
Good practice in risk management

REPORT BY THE COMPTROLLER AND AUDITOR GENERAL
8 June 2011


BELFAST: The Stationery Office £5.00

Report by the Comptroller and Auditor General for Northern Ireland

Good practice in risk management


This report has been prepared under Article 8 of the Audit (Northern Ireland) Order 1987 for presentation to the Northern Ireland Assembly in accordance with Article 11 of that Order.

KJ Donnelly, Comptroller and Auditor General, Northern Ireland Audit Office, 8 June 2011

The Comptroller and Auditor General is the head of the Northern Ireland Audit Office employing some 145 staff. He and the Northern Ireland Audit Office are totally independent of Government. He certifies the accounts of all Government Departments and a wide range of other public sector bodies; and he has statutory authority to report to the Assembly on the economy, efficiency and effectiveness with which departments and other bodies have used their resources.

For further information about the Northern Ireland Audit Office please contact:

Northern Ireland Audit Office, 106 University Street, BELFAST BT7 1EU

Tel: 028 9025 1100; email: [email protected]; website: www.niauditoffice.gov.uk

© Northern Ireland Audit Office 2011


Contents

Part one Introduction

Part two Risk management framework

Part three Risk management process

Part four Accountability

Appendices

Appendix 1 Risk management checklist

Appendix 2 Participants

Appendix 3 HM Treasury – Key questions for an audit committee to ask

Appendix 4 Extract from DHSSPS communications plan

Appendix 5 Categories of risk

Appendix 6 Department for Regional Development – Risk checklist

Appendix 7 Department of Education – Assessment categories for impact and likelihood

Appendix 8 Model of risk appetite

Appendix 9 Strategic Investment Board – Fraud risk assessment

Appendix 10 OFMDFM stewardship statements pro forma


Glossary

Horizon scanning: the technique used to identify risks by a systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning

Inherent risk: the exposure arising from a specific risk before any action is taken to manage it

Residual risk: the exposure arising from a specific risk after action has been taken to manage it and assuming that the action taken has been effective

Risk appetite: the extent of exposure to risk that has been assessed as tolerable for an organisation or business activity

Risk register: captures, maintains and monitors information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk


Abbreviations

ALB Arm's Length Body

BAFO Best and Final Offer

CE Chief Executive

CGAC Corporate Governance Audit Committee

DARD Department of Agriculture and Rural Development

DE Department of Education

DFP Department of Finance and Personnel

ELB Education and Library Board

EU European Union

IT Information Technology

MEMR Monthly Expenditure and Monitoring Report

NAO National Audit Office

NDPB Non-departmental Public Body

NIAO Northern Ireland Audit Office

NICS Northern Ireland Civil Service

OFMDFM Office of First Minister and Deputy First Minister

OGC Office of Government Commerce

PDP Personal Development Plan

PPA Personal Performance Assessment

PSA Public Service Agreement

RRG Risk Review Group

Part One: Introduction

1.1 Risk management is a highly topical issue for all government departments and their sponsored bodies and has a vital role to play in promoting and securing value for money in the use of public funds.

1.2 As a result of recent public spending cuts announced by Westminster, public bodies face greater challenges in managing risk. The cuts announced by the Chancellor of the Exchequer in the National Spending Review in October 2010 will result in a reduction of 8 per cent in the Northern Ireland Executive's delegated current expenditure limits by 2014-15. The delegated expenditure limit for capital investment available to the Northern Ireland Executive will reduce by 40.1 per cent in real terms by 2014-15. It is essential, therefore, that public bodies adopt and embrace an innovative approach to managing risk to assist in the delivery of better, more cost effective public services.

1.3 There is currently a great deal of risk management guidance available, the essence of which is broadly similar. The purpose of this publication is to provide a best practice guide tailored to the experiences and needs of public sector bodies in Northern Ireland. The report reflects on local case study examples to illustrate how well risk is being handled in practice and to identify better and more innovative ways of managing risk.

1.4 In producing this report, we developed a risk management checklist (see Appendix 1), designed as a tool to enable public bodies to self assess their capability and capacity to manage risk. However, as a one-off exercise, we completed the checklist with all of the Northern Ireland Civil Service (NICS) departments and a number of Arm's Length Bodies (see Appendix 2 for a full list). This exercise facilitated the identification of good practice in the application of risk management principles. This report examines good practice in the context of:

• the risk management framework (Part Two);

• the risk management process (Part Three); and

• accountability (Part Four).

1.5 Overall, we found that the departments had developed a strong awareness of risk and had made genuine efforts to develop and embed an effective risk management strategy. Traditionally, public sector bodies display many of the characteristics associated with a highly risk averse culture; however, best practice guidance on risk management emphasises that the consequences of risk can be positive or negative. Well managed risk taking can produce benefits for the organisation in terms of opportunities, but equally can present threats that ultimately may impact on an organisation's ability to meet its strategic objectives. Risk management is an important aspect of good governance and is a useful tool in contributing to the achievement of outcomes and ensuring that public bodies meet their objectives, as the following Case Study illustrates.


Case Study 1 Department of Education – Managing risk to achieve outcomes

Following substantial overspends in 2003-04 and 2004-05 by two Education and Library Boards (ELBs), the Department of Education (DE) introduced a series of measures to ensure tighter financial monitoring and control with the aim of preventing recurrence. This included the introduction of:

• a revised Monthly Expenditure and Monitoring Report (MEMR) to provide more relevant and detailed information;

• a signed assurance statement from the Chief Executive as to the accuracy of the information provided and a commitment to remain within budget;

• monthly meetings with each Chief Finance Officer to discuss in detail the information on the MEMR and reduce the risk of under/overspend at the year end;

• reconciliation and review of details provided in the MEMRs with details held in DE to reduce the risk of errors in figures being used by ELBs and DE; and

• keeping the DE Board informed to aid better decision making.

Following the implementation of these measures, the ELBs have remained within budget since 2004-05.

Source: Department of Education

Case Study 2 The Fermanagh Flooding – Managing risk to achieve outcomes

During the course of late October and November 2009, County Fermanagh experienced unprecedented levels of rainfall. The area was subject to widespread flooding, leading to significant disruption to life in the county at both individual and community level. The Northern Ireland Executive decided, at its meeting on 3 December 2009, that a Flooding Taskforce should be established to investigate the causes of the flooding, identify lessons learned and consider measures required to mitigate the impact of any future flooding. This cross-departmental Taskforce gathered evidence from members of the public in the affected areas, business people, local representatives and stakeholder organisations. The Taskforce also took full account of the issues identified by a Review of the Flood Response conducted by the Rivers Agency, Department of Agriculture & Rural Development.


Following detailed examination of all the evidence the Taskforce presented a number of recommendations to the Northern Ireland Executive on 22 July 2010. These included:

• conducting an in-depth review of the Management of the Operating Regime for the Erne System;

• undertaking a programme of road improvement works;

• conducting a feasibility study to consider options for a flood alleviation scheme;

• undertaking a programme of work to improve the level of protection from flood risk;

• maintaining and further developing emergency planning arrangements and networks;

• ensuring that robust contingency arrangements are in place for the provision of essential services to the local community; and

• developing an education and public awareness programme to inform the local community about flooding in the Fermanagh area and how to deal with it.

The recommendations outlined above were approved by the Northern Ireland Executive on 22 July 2010 and the Office of First Minister and Deputy First Minister advised us that considerable progress has since been made on their implementation.

Rainfall levels in County Fermanagh have not since reached the unprecedented levels experienced in November 2009, and the measures outlined above have not, therefore, been tested in a live environment. However, if these control measures prove to be effective, this case demonstrates the principles of effective risk management. As a result, any adverse impact on the community on the scale of that experienced in November 2009 should be averted.

Source: Department of Agriculture and Rural Development

Part Two: Risk management framework

Risk management function

2.1 The structure of an organisation's risk management function will vary according to its size, nature and resource constraints. The risk management function may range from a single individual risk champion or manager to a whole risk management department. Figure 1 provides a summary of the roles and responsibilities that may be delegated to, and coordinated by, the risk management function.

Figure 1 – Risk management function: roles and responsibilities

The risk management function:

• provides regular updates and communication on risk management issues;

• provides guidance and advice to staff;

• produces the risk management strategy;

• maintains risk registers;

• provides risk management training to staff; and

• monitors the content of registers and the status of actions.

Good Practice – Forums for exchanging knowledge and working practices

HM Treasury currently runs a risk improvement group that meets twice a year. This provides a good networking opportunity and enables attendees to meet experts in the field. Guest speakers are invited to attend the meetings and share experiences including case studies and guidance. The forum plays a useful role in spreading and embedding good practice.


Leadership

2.2 In public bodies the Accounting Officer has responsibility for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, whilst safeguarding the public funds and departmental assets. This involves putting a system in place to ensure that all business areas identify the key risks to the achievement of the organisation's objectives. The Accounting Officer must report annually on the organisation's system of internal control in the Statement on Internal Control. The statement should highlight any key internal control issues that have been encountered throughout that year.

2.3 Strong leadership and clear ownership at Accounting Officer level is essential in embedding an organisational risk management culture. An organisation's risk management strategy should outline clearly the roles and responsibilities for risk management, including that of the Accounting Officer.

2.4 In addition, the corporate governance framework of public sector bodies will include a Board, an Audit Committee and an internal audit service, all of which will assume some responsibility for seeking and providing assurance in relation to risk management. The management of risk, however, always remains an executive responsibility.

2.5 According to HM Treasury guidance, "the Board should ensure that effective risk management arrangements are in place to provide assurance on risk management, governance and internal control".[1] Depending on an organisation's circumstances it may choose to establish a separate risk committee. However, frequently the role of the Audit Committee will be extended to include seeking assurances in relation to risk management. For this reason the Audit Committee is sometimes referred to as the Audit and Risk Committee. The Audit Committee will support the Board and the Accounting Officer by gathering assurance and providing advice to the Board on risk management, governance and control issues. HM Treasury guidance reflects that, "the Audit Committee is charged with ensuring that the Board and Accounting Officer of the organisation gain the assurance they need on risk management, governance and internal control".[2] The guidance provides a list of questions that an Audit Committee may wish to ask in seeking assurance on risk management issues (Appendix 3). It is essential, however, that audit committees maintain their independence and do not become operationally involved in risk management.

2.6 Internal Audit should adopt a risk based approach to planning its programme of work which will refer to organisational risk registers to identify topics for review. In addition to individual audit reports, Internal Audit provides an independent opinion on the overall adequacy and effectiveness of the framework of governance, risk management and internal control which should support and inform the Accounting Officer's Statement on Internal Control.

[1] HM Treasury guidance – Corporate governance in central government departments: Code of Good Practice.
[2] HM Treasury – Audit Committee Handbook.


Figure 2 – Risk management in practice: roles and responsibilities

Accounting Officer

• Retains ultimate responsibility for the organisation's system of internal control and ensures that an effective risk management process is in place and is regularly reviewed
• Provides clear direction to staff
• Establishes, promotes and embeds an organisational risk culture
• Reports to the Board and the Audit Committee

Board

• Establishes and oversees risk management procedures
• Endorses the risk management strategy/policies
• Ensures appropriate monitoring and management of significant risks by management
• Challenges risk management to ensure that all key risks have been identified
• Is aware of any instances where risks are realised

Audit (& Risk) Committee

• Reports to the Board on the effectiveness of the system of internal control and alerts the Board members to any emerging issues
• Endorses the organisation's risk management strategy/policies
• Takes responsibility for the oversight of the risk management process
• Reviews risk registers to provide challenge and advice (not in an executive capacity)

Senior Management

• Acts on behalf of the Board and will:
    • determine the organisation's approach to risk management
    • implement policies on risk management and internal control
    • discuss and approve issues that significantly affect the organisation's risk profile or exposure
    • continually monitor the identification and management of significant risks and ensure that actions to remedy control weakness are implemented
    • report changes in risk assessment to the Board on an exception basis
    • annually review the organisation's approach to risk management and approve changes or improvements to key elements of its processes and procedures
    • report to the Audit Committee and to the Board on risk management matters
• Provides subsidiary management/internal control statements to the Accounting Officer

Risk Owner

• Identifies and assesses individual risks
• Decides whether a risk is sufficiently serious to be escalated to the next level of the organisation
• Ensures that actions to treat or control the risk are carried out and informs the risk manager of any consequent updates to the risk register
• Reviews the risk rating and the necessity to keep the risk on the register


Risk management strategy and policies

2.7 Public bodies should document formally their approach to risk management in a risk management strategy. This will assist the Accounting Officer, the Board and the senior management team in promoting and embedding risk management in the culture of the organisation. The risk management strategy will usually be published in a separate document but may be integrated with established policies for departmental business activities. Regardless of how organisations choose to present their risk management strategy, there are a number of key issues that should be addressed.

1. The strategy should outline the organisation's approach to risk management and should define its risk appetite.

2. The roles and responsibilities for the management and ownership of risk should be documented to ensure that all staff have a clear understanding of their remit.

3. The risk management process adopted by the organisation should be clearly outlined in the strategy.

4. The strategy should define how risks will be evaluated or ranked. This should assist in identifying key risks.

5. Risk registers should be regularly reviewed and this process should be identified in the strategy.

6. The process for monitoring and reviewing risk management procedures should be documented.

7. The process by which the Accounting Officer satisfies himself/herself that there is an adequate system of internal control in place should be outlined in the strategy.

Figure 2 (continued) – Risk management in practice: roles and responsibilities

Risk Management Function (e.g. risk champion/manager/co-ordinator/department)

• Maintains the risk register under the direction of risk owners and updates or amends the risk register as necessary
• Regularly reviews the content of risk registers with a view to ensuring that risk actions are being completed and that all details on the risk register are correct

Staff

• Carry out risk actions identified and delegated by the risk owners
• Maintain awareness of the organisation's risk management strategy and the key risks faced by the organisation
• Ensure that duties relating to controls are carried out

Internal Audit

• Provides independent opinion on the overall adequacy and effectiveness of the organisation's framework of governance, risk management and internal control to the Accounting Officer (and Audit Committee)


2.8 The risk management strategy is a key document which should underpin the organisation's risk management culture. It is essential, therefore, that it is endorsed by the Accounting Officer, the Board and the Audit Committee given their respective roles and responsibilities in relation to risk management.

Good Practice – Risk management guidance

In addition to its risk management strategy, the Department of Justice has produced 'a practical guide' to risk management which aims to assist staff in interpreting the guidance and addresses common issues. The Department informed us that this document is made available to all staff and supplements any training provided. The guide is user friendly and would be of particular benefit to those staff who may not have direct responsibility for risk management, but need to be aware of the key concepts.

Communicating the risk management strategy

2.9 Once the risk management strategy has been approved by the Board (any subsequent updates should also be approved by the Board) it is essential that the document is publicised throughout the organisation and made available to all staff. This can involve holding training sessions tailored to the needs of different levels of staff throughout the organisation, sending out updates by email and publishing the document on the organisation's intranet. One of the key ways of gaining staff buy-in is for senior management to promote the importance of risk management. This might involve senior management facilitating staff meetings and delivering risk awareness sessions to staff.

Good Practice – Embedding risk management

Embedding effective risk management processes across the Department for Social Development and its sponsored bodies is a continuous process rather than a one-off annual exercise. It has involved looking below the surface of policies and procedures to identify what is actually happening on the ground. Taking on board the principle that this affects a wide range of people, the Department has adopted an all inclusive process driven by the Board and the Audit Committee. People are engaged continually through ongoing support and challenge by a dedicated team of staff. Recognising the benefits that a separate set of views can bring, a peer review process has been used to obtain an external perspective on risk management arrangements. To ensure continual refreshment of the process, managers from across the Department and its sponsored bodies have been brought together for a series of externally facilitated workshops to provide time for reflection, an opportunity to challenge each others' thinking and to assess the adequacy of current risk management arrangements in the context of identified good practice outside the NICS. The workshops provided a forum for sharing knowledge and experience and the output informed the ongoing review of the Department's risk management strategy. This included the involvement of staff in the development of definitions to help build consistency in the risk assessment process which has helped to keep risk management at the forefront of decision-making.

Source: Department for Social Development

Contingency and business continuity plans

2.10 It is essential that public services can be maintained in the event of a disaster. Contingency planning is therefore vital in ensuring that the negative impact associated with risks occurring is managed and that there is minimal interruption to service delivery. Contingency plans should be put in place and regularly reviewed and tested to ensure that they provide adequate cover in the event of a disaster.

2.11 Due to the nature of the public sector, the services it provides, and the way in which it is funded, public bodies must manage reputational risk. Risk cannot, however, be eliminated entirely and there will always be a residual risk to the reputation of an organisation in the event of a risk maturing. In order to minimise the potential impact that this may have, public bodies should ensure that they are well equipped to deal with the event. This involves developing a communications strategy and providing training to relevant staff on its application.

2.12 We asked departments to comment on and provide a copy of their communications strategy. A significant number of the public bodies we reviewed referred us to their risk management strategy which did not, in our view, deal adequately with external communications. The Department of Health, Social Services and Public Safety has developed a communications plan as an annex to its business continuity plan which focuses on the external aspects of communication. The plan identifies a list of questions for consideration when devising a communications strategy in response to an event that may impact adversely on the organisation and a summary of the key steps that should be applied. An extract from the plan is provided at Appendix 4.

Arm's length bodies

2.13 Risk management is an important aspect in the governance of arm's length bodies (ALBs). HM Treasury guidance indicates that effective risk management needs to give full consideration to the context in which the department functions and to the risk priorities of partner organisations. For example, departments delegate aspects of service delivery to ALBs. If ALBs fail to manage these delegated risks appropriately this could impact on the department's achievement of objectives. In addition, any reputational risk faced by an ALB can also impact on the reputation of the sponsoring department. It is essential, therefore, that departments seek assurances that their ALBs are managing risk at an acceptable level. Managing Public Money Northern Ireland states that 'the Accounting Officer of a department which sponsors an ALB should make arrangements to satisfy himself/herself that the Accounting Officer is carrying out his/her responsibilities'.

2.14 The approach adopted by departments will be influenced by the number of ALBs they provide funding to and the risk profile of those ALBs. Departments and ALBs need to work together to identify shared risks and develop appropriate, efficient risk management approaches. Departments should regularly review the risk profile of their ALBs and ensure that appropriate and effective risk management processes are in place, including:

• structured processes for identifying and managing risks associated with departmental sponsorship responsibilities;

• regular review of processes for gaining assurances on ALBs' management of risks to ensure that appropriate and effective controls are in place; and

• regular and open discussion of risk issues between departments and their ALBs.

2.15 Departments have developed a number of techniques for gaining assurances on the governance and risk management of their ALBs.

Good Practice – managing risks in arm's length bodies

• The Accounting Officer of each ALB is required to complete an annual 'Subsidiary Statement on Internal Control' confirming that risks within their organisation have been identified, evaluated and managed appropriately. This statement is timed to support the departmental Statement on Internal Control, which will reflect any significant control failures reported within ALBs.

• The head of Internal Audit in each ALB provides an annual opinion on the adequacy of the organisation's risk management, control and governance process. This report should be timed to support the Accounting Officer in each ALB in preparing his/her Statement on Internal Control.

• Training is provided for Board members of ALBs on their roles and responsibilities.

• The Department attends in an observer capacity at the meetings of the ALB's Audit and Risk Committee to ensure alignment of risks, monitor the effectiveness of systems in place and maintain awareness of key risks.

• ALB representatives attend the departmental Audit and Risk Committee in an observer capacity on matters which impact on both, to offer reassurance that appropriate governance arrangements are in place and working.

• Procedures are documented and embedded to ensure that new risks identified in the ALBs are escalated to the Department on a timely basis.

Part Three: Risk management process

3.1 There is no one size fits all approach to the risk management process for public sector bodies. However, all risk management processes should incorporate five core stages and these should be outlined in the risk management strategy.

Figure 3 – Risk management process

1. Risk identification
2. Risk assessment
3. Risk appetite
4. Addressing risk
5. Reviewing and reporting risk

Step 1: Risk identification

3.2 Risk identification is the process of identifying risks which may impact on the organisation's ability to achieve its objectives. The aim is to identify what, when, where, why and how events could prevent, degrade, delay or enhance achievement of objectives. Appendix 5 provides a breakdown of the 3 main categories of risk, which are:

• external risks;

• operational risks; and

• change risks.


3.3 Risk identification should be approached in a methodical way to ensure that all significant activities within the department have been identified and all risks flowing from these activities defined. Risk should always be related to objectives. Departments use a number of methods for identifying risks including facilitated workshops, brainstorming, using past experience, and audit reports from internal audit, NIAO and other audit institutions. As part of its risk management procedure manual the Department for Regional Development has compiled a risk checklist as a tool to facilitate the consideration of risk for any business activity. Although not exhaustive, it provides a starting point for business areas to assess risk (see Appendix 6).

3.4 A number of departments also use a technique called "horizon scanning" which identifies risks that are likely to arise in the future. Horizon scanning is defined by the Government Office for Science as 'the systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning.'

3.5 The identification of risk can be separated into 2 stages:

Initial risk identification should be completed by those bodies which have not previously identified risks in a structured way, new organisations, or when an organisation undertakes a new project or activity.

Continuous risk identification is a process of review to identify new risks as they arise, changes to existing risks, or eliminate risks which are no longer relevant.

3.6 In the current economic climate it is particularly important that public sector bodies are responsive to changes in their operating environment. Organisations must engage in the process of continuous risk identification to identify and manage threats to the business that may arise as a result of changes to the operating environment. The process should not only involve identifying new risks, but should incorporate a review of the documented risks which may no longer be valid or which may have been fully addressed. These risks should be removed from the risk register. Frequently, organisations add new risks to the register but fail to remove risks that have been addressed and that are no longer current. This can result in:

• the risk register providing an inaccurate profile of the organisation's corporate risks;

• the risk register becoming 'cluttered' with risks that are no longer current, making it difficult to identify the most significant strategic level risks faced by the organisation; and

• the risk register becoming burdensome to maintain and review.

3.7 Risk assessment and management should be a routine element of all policy development and implementation. Risks considered should not only include those which threaten the achievement of objectives, but also those of failing to identify and exploit opportunities to do things differently or better (missed opportunities).

Risk ownership

3.8 Public bodies must establish appropriate accountability arrangements to provide assurances on risk management to the Board and the Audit Committee. This will involve assigning each of the risks identified to an owner who will be responsible for ensuring that the risk is managed and monitored over time. In order to promote accountability, risk owners should be named individuals and not groups, for example 'Finance Director' rather than 'Senior Management Team'.

3.9 Ownership of key strategic risks will usually be assigned at senior management/Board level. The ownership of operational risks will be allocated to head of division or head of branch level depending on the nature of the identified risk and the potential impact on business. These risks may not be included on the corporate risk register or reported to the Audit Committee. In promoting the need for accountability, organisations should link the ownership of risk to an individual's performance objectives.

3.10 It is essential that risk owners receive the support they require in order to manage those risks that have been assigned to them and that they have the authority to assign resources to manage key risks. They will be responsible for ensuring the risk framework is applied at all levels throughout their business area.

Step 2: Risk assessment

3.11 The next step in the process is to assess the "inherent" risk to an organisation's activity. Inherent risk can be described as the exposure arising from a specific risk before any action is taken to manage it.

3.12 This involves assessing the 'likelihood' of a risk occurring and its potential 'impact' on the relevant business objective. The impact and likelihood of risks occurring will be reassessed later in the risk management process (step 4) to reflect how the risk exposure has changed as a result of the risk response. This is referred to as "residual" risk and can be described as the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.

3.13 As a minimum the impact and likelihood should be assessed as high, medium or low in a simple 3x3 risk matrix as illustrated in Figure 4. A more detailed analytical scale can be applied if appropriate: Appendix 7 shows how the Department of Education has developed its own model. Each department should reach a judgement about the level of analysis that is most suitable for its circumstances.


3.14 This initial risk assessment focuses on inherent risk. Once organisations have completed step 4 in the risk management process the risk will be reassessed to identify the residual risk. Figure 5 provides an example of how this information might be presented in a risk register.

Figure 4 – Simple 3x3 risk assessment matrix (rows: impact; columns: likelihood)

Impact \ Likelihood   Low      Medium   High
High                  AMBER    RED      RED
Medium                GREEN    AMBER    RED
Low                   GREEN    GREEN    AMBER

Figure 5 – Extract from risk register

Risk: Project deadline will not be met.

Inherent risk assessment (Impact/Likelihood): H / H

Risk response: Controls:
1. Project Board established and Senior Responsible Owner identified to manage project
2. Regular monitoring of reported progress against milestones
3. Contract penalties for project overruns

Residual risk assessment (Impact/Likelihood): M / L


Step 3: Risk appetite

3.15 An organisation’s risk appetite is the extent of exposure to risk that is judged tolerable for that organisation. The concept may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity.

• When considering threats, risk appetite clarifies the level of exposure which is considered tolerable and justifiable should it be realised. It is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance; or

• When considering opportunities, risk appetite clarifies how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. It is about comparing the value (financial or otherwise) of potential benefits with the losses which might be incurred (some losses may be incurred with or without realising the benefits).

3.16 Some risks are unavoidable and it is not always within the ability of the organisation to manage risk to a tolerable level – for example, many organisations have to accept that there are risks arising from terrorist activities, extreme weather, industrial action etc which they cannot control. In this case the organisation needs to make contingency plans to minimise any potential negative impact of a risk maturing.

Setting the risk appetite

3.17 Risk appetite will best be expressed as a series of boundaries, appropriately authorised by management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it. Risk appetite will be expressed in the same terms as those used in assessing risk. An organisation’s risk appetite is not necessarily static; in particular the Board will have freedom to vary the amount of risk which it is prepared to take depending on the circumstances at the time. Risk appetite should be considered at different levels including:

• corporate risk appetite;

• delegated risk appetite; and

• project risk appetite.

Appendix 8 explores these concepts in more detail in a model of risk appetite that was developed by HM Treasury.

Applications of risk appetite

3.18 As part of its procedure manual the Department for Regional Development has developed a grid (see figure 7) which identifies how risk appetite will influence the behaviour of decision makers when considering the various categories of risk.

Figure 7: Department for Regional Development: Risk appetite and categories

Averse: Avoidance of risk and uncertainty, or for safe options that have a low degree of inherent risk and may only have limited potential for reward, is a key objective.

Open: Willing to consider all options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward.

Hungry: Eager to be innovative and to choose options based on potential higher rewards (despite greater inherent risk).

Example behaviours when taking key decisions, by category of risk:

Reputation, Political and Societal

Averse:
• Minimal tolerance for any decisions that could lead to scrutiny of the Department or Agency; limited to those events where there is little chance of any significant repercussion should there be a failure

Open:
• Appetite to take decisions with potential to expose the Department or Agency to additional scrutiny, but only where appropriate steps have been taken to minimise exposure

Hungry:
• Appetite to take decisions which are likely to bring scrutiny of the Department or Agency but where potential benefits outweigh the risks

Operational

Averse:
• Defensive approach to objectives – aim to maintain or protect, rather than to create. Innovations generally avoided unless necessary
• Priority for tight management controls and oversight with limited devolved decision making authority
• Decision making authority generally held by senior management
• General avoidance of systems/technology developments. Occasional developments are limited to improvements to protection of current operations

Open:
• Innovation supported, with demonstration of commensurate improvements in management control
• Systems/technology developments considered to enable operational delivery
• Responsibility for non-critical decisions may be devolved

Hungry:
• Innovation pursued – desire to ‘break the mould’ and challenge current working practices
• New technologies viewed as a key enabler of operational delivery
• High levels of devolved authority – management by trust rather than tight control

Financial

Averse:
• Avoidance/limited financial loss is a key objective
• Only willing to accept the low cost option
• Resources withdrawn from non-essential activities or restricted to core operational targets

Open:
• Prepared to invest for reward and minimise the possibility of financial loss by managing the risks to a tolerable level
• Value and benefits considered (not just cheapest price)
• Resources allocated in order to capitalise on potential opportunities

Hungry:
• Prepared to invest for the best possible reward and accept the possibility of financial loss (although controls may be in place)
• Resources allocated without firm guarantee of return – ‘investment capital’ type approach

Compliance – legal / environmental

Averse:
• Avoid most things which could be challenged, even unsuccessfully
• Play safe

Open:
• Limited tolerance for sticking neck out. Would want to be reasonably sure of successful outcome of any challenge
• Challenge will be problematic but we are likely to win it and the gain will outweigh the adverse consequences

Hungry:
• Chances of losing are high and consequences serious. But a win would be seen as a great coup

Step 4: Addressing the risk

3.19 There are four standard traditional responses to addressing risk (see figure 8). The choice of approach taken will depend on factors such as cost, feasibility, probability and potential impact. By addressing the risks identified, organisations can constrain threats and take advantage of opportunities.

Figure 8: Actions to address risk

Terminate: A decision is made not to take the risk or to cease the activity which causes the risk. Where the risks outweigh the possible benefits, risk can be terminated by doing things differently and thus removing the risk, where it is feasible to do so. This is not always possible in the provision of public services or mandated or regulatory measures, but the option of closing down a project or programme where the benefits are in doubt must be a real one. For example, DFP took the decision to terminate Procurement for the Workplace 2010 programme when it became apparent in late 2008 that the prevailing conditions in the financial markets meant that it would be extremely difficult for bidders to raise the finance required to fund the project. This, coupled with the fact that the two companies shortlisted to submit best and final offers (BAFOs) announced a possible merger during the BAFO process, meant there was a serious risk that value for money could not be achieved on the project.

Tolerate: Accept the risk. This may be where the risk is external and therefore the opportunity to control it is limited, or where the probability or impact is so low that the cost of managing it would be greater than the cost of the risk being realised. This option may be supplemented by contingency planning for handling the impacts that will arise if the risk is realised. For example, cuts in departments’ budgets present a serious risk to the delivery of some services. However, cuts to budgets are outside the control of public bodies and departments must accept the cuts and develop a plan for dealing with the loss of resources.

Transfer: Where another party can take on some or all of the risk more economically or more effectively, for example through another organisation undertaking the activity or through obtaining insurance. It is important to note that some risks are not (fully) transferable – in particular it is generally not possible to transfer reputational risk even if the delivery of the service is contracted out. The relationship with the third party to which the risk is transferred needs to be carefully managed to ensure successful transfer of risk. For example, PPP projects such as the Roads Service Westlink project and the Department of Education’s Pathfinders project are examples of where risk has, to some extent, been transferred to third parties.

Treat: Mitigate the risk. In practice, this is the most common response to risk. It is achieved by eliminating the risk or reducing it to an acceptable level by prevention or another control action. Case Studies 3 and 4 illustrate the steps taken by Invest NI to reduce risk to an acceptable level when supporting two manufacturing projects.


3.20 Organisations may also want to exploit the opportunity that a risk presents and, provided this is managed well, it should be encouraged. There are two aspects to this:

• at the same time as mitigating threats, an opportunity arises to exploit positive impact. For example, if a large sum of capital funding is to be put at risk in a major project, are the relevant controls judged to be good enough to justify increasing the sum of money at stake to gain even greater advantages; and

• circumstances arise which, whilst not generating threats, offer positive opportunities, for example, a drop in the cost of goods or services frees up resources which can be redeployed.

3.21 Invest Northern Ireland’s (Invest NI) role is to grow the economy by helping new and existing businesses to compete internationally, and by attracting new investment to Northern Ireland. In order to deliver on its business objectives and support economic growth in Northern Ireland, Invest NI must embrace risk to a greater extent than other public sector bodies. Therefore, Invest NI will have a greater appetite for risk than other public sector bodies. While Invest NI has a unique outlook on risk as a result of its operating environment, there are lessons that can be learnt by other public sector bodies.

Case Study 3: Invest NI - Risk management in a successful project

Background: Invest NI provided approximately £3.5 million of a £10 million investment to support a high technology manufacturing company in Belfast whose parent company had withdrawn its support. The project proposed the creation of 52 new posts, many of which would be filled by highly skilled PhD engineers and scientists.

Risk assessment: Invest NI undertook a risk assessment of the project and identified the project as high risk for the following reasons:

• Sales achievability - a functioning prototype had not achieved commercialisation;

• A specific technical issue in the manufacturing process required resolution;

• There was a dependency on customers to incorporate the company’s product into their own products; and

• There was a reliance on a small number of key individuals.

Rationale for proceeding: Whilst the project was regarded as high risk, the appraisal identified the potential for significant commercial returns. The management team was assessed to be credible; a clear market opportunity had been identified and verified by a detailed market appraisal; an external technical appraisal identified there was a reasonable expectation that the Research and Development required to develop the product was achievable; and it was checked and confirmed that the promoters had ownership of the intellectual property underpinning their product.

How Invest NI ensured that risk was reduced to an acceptable level: Reflecting the balance between project risk and the potential commercial return, Invest NI’s financial assistance contained a significant element of ordinary share capital offering a return to the taxpayer should the project be implemented successfully.

Use of pre-conditions (to be satisfied in full before any assistance could be paid) and general conditions offered clarity and surety around:

• access to, and rights over, intellectual property;

• evidence of introduction of cash by other investors;

• timely provision of management and year end accounts to Invest NI;

• restrictions on making loans, paying dividends and remuneration levels to directors and senior managers; and

• payment of financial assistance dependent on the achievement of specified milestones including the introduction of additional capital by the promoters.

Outcome of this project: The project, which was initiated in 2005, is currently the subject of a Post Project Evaluation. Whilst loss making, manufacturing operations continue at the premises, employment is in line with projections and the Research and Development objectives of the project have been largely met. On the basis of the latest funding round, there is evidence to suggest that the value of Invest NI’s shareholding has increased measurably and there is the potential that Invest NI’s investment can be recouped either by additional external investment or further investment by existing shareholders.

How risk management contributed to the outcome: The risk element of this project was managed by maintaining a close relationship with the company; by ensuring that all pre-conditions were met before any payment of grant was made; that all general conditions were fully applied and met; and by regular monitoring of performance against targets and milestones, including receipt of copies of papers related to the company’s Board meetings.

Source: Invest NI


Case Study 4: Limiting exposure in an unsuccessful project through risk management

Background: A small and technically skilled management team established a company having previously worked at the Northern Ireland site of a large international organisation. The promoters had identified a number of complex software solutions for global markets. An estimated 80 jobs were to be created.

Invest NI provided grant support of some £85,000 and preference share capital of approximately £1.2m to the new venture to assist in the development of a number of software applications to a marketable point.

Risk assessment: As a start up venture with no track record and substantial Research & Development to carry out, the project was regarded as high risk, for the following reasons:

• whilst some applications were technically feasible and market ready, no sales had been achieved to date;

• further products required substantial development;

• reliance on 3rd party joint ventures and alliances to develop market opportunities;

• time slippage;

• management – technically able but lacking in commercial experience and acumen; and

• cash flow and funding – the company required skilled and expensive engineers to develop and support the software applications.

Rationale for proceeding: Whilst the project was regarded as high risk, independent commercial appraisal identified a credible market opportunity.

The company had secured venture capital funding and a number of products were market ready. The management team had been strengthened and Invest NI had structured its investment to minimise risks.

How Invest NI ensured that risk was reduced to an acceptable level: Invest NI supported the project by convertible redeemable preference shares offering a return to the taxpayer and an option to convert to ordinary share capital. Invest NI funds were released in tranches against specified milestones such as the introduction of match funding from the promoters and securing additional bank funding.

The management team was strengthened by the introduction of marketing expertise and an experienced company chairman.

Invest NI made its investment payments in tranches in order to ensure that sufficient progress had been made against product development objectives.

Outcome of this project: The project did not succeed as planned. Sales were slower than expected, cash flow became critical and the company was unable to complete a further funding round.

The company went into administration approximately three years after Invest NI’s initial funding. Invest NI sought to recover monies paid to the company, but there were insufficient assets.

How risk management contributed to the outcome: Invest NI recognised that this project presented significant challenges. The technical skills of the promoters and employees were impressive and independent appraisals had confirmed the potential market opportunity. The project was closely monitored, which allowed Invest NI to limit its exposure when the risks became too great to add to.

The company’s technology and business were subsequently taken on by a newly established company under new control. This company continues to trade successfully with a number of employees from the original company.

Source: Invest NI

Good Practice - Pursuing opportunities

• Organisations should give careful consideration to the opportunity that risks may present when designing their risk responses. The project identified in Case Study 1 was considered to be high risk; however, this was outweighed by the potential opportunity that the project presented for the NI economy. The project has been very successful to date despite the initial risk assessment and this is due largely to risk being managed well.

• It is important to recognise that although risk may be managed well, a project may not achieve the desired outcomes. Provided there is sufficient evidence that risk has been managed appropriately, organisations should avoid a culture of blame but should take the opportunity to identify lessons that can be applied in the future.

• The case studies outlined above illustrate that projects may have entirely different outcomes despite managing risks in a consistent manner. This is because it is not possible to entirely eliminate risk; there will always be a level of residual risk that cannot be addressed. It is essential, therefore, that public bodies identify their risk appetite and minimise risk to an acceptable level.

• All projects should be subject to a post project evaluation to identify and promulgate any lessons learnt.


3.22 The option to “treat” in addressing risk can be further analysed into four different types of controls:

Preventative controls are designed to limit the possibility of an undesirable outcome being realised. The majority of controls implemented belong to this category. Examples include password access to computers, supervisory checks and independent authorisations on payments made to suppliers.

Directive controls are designed to ensure that a particular outcome is achieved. Examples include a requirement that protective clothing be worn during the performance of dangerous duties, or that staff are trained before being allowed to work unsupervised.

Corrective controls (reversibility) are designed to correct undesirable outcomes which have been realised. Applied after the event, these may consist of contractual remedies to recover overpayments or obtain damages, or a detailed contingency plan that will be triggered by an event (e.g. disaster recovery or business contingency plans).

Detective controls are designed to identify occasions of undesirable outcomes having been realised. By definition these are after the event, so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset checks, reconciliations and post implementation reviews.

3.23 HM Treasury’s ‘Orange Book’³ emphasises that in designing controls, “it is important that the control put in place is proportional to the risk. Apart from the most extreme undesirable outcome (such as loss of human life) it is normally sufficient to design controls to give reasonable assurance of confining likely loss within the risk appetite of the organisation. Every control action has an associated cost and it is important that the control action offers value for money in relation to the risk that it is controlling. Generally speaking the purpose of control is to constrain risk rather than eliminate it.”

3.24 Taking account of the controls that have been put in place, organisations should repeat the earlier risk assessment in terms of likelihood and impact to identify the “residual” risk. This risk assessment will generally result in a lower rating for likelihood. The impact of a risk maturing can be reduced by putting in place a contingency plan that will address how the risk will be dealt with in the event of it maturing.

Step 5: Recording and reviewing risk

3.25 The risk management process is evidenced through the maintenance of risk registers. Risk registers should be maintained throughout the organisation at both operational and strategic level. The aim of the risk register is to capture, maintain and monitor information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk. Although each department will develop its own template for recording risk, the key components are as follows (see Appendix 7 for illustration):

• the business/corporate objective affected;

• details of risk(s);

• inherent risk assessment – impact and likelihood;

• risk response;

• residual risk assessment – impact and likelihood;

• planned action;

• target date; and

• risk ownership.

Risk registers are living documents which should be updated regularly.

3 The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, October 2004.

Good Practice – Use of Information Technology

Many public bodies use Microsoft Excel to record and monitor their risk registers. The Department of Finance and Personnel (DFP) has developed and implemented a bespoke Information Technology system which records the department’s targets, objectives and associated risks and is used to provide quarterly information to the Board and the Audit and Risk Committee. The application enables individual business areas to update departmental targets and risks and can also be used to monitor progress against business plans.

DFP identified a number of benefits of using this application:

• It provides the ability to link risks to business plan targets;

• It provides the ability for business areas to update the risk status and the controls and management actions that have been put in place to mitigate against the risks;

• It assigns risk owners at departmental board level for corporate risks;

• Risks can be escalated to divisional, directorate and departmental levels as appropriate; and

• It produces the corporate risk register which is provided to both the Board and the Audit and Risk Committee.
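Whether the register lives in a spreadsheet or a bespoke system, its logic is small enough to state exactly. The Python below is an added example written for this edition, not code from the report, from DFP’s system or from any department described here. It transcribes the Figure 4 matrix, models a register row with the components listed in paragraph 3.25, reproduces the Figure 5 row, and reviews each row against an appetite boundary expressed in the same colour terms as the assessment (paragraph 3.17), reporting the outcome in the three terms of paragraph 4.7. The second register row, the objective, planned action, target date and owner of the first row, and the “controlled excessively” heuristic are assumptions, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

# Three-point scale used in Figure 4 for both impact and likelihood.
LEVELS = ("Low", "Medium", "High")

# Figure 4 transcribed cell by cell: MATRIX[likelihood][impact] -> RAG colour.
# The matrix is symmetric, so reading the axes the other way round gives the same colour.
MATRIX = {
    "High":   {"Low": "AMBER", "Medium": "RED",   "High": "RED"},
    "Medium": {"Low": "GREEN", "Medium": "AMBER", "High": "RED"},
    "Low":    {"Low": "GREEN", "Medium": "GREEN", "High": "AMBER"},
}

# Ordering of the colours, so that an appetite boundary ("no worse than AMBER") can be compared.
COLOUR_RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}


def rate(impact: str, likelihood: str) -> str:
    """Look up the Figure 4 rating for an impact/likelihood pair."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"impact and likelihood must be one of {LEVELS}")
    return MATRIX[likelihood][impact]


@dataclass
class RiskEntry:
    """One row of a risk register, holding the components listed in paragraph 3.25."""
    objective: str            # business/corporate objective affected
    risk: str                 # details of the risk
    inherent_impact: str      # inherent assessment, before any response
    inherent_likelihood: str
    response: List[str]       # controls making up the risk response (step 4)
    residual_impact: str      # residual assessment, assuming the response is effective
    residual_likelihood: str
    planned_action: str
    target_date: date
    owner: str                # named risk owner (paragraph 3.9)

    @property
    def inherent_rating(self) -> str:
        return rate(self.inherent_impact, self.inherent_likelihood)

    @property
    def residual_rating(self) -> str:
        return rate(self.residual_impact, self.residual_likelihood)


def review(entry: RiskEntry, appetite: str) -> str:
    """Place a row in one of the three outcomes of paragraph 4.7; `appetite` is the worst
    colour the organisation tolerates, stated in the assessment's own terms (3.17)."""
    limit = COLOUR_RANK[appetite]
    if COLOUR_RANK[entry.residual_rating] > limit:
        return "controlled inadequately"        # residual exposure still above appetite
    # Heuristic of this example, not a rule from the report: controls applied to a risk
    # whose inherent rating was already comfortably inside appetite are a candidate for review.
    if entry.response and COLOUR_RANK[entry.inherent_rating] < limit:
        return "controlled excessively"
    return "managed adequately and appropriately"


def render(register: List[RiskEntry], appetite: str) -> List[str]:
    """Lay the register out in the style of Figure 5, with the appetite review appended."""
    rows = []
    for e in register:
        controls = "; ".join(f"{i}. {c}" for i, c in enumerate(e.response, 1))
        rows.append(
            f"{e.risk} | inherent {e.inherent_impact[0]}/{e.inherent_likelihood[0]} ({e.inherent_rating})"
            f" | Controls: {controls} | residual {e.residual_impact[0]}/{e.residual_likelihood[0]}"
            f" ({e.residual_rating}) | owner: {e.owner} | {review(e, appetite)}"
        )
    return rows


# Constructed sample register. Row 1 is the Figure 5 example (objective, action, date and
# owner are assumed, as Figure 5 does not show them); row 2 is a hypothetical information
# security risk whose residual rating stays outside an AMBER appetite.
REGISTER = [
    RiskEntry(
        objective="Deliver the project by the agreed date",
        risk="Project deadline will not be met.",
        inherent_impact="High", inherent_likelihood="High",
        response=[
            "Project Board established and Senior Responsible Owner identified to manage project",
            "Regular monitoring of reported progress against milestones",
            "Contract penalties for project overruns",
        ],
        residual_impact="Medium", residual_likelihood="Low",
        planned_action="Monitor and review", target_date=date(2011, 12, 31),
        owner="Senior Responsible Owner",
    ),
    RiskEntry(
        objective="Keep personal data in case files confidential",
        risk="Unauthorised access to case records (hypothetical).",
        inherent_impact="High", inherent_likelihood="Medium",
        response=["Password access to computers"],   # a preventative control, paragraph 3.22
        residual_impact="High", residual_likelihood="Medium",
        planned_action="Add independent authorisation and periodic access reconciliations",
        target_date=date(2012, 3, 31), owner="Head of Information Services (hypothetical)",
    ),
]

if __name__ == "__main__":
    for row in render(REGISTER, appetite="AMBER"):
        print(row)
```

Run stand-alone, the block prints the two rows; the Figure 5 row comes out as RED inherent and GREEN residual and is reported as “managed adequately and appropriately” against an AMBER appetite, while the hypothetical access risk stays RED after a single preventative control and is reported as “controlled inadequately”, which is the signal that step 4 must be repeated for it before the residual assessment is recorded.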

Fraud risk assessment

3.26 All organisations are subject to fraud risks and therefore should complete a fraud risk assessment on a periodic basis. A detailed fraud assessment needs to be performed by division and/or function. Functions and services that need to be included in the assessment are finance and accounting, human resources management (payroll), purchasing and contracting, and information technology. As a part of the assessment, organisations need to look at the control environment and information technology, as both have a significant effect on fraud risk for most functions.

3.27 An effective fraud risk management assessment should identify where fraud may occur and who the perpetrators might be. Control activities should always consider both internal and external fraud.

3.28 A fraud risk assessment will include the same three key elements of any other risk assessment:

• Identify inherent fraud risk — Gather information to obtain the population of fraud risks that could apply to the organisation. Included in this process is the explicit consideration of all types of fraud scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organisation;

• Assess likelihood and significance of inherent fraud risk — Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with relevant staff, including business process owners; and

• Respond to reasonably likely and significant inherent and residual fraud risks — Decide what the response should be to address the identified risks.

Appendix 9 provides a practical example of a fraud risk assessment.

Part Four: Accountability

Responsibilities

4.1 With the right culture, risk management should become inherent in the organisation’s operations and in the roles and responsibilities of staff. In order to promote and embed such a risk management culture organisations should focus on the following key drivers:

• Communication: Everyone should be aware of the organisation’s risk appetite, along with the corresponding policy, strategy and processes. Staff should be aware of the process to raise risk related issues, which should be clearly documented and communicated. It is important that staff feel confident in raising risk related issues even when this may present negative impacts for the organisation. Staff must also be confident that any issues or concerns that they raise will be considered at an appropriate level and will, where necessary, be acted upon;

• Leadership: The Accounting Officer and senior managers have a key role in embedding the risk management culture. They should promote risk management through their own behaviours and actions by encouraging others;

• Resource: Risk owners should have the necessary resources at their disposal to implement risk responses. They should also be well equipped and supported to manage risk. This will involve providing the relevant training and access to risk management advice and expertise; and

• Ownership and responsibility: Risk management responsibilities should be clearly linked to personal objectives and to the performance appraisal system. Relevant staff should be empowered to take well managed risks in the knowledge that they will not be blamed for any negative outcomes, providing risk has been managed in a way which is consistent with the organisation’s risk appetite.

Governance

4.2 A public body’s Board and Audit and Risk Committee have vital roles to play in the governance of risk management (see figure 2). In line with good governance, the Board should include non-executive directors and the Audit and Risk Committee should be chaired by a non-executive director. This should contribute to an independent review of the risk management strategy and the corporate risk register.

Good Practice – Risk review group

The Department of Agriculture and Rural Development (DARD) established a Risk Review Group (RRG) in June 2007 as a committee to coordinate and champion risk management and reporting of risk. The RRG is a subgroup of the Corporate Governance Audit Committee (CGAC), is chaired by a non-executive director and comprises representatives of all business groups within the department. It meets four times per year and reports back to the CGAC.

4.3 The public bodies that we reviewed indicated that the risk register was a standing item on the agenda of the Audit and Risk Committee and in most cases the full Board reviewed the corporate risk register either monthly or quarterly.

Good Practice – Provision of information to the Board

DARD currently prepares a risk commentary which is presented to and reviewed by the Board on a monthly basis. The risk commentary is coordinated by the Head of Financial Policy and commentary is sought from across all business areas. This process assists the Board in conducting a high level review of the corporate risk register on a regular basis.

Reporting

4.4 An organisation’s system of internal control is designed to manage risk to an acceptable level. In accordance with Managing Public Money Northern Ireland, the Accounting Officer must report annually on the system of internal control by preparing and signing a Statement on Internal Control. The Statement on Internal Control should reflect on the system of internal control in operation in the department and its ALBs throughout the year, and should highlight any significant internal control weaknesses or failures.

4.5 In order to assist the Accounting Officer in fulfilling his or her responsibilities, departments indicated that they have put in place a process for stewardship reporting. In most cases this involves the head of each division in the core department, and the Accounting Officer in each ALB, submitting a stewardship statement to the Accounting Officer at least biannually (in some cases quarterly). The stewardship statements should reflect any significant internal control issues in the relevant ALB or division and should be timed to support the Accounting Officer in his/her preparation of the Statement on Internal Control. The National Audit Office has produced guidance on the arrangements for the production of the Statement on Internal Control⁴,⁵.

4 A Good Practice Guide to the Statement on Internal Control, National Audit Office, 2010.
5 DAO (DFP) 02/10, The Statement on Internal Control: a Guide for Audit Committees.

Good Practice - Stewardship reporting

The Office of the First Minister and Deputy First Minister (OFMDFM) recently redesigned and expanded its stewardship reporting process to address a wider range of governance and control issues and issued guidance on corporate/business area risk frameworks to staff. The framework provides a checklist for completion of quarterly stewardship statements which covers eleven key areas of risk (OFMDFM’s pro forma stewardship statement is provided at Appendix 10).

In completing the stewardship statements, directors and Accounting Officers reflect on:

• any findings emerging from recent internal audit reviews undertaken in the business area;

• findings emerging from the year-end audit of the department’s Resource Accounts by NIAO;

• any control and approval issues highlighted by the Department of Finance and Personnel’s annual review of consultancy spend;

• matters arising from in-year asset verification exercises; and

• any issues that may have emerged in relation to the sponsorship of Non-departmental Public Bodies.

Significant internal control issues should be identified and commented on in the statement, including proposed remedial action to minimise the impact of identified risks materialising.

Assurance

4.6 HM Treasury Guidance states that “assurance draws attention to the aspects of risk management, governance and internal control that are functioning effectively and the aspects which need to be given attention to improve them. Assurance helps a Board to judge whether or not its agenda is focussing on the issues that are most significant in relation to achieving the organisation’s objectives and whether best use is being made of resources”.⁶ There are a number of ways in which organisations might seek assurances that the risk management strategy and procedures in place provide an adequate level of assurance to their Board and audit committee:

• Internal Audit – conduct and report on an annual programme of work. The Head of Internal Audit will adopt a risk based approach to planning its work, referring to organisational risk registers in identifying topics for review. In addition to individual audit reports that the Head of Internal Audit will produce to record the audit findings of individual audit assignments, he/she will prepare an annual report giving his/her opinion on risk management, control and governance which is generally timed to support and inform the Accounting Officer’s Statement on Internal Control. The annual report will provide an overview of the internal audit work undertaken throughout the year and will highlight any limited assurance ratings. HM Treasury Guidance highlights that, “the work of Internal Audit is likely to be the single most significant resource use by the Audit Committee in discharging its responsibilities. This is because the Head of Internal Audit, in accordance with the Government Internal Audit Standards, has a responsibility to offer an annual audit opinion on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes”.

Good Practice - Internal Audit review of the risk management process

As part of the Department of Culture, Arts and Leisure’s recent review of its risk management framework it has introduced a requirement for Internal Audit to perform an annual review, with the objective of providing the Board and the Audit and Risk Committee with an opinion on the Department’s risk management process and risk registers. This review will be timed to support the Accounting Officer in signing the Statement on Internal Control.

• External audit – will issue a report to those charged with governance as part of the year-end audit of the financial statements. This report will highlight any internal control or governance issues that have been identified during the external audit procedures.

• Other audit and verification exercises – public bodies may be subject to a range of additional audit, inspection and verification exercises as a result of the nature of their business and the funding that has been received. These exercises may result in other audit bodies bringing internal control issues to the attention of the Audit and Risk Committee and the Board.

• Statement on Internal Control – should be reviewed by the Audit Committee to ensure that the information presented in the statement is complete and accurately reflects other information relating to risk and internal control that has been presented to the committee throughout the year. National Audit Office published guidance in ‘The Statement on Internal Control: A Guide for Audit Committees’ in 2010.

• Self-assessment – it is recognised that it is good practice for Audit and Risk Committees to conduct a self assessment annually. National Audit Office published ‘The Audit Committee Self-Assessment Checklist’ in November 2009 and this includes a section on internal control.

6 HM Treasury – Audit Committee Handbook.

Good Practice - National Audit Office

Audit Committee self-assessment – Internal control issues for consideration

• DoestheAuditCommitteeconsiderwhethercorporategovernanceisembeddedthroughouttheorganisation,ratherthantreatedasacomplianceexercise?

• DoestheAuditCommitteeconsiderwhetherthesystemofinternalreportinggivesearlywarningofcontrolfailuresandemergingrisks?

• DoestheAuditCommitteeconsiderwhethertheStatementonInternalControlissufficientlycomprehensiveandmeaningful,andtheevidencethatunderpinsit?

• DoestheAuditCommitteesatisfyitselfthatthesystemofinternalcontrolhasoperatedeffectivelythroughoutthereportingperiod?


• Does the Audit Committee consider whether financial control, including the structure of delegations, enables the organisation to achieve its objectives and achieve good value for money?
• Does the Audit Committee monitor whether the organisation's procedures for identifying and managing business risk have regard for the relevant legislation and regulation?

• Third-party review – public bodies may seek independent assurance from third parties on their risk management process and risk registers.

Good Practice – Third party reviews

As part of a wider review of its risk management processes, the Department for Social Development recently engaged another NICS department to conduct a review of its corporate risk register. This worked well in practice as it provided an independent assessment of the risk register. Due to the similar nature of the body undertaking the review there was a common understanding of how risk management should be applied in the public sector environment.

The Department for Regional Development employed consultants to undertake a performance assessment of its risk management strategy. This exercise provided valuable lessons on how to apply best practice.

4.7 The assurance provided by the various methods identified above should assist the Audit and Risk Committee in identifying where risk is:

• managed adequately and appropriately;
• controlled inadequately; or
• controlled excessively.

Where risks are managed adequately and appropriately no further action is required other than to monitor and review the risk. However, where a risk is controlled inadequately, measures to improve the risk response must be implemented. In the current economic climate there is increasing pressure on resources. It is therefore essential that public bodies take a measured approach in managing risk and consider the cost/benefit that controls represent. Due to the traditionally risk averse nature of the public sector it is not uncommon to find excessive controls in operation. This can result in significant waste, and by identifying such measures it may be possible to identify cost savings. The role of the Audit Committee is to advise the Board on such matters, to enable it to make an informed decision. The Audit Committee must, however, ensure that it maintains independence to avoid becoming involved in executive risk management responsibilities.

Appendices

Appendix 1 Risk management checklist (paragraph 1.4)

1. Risk Management Framework (Response)

1.1 Does the organisation have an established risk management function, e.g. a risk champion, risk manager, risk management department, risk committee?

1.2 How is risk management sponsored by the Accounting Officer, and responsibility shared with the Board and the Senior Management team?

1.3 Is the organisation's approach to risk fully documented and widely distributed (i.e. risk appetite)?

1.4 How has risk management been embedded in the following processes:
– Performance management
– Operational management
– Financial management
– Business planning

1.5 How have the following contributed to the development of risk management within your organisation?
– HM Treasury Orange Book
– Internal Audit
– External Audit
– Other (please detail)

1.6 Does the organisation have a risk management strategy and/or policy?

1.7 Has the risk management strategy/policy been endorsed by the Accounting Officer/Board/Audit and Risk Committee?

1.8 How has the risk management strategy/policy been promulgated to staff?

1.9 How often is the risk management strategy/policy reviewed? When was the strategy/policy last reviewed/updated?

1.10 How does the risk management strategy promote the need for effective communication to all relevant stakeholders?

1.11 How does the risk strategy/policy outline how risk should be considered at each level (strategic and operational) throughout the organisation?

1.12 What process is in place for escalating risks throughout the organisation?

1.13 Is there a contingency or business continuity plan in place? If so, how often is it tested?

1.14 Is there an IT recovery plan in place? If so, how often is it tested?

1.15 Is there a communications strategy in place that can be applied in the event of a risk maturing?

2. Risk Management Process

2.1 Are the responsibilities of all staff clearly defined and regularly reviewed?


2.2 Do risk registers record the following information:
– Identified risks
