CAIRNGORMS NATIONAL PARK AUTHORITY
Audit Committee Paper 2 17/12/04

Title: RISK MANAGEMENT STRATEGY

Prepared by: DAVID CAMERON, HEAD of CORPORATE SERVICES

Purpose

To update the Committee on progress on development of the Authority’s Risk Register and Risk Management Strategy.

Recommendations

The Committee is asked to:

1. note that a risk management workshop was held in November, and that a range of strategic risks were identified in pursuance of the Authority’s requirement to adopt a risk register and develop a risk management strategy;
2. note that the Management Team will receive a future report on the Authority’s risk register, following receipt of the final report and underpinning information from Deloitte and further development of the information generated by the workshop by the Head of Corporate Services;
3. agree the Risk Management strategy will be submitted to its next meeting for consideration.

Executive Summary

In line with the Scottish Executive’s principle that best practice in the private sector should be reflected in the public sector, the CNPA’s Financial Memorandum requires the Authority to develop a risk management strategy.

A risk management workshop was held on 12 November, including the Chair of the Committee and members of the Authority’s Management Team. This was facilitated by representatives of the internal auditors, Deloitte. Following receipt of the final report and underpinning data from that exercise, the Management Team will determine a final risk register.
The next step will be to develop an appropriate risk management strategy and response plan and to identify appropriate responsible officers for management of risks. The strategy will also determine the ongoing reporting framework for risk management processes.

RISK MANAGEMENT STRATEGY

Background

1. In September 1999, the Institute of Chartered Accountants in England and Wales published the report of the Turnbull Committee, “Internal Control: Guidance for Directors on the Combined Code”. This extended the requirement on organisations to provide a statement on their financial controls in their annual accounts to set out a statement covering all controls, including financial, operational, compliance and the management of risk.

2. In line with the Scottish Executive’s principle that best practice in the private sector should be reflected in the public sector, the CNPA’s Financial Memorandum requires the Authority to develop a risk management strategy. The Management Statement also requires the Chief Executive, as the Accountable Officer, to ensure that a system of risk management is embedded in the organisation, to inform decisions on financial and operational planning and to assist in achieving objectives and targets. The requirement to establish a risk register and risk management policy was highlighted by the external auditor, Bob Clark, at the Committee’s previous meeting.

3. In developing a risk management strategy, the Authority needs to consider not only its financial performance and controls, but also risks to its strategies, service objectives and reputation.

Identification of Risks and Establishment of a Risk Register

4. A risk management workshop was held on 12 November, including the Chair of the Committee and members of the Authority’s Management Team. This was facilitated by representatives of the internal auditors, Deloitte.
The aim of the workshop was to identify strategic risks faced by the Authority and to prioritise these in terms of both their impact on policy and achievement of goals if the risk in question materialised and on their likelihood of actual occurrence.

5. The outcome of the process was a prioritised risk register comprising over 70 potential areas of risk to the authority. These risks had been originally identified from within the Authority and are therefore specific to the CNPA’s current circumstances and policy objectives, rather than comprising a set of generic business risks.

6. At the time of writing, the final report and underpinning analysis from the workshop were still to be submitted by Deloitte. Once received, the next stage in the process will be for the Head of Corporate Services to present a report on the findings to the Management Team in order to:

• Allow for final review of the risks and their priority, and in particular to make a final determination of the relative priority of those risks where there was a range of views expressed in terms of likely impact and likelihood;
• Agree a final risk register for adoption.

Recommendations

7. That the Committee notes that a risk management workshop was held in November and a range of strategic risks identified in pursuance of the Authority’s requirement to adopt a risk register and develop a risk management strategy.

8. That the Committee notes that the Management Team will receive a future report on the Authority’s risk register, following receipt of the final report and underpinning information from Deloitte and development of the information by the Head of Corporate Services.

Risk Management Strategy

9. Following adoption of a strategic risk register, a risk management strategy will be required to set out the means by which risks identified will be addressed.

10. The process of risk management is not one of encouraging risk avoidance.
Rather, there is a requirement to identify the most appropriate response for each risk. Typically, for high priority areas of risk, this may be proactive management of situations to eliminate or reduce the potential impact of the risk and/or its likelihood of occurrence. For “medium” priority areas, identification of controls, monitoring of effectiveness and establishment of any potential “early warning indicators” may be adequate. For both these areas, identification of a responsible officer for risk management and reporting will be required. For low priority areas, there may be a risk management “acceptance” strategy, whereby risks have been identified, given low priority in terms of impact and occurrence and therefore accepted as being possible but not warranting resources being directed to their control.

Future Action

11. Once the risk register has been agreed, an appropriate risk management strategy and response plan will be developed and submitted to the Committee for consideration. The risk management strategy will provide the basis for the identification of appropriate responsible officers for management of risks, where those risks are deemed to be of a significance requiring active management or monitoring. The strategy will also determine the ongoing reporting framework for risk management processes.

12. Risk management processes are a relatively adaptable tool and may also be incorporated in the future to widen the scope of risk management from consideration of business risks to other areas such as environmental or economic risk factors within the Park. In embedding risk management processes throughout the organisation, risk management techniques may also be incorporated into the early stages of planning project delivery, particularly where projects are sizable in terms of expenditure and/or complex in their delivery.

Recommendations

13. That the Committee agrees the Risk Management strategy will be submitted to its next meeting for consideration.

David Cameron
7 December 2004
davidcameron@cairngorms.co.uk