CAIRNGORMS NATIONAL PARK AUTHORITY
Audit Committee Paper 2 24/03/05

FOR DECISION

Title: STRATEGIC RISK REGISTER AND RISK MANAGEMENT STRATEGY
Prepared by: DAVID CAMERON, HEAD OF CORPORATE SERVICES

Purpose
To present a proposed Strategic Risk Register and Risk Management Strategy for consideration by the Committee.

Recommendations
The Committee is asked to:
• Approve the proposed Strategic Risk Register as set out in Appendix 1 to the paper.
• Approve the proposed Risk Management Strategy as set out in paragraph 13 of the paper.

Executive Summary
A risk management workshop identified a total of 77 strategic risks which could potentially affect the organisation’s ability to achieve its strategic objectives over its forthcoming Corporate Planning period, April 2005 to March 2008. The risks identified were appraised on the basis of both their likelihood of occurrence and their impact were they to occur. The schedule of risks considered at the workshop now effectively comprises the Authority’s Strategic Risk Register. This paper puts forward a proposed Risk Management Strategy and associated risk management processes which seek to recognise the risks to achievement of the Authority’s objectives and to act on them in an appropriate manner.

STRATEGIC RISK REGISTER AND RISK MANAGEMENT STRATEGY

Background
1. The Committee received a report on progress toward development of the Authority’s Risk Register and Risk Management Strategy at its meeting in December 2004. That report noted the Turnbull Committee guidance, which extends the requirement on organisations to set out in their annual accounts a statement covering all controls, including the management of risk.
2.
The Committee also noted that the Financial Memorandum requires the Authority to develop a risk management strategy, while the Management Statement requires the Chief Executive, as the Accountable Officer, to ensure that a system of risk management is embedded in the organisation, to inform decisions on financial and operational planning and to assist in achieving objectives and targets.
3. The Committee agreed that a proposed Risk Management Strategy would be submitted to its next meeting, following Deloitte’s submission of the full information generated at the workshop to the Head of Corporate Services and the Management Team’s consideration of the draft risk register.

Risk Register
4. A risk management workshop identifying and appraising the strategic risks faced by the Authority was held on 18 November 2004. It was attended by the Chair of the Board’s Audit Committee and 6 members of the Authority’s Management Team, and was facilitated by the internal auditors, Deloitte.
5. The workshop considered a total of 77 strategic risks, proposed at and prior to the workshop, which could potentially affect the organisation’s ability to achieve its strategic objectives over its forthcoming Corporate Planning period, April 2005 to March 2008. The risks identified were appraised by all seven attendees on the basis of both their likelihood of occurrence and their impact were they to occur, each on a five-point scale (1 = low, 5 = high). Average scores for both criteria were established, and the product of these two averages gives the total risk assessment score.
6. The schedule of risks considered at the workshop now effectively comprises the Authority’s Strategic Risk Register. The full Risk Register is reproduced at Appendix One to this report, ordered by total risk assessment score.

Recommendation
7. The Committee is requested to approve the adoption of the Strategic Risk Register as set out in Appendix One to this report.

Risk Management
8.
The management of risk in an organisation is influenced by a number of factors, including:
a. Assessed magnitude of risk to the organisation: how likely is the identified risk to occur and, were it to occur, how great would the impact on the organisation be?
b. Attitude to risk management, or appetite for risk: what is an acceptable level of risk?
c. Risk management processes: what procedures are required to manage risks within the organisation once they have been identified, evaluated and considered in light of the Authority’s attitude to risk?
d. Existence of acceptable / adequate internal controls and reporting structures: is there reasonable capacity for certain risks to be accepted and / or monitored, rather than actively managed, on the basis that these risks crystallising would be detected and reported on through existing structures?
e. Integration of risk management with planning and monitoring processes: to what extent can risk management processes be embedded within existing corporate and operational planning and monitoring processes?
9. Decisions taken on the above questions will determine the manner in which the Authority responds to the risks identified in its Risk Register.

Assessment of Risk Magnitude
10. Question 8.a above, regarding the assessment of the magnitude of risk faced by the organisation, has been dealt with in part through the consideration of strategic risks and the establishment of a risk register. In undertaking the risk management workshop outlined above, progress has already been made in assessing the magnitude of the risks faced by the Authority.

