 match funding not being secured — current match funding in bid not fully committed and/or for one year only in many areas. | Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA and importance of Peatland Restoration funding to inward investment by NLHF. Remedial: Discussions with Transport Scotland on funding for active travel design work. | Funding for 2024 – 25 Peatland Restoration has been secured at £3.5m. This provides a suitable level of match funding for the C2030 programme, in line with the programme’s 5‑year budget. Active transport funding now in place within wider Scottish Government / Transport Scotland financial plans. Mitigation actions supporting effective risk management, with declining risk while recognising proposals remain subject to approval of Scottish budget. | Preventative: focus over 2025 on match funding position and consequent impacts to ensure C2030 programme plans and financing of them fully aligned by end of year. Preventative: high profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate. Prevantative: consideration of new, wider match funding opportunities. | 3 | Resources — staffing | There are perceived gaps in our skill set with respect to: procurement processes, recruitment of technical staff, ability to undertake necessary due diligence on output from consultants and contractors. — Risks that procurement and wider skill set capacities are insufficient to meet the evolving needs of the organisation. — Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. — Financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards. | Preventative: Recruitment of Procurement Officer Preventative: Support secured from Scotland Excel (and from Central Government Procurement Shared Services (CGPSS) if required). Preventative: Consider delivery through partners with construction project delivery experience where appropriate to delivery objectives. | Recruitment to new Procurement Officer post achieved. Programme of improvement in procurement processes, procedures and controls underway, including establishment of new Procurement Strategy. Construction projects of the size anticipated within the C2030 programme are new to the organisation. We need to improve our knowledge of Construction Design Management Regulations (CDM) and contracts (NEC4). We lack experience in producing briefs and reviewing tenders of this size and type. Improvements in our skill set will also benefit: peatland restoration, river restoration, construction of paths, active travel projects. | Preventative: additional support from LL&TNPA requested Preventative: Options for training of wider staff group under investigation — supported by Scotland Excel. Remdial: procurement action plan developed from internal audit recommendations; reviewed monthly by Chair / Vice Chair of ARC. Target date for completion of key improvements 31.03.25 (extended from 31/12/24). SG budget controls may delay training until the first quarter of 2025⁄26. | 4 | Strategic delivery | The Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime. | Preventative: licencing arrangements contribute to more effective control framework. Tracker/satellite monitoring deployed for some raptors. Remedial: NPPP development processes used to explore partnership attitudes, engagement and powers. | Action on wildlife crime depends on the development, delivery and design of strategic partnerships. Financial constraints within the public and third sectors is likely to reduce the level of resource available to tackle this issue. | Remedial: Development/strengthening of strategic partnerships. | 5 | Resources — staffing | Increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured. Planning and other specialist staff (IT, procurement, finance) requirements impacted by national labour/skills shortages and/or salary structures not sufficiently competitive to attract or retain key staff. | Preventative: focus on training and development and internal succession planning, in turn bringing recruitment into less experienced/less highly skilled markets and developing pipeline of qualified staff Preventative: consideration given to job design, creating roles with more seniority (higher grades), and flexibility of offer regarding part-time/job share. | Evidence of reducing number of applicants and candidate lists for vacancies ongoing, while trend in unsuccessful recruitment exercises has been acted on with no recent unsuccessful recruitment. Successful recent recruitment in difficult sectors including procurement and planning.Salary structures reviewed with three year pay position now agreed. Risk declining toward acceptable risk appetite level. | Remedial: contingency planning for example around out-sourcing of aspects of delivery eg establish call-off framework for consult planning services. | 6 | Systems development | Supporting speed of organisational change prevents required development and embedding of effective support systems. The speed / scale of operational demand for support from corporate systems is such that we are always fire-fighting and giving the best advice and support we can. However, that ongoing fire-fighting and immediate advice prevents us having sufficient time to design, develop and implement new systems to better suit the new organisation. | Remedial: recruitment of additional staff to corporate function during 22⁄23 and 23⁄24. Remedial: project management training provided Remedial: development of improved systems/ways of working through better use of M365 applications Remedial: Implement new finance system to support wider digitisation of systems and effective financial reporting. Preventative: design and implement project initiation controls supporting more managed timelines and fuller, earlier consideration of project plans. | Assessment of the impact of new/additional activities on corporate systems and resources should be part of the initial considerations of these activities. Staff recruitmet has been seccessfully completed. Key work on improving organisational internal control systems and digitisation of systems is progressing well. New