Attitude to Risk / Appetite for Risk
11. With some 77 strategic risks identified, resources are likely to become overly stretched if action were taken to control risks in all the areas identified. Moreover, the assessed magnitude of many of these risks may not warrant any further attention or investment of resources.
12.
In determining the Authority’s response to the risks identified, there is a need to agree thresholds above which risks require proactive management and below which a process of monitoring may be more suitable. There may also be a “floor” of assessed magnitude below which a risk may be accepted as an element of operations without need for further action or monitoring.

Recommendation
13. The following risk management strategy is recommended for adoption by the Authority.
a. All identified risks with both an assessed likelihood of occurrence and an assessed impact in excess of “medium” (a score of 3.25 or higher on both criteria) should be subject to active management in order to reduce one or both of these variables.
b. Where either the likelihood or the impact of a risk is assessed with a score of 3.25 or higher, the risk area should be subject to ongoing monitoring and regular reporting, in order to ensure that the areas of concern associated with the risk do not appear to be occurring and / or that the potential impact remains as assessed.
c. Where both likelihood of occurrence and potential impact are classified as medium or below, it is proposed that the Authority accepts the associated risks at this stage.
14. At present, some 19 risk areas would fall within the above definition of risks requiring proactive management and action planning. A further 36 areas of risk would require ongoing monitoring of the associated situation, leaving 22 identified “acceptable” risks requiring no further action or monitoring at this stage.
15. The associated risk map is depicted in the graph included at Appendix Two to this report. Risks falling into the top right quadrant of this chart are those which would require proactive management and action planning. Risks in the top left and bottom right areas will require ongoing monitoring, while those falling into the bottom left require no action under the proposed attitude to risk management.
Risk Management Processes
16. Generally, where a significant risk is deemed to exist, an organisation will identify an officer responsible for managing the risk. This responsible officer will typically be the member of staff whose responsibilities are most closely associated with the risk area in question. The responsible officer should prepare an action plan to address the risk identified and report regularly on progress.
17. Where a potential risk exists but only one element of its impact or likelihood is assessed as high or significant, the response may again be to identify a responsible officer, who will be charged with monitoring the risk area identified, without necessarily taking remedial action, in order to ensure that the magnitude of the risk does not increase and to provide early warning should the risk be assessed to have increased. A report of monitoring activity is also likely to be required at predetermined intervals.

Existing Internal Controls
18. As a consequence primarily of the relative “youth” of the organisation, the existing internal control framework is relatively untested. The internal auditors are only just starting their work programme, although the external auditors have undertaken two specific audit assignments. The Authority’s monitoring and control procedures are also still at a developmental stage rather than in a steady state.
19. As such, it is somewhat difficult to set a risk appetite (i.e. the area of risk which the organisation is content to accept without specific management or monitoring, and which can be expected to be controlled to some degree by existing control arrangements) which is much higher than that suggested above.

Integration within Robust Monitoring and Reporting Procedures
20. Although the Corporate and Operational Planning processes are themselves currently subject to some refinement, it appears appropriate to integrate risk management controls and reporting within these processes rather than to develop specific procedures.
Indeed, as one of the objectives arising from the Turnbull Committee recommendations is to embed risk management processes within an organisation, existing rather than bespoke planning tools should be used to deal with risk management wherever possible.
21. The Operational Plan for 2005/06 has therefore been designed to identify the risks subject to active management and to monitoring alongside the organisational goals, actions and tasks which may be affected by each risk. Members of staff identified as leading on a particular task will also, typically, be responsible for managing the organisation’s responses to the strategic risks linked to achievement of that task.
22. Where a risk requires active management, there may be a need to introduce specific tasks into the Operational Plan to deal with risk mitigation.

Conclusion and Future Action: Risk Management Strategy
23. The proposed risk management strategy is therefore that set out in paragraph 13. This encompasses the identification and assessment of risk and the appetite for risk within the Authority.
24. Where active management to reduce or remove a risk to the achievement of the Authority’s objectives is required, tasks should be identified in the Authority’s Operational Plan. Progress will hence be monitored along with other Operational Plan activities.
25. The Strategic Risk Register itself should be reviewed annually along with the Corporate Plan.
26. Once approved by the Management Team, the final Risk Register and Risk Management Strategy will be put forward to the Board’s Audit Committee.
27. Embedding risk management practice within the organisation has the potential to move beyond the evaluation and consequent management of risks threatening achievement of organisational objectives to a focus on performance improvement.
Rather than focusing on managing identified risks, the orientation should be toward meeting identified objectives and managing the internal and environmental variables which may influence target outcomes.

David Cameron
14 March 2005
davidcameron@cairngorms.co.uk