finance system implementation is underway. | Remedial: apply resource to development of improved systems/ways of working — new finance system due to be installed by 31/03/25; new project initiation control under development Remedial: provide training — procurement and in wider assessment of project impacts at initiation stage. Remedial: finalisation and roll-out of project initiation guidance, including assessment of any new legal implications arising from project delivery intentions. | 9 | Technical | CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. Use of Al increases risk of cyber security threats such as spear-phishing. | Preventative: Daily review of Scottish Cyber Coordination Centre threat summaries, with follow up action taken (eg patching) as appropriate. Preventative/remedial: Collaboration with LL&TNPA provides support. Preventative: Transition to Sharepoint complete; R‑drive now a read-only repository, reducing risk of threats from outside the organisation. Preventative: implement Cyber Security Plus controls | Internal audit report on IT Strategy sets out key actions in this area of risk management around IT Strategy development, project management and costing of IT action plans to be implemented. Movement into Microsoft 365 deployment and cloud based systems continues. Cyber Security Plus accreditation now in place and systems operating to those standards. Consideration given to effectiveness of shared services with LL&TNPA. | Development of the IT operational risk register has identified potential for structural improvement. These considerations to be developed further (potential for external consultancy to develop our IT strategy organisational development, technical improvements and upskilling). Cyber essentials accreditation achieved; audit towards essentials plus accreditation underway (11÷09÷24). A review of IT staff role descriptions now completed; renewed focus on IT action plans will flow from that. Work on the information management plan will produce greater resilience of data and access to key information when complete. | 10 | Technical | Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | Preventative: Development of hybrid working methods and cloud computing approaches have improved the organisation’s resilience. Remedial: develop updated business continuity plan and embed its provisions | Work on BCP assisted in roll out of initial and ongoing responses to Coronavirus pandemic. Now that hybrid working arrangements are embedded, there is a need to reconsider BCP. | Preventative: proposed consultancy to develop new BCP | 11 | Reputation | Reputational damage may result from: — Unrealistic expectations of what the Park Authority and its partners can achieve in the face of the significant risks presented by climate change, species extinction, flood management and fire; and/or — Disagreement between the Park Authority and stakeholder groups within the Park. — Disinformation circulated about the Park Authority’s actions | Preventative: Existing strategic partnerships and stakeholder relationships help to create a wider understanding of the factors that are within, and those that are outside the control of the Park Authority and its partners. Preventative: communications strategy development and implementation to ensure Park Authority’s messages and information are widely received and understood by appropriate audiences. | Scoring reviewed following overview of NPPP delivery submitted to board in September, with likelihood decreased from 4 to 3. Stakeholder relationship database now designed and under development | Preventative: Management of expectations through: Targeted communications Further development of stakeholder relationships. Development/strengthening of strategic partnerships. Ongoing assessment of operational risk management and mitigation in our communications. Development of stakeholder relationship database Remedial: Media monitoring and remedial actions | 13 | Resources — financial | The Park Authority does not adequately respond or adpat to changes in funding environment at Scottish Government policy levels or in evolution of private finance investment. | Preventative: allocate senior time to engagement with Scottish Government in policy discussion and development, identifying and responding to risk implications. Preventative: proactively identify opportunities for private investment and structures to support their investment to complement and support NPPP and corporate objectives. | New — from horizon scanning | For development | 14 | Resources — staffing | The Park Authority’s workforce is not adequately flexible to respond to changing strategic priorities or to changing operational scale | Preventative: workforce management strategy updated and regularly reviewed to take a 5+ year forward view. Preventative: continued investment in training and development for staff supporting performance in current roles and succession / development plans. Preventative: establish an appropriate mix of permanent and fixed term staff to allow for flexibility in future structures. Remedial: retain scrutiny of all vacancies and identification of opportunities to adapt vacancies toward future needs. | New — from horizon scanning | For development | 15 | Systems development | NPPP delivery responsibilities are not sufficiently clear across the partnership and Park Authority is expected to address more than it is capable to deliver. | Preventative: reinforce specific partner delivery responsibilities through performance management systems and reporting. Preventative: reinforce NPPP delivery linkages through grant contract terms. | New — from horizon scanning | For development | 16 | Technical | Evolution of the Park Authority’s range of activities and projects results in unidentified and unmitigated exposure to legal implications and associated liabilities | Preventative: undertake risk analysis overview of 2025⁄26 operational plan to identify any delivery areas with potential exposure; develop and deliver mitigation action plan | New — from horizon scanning | For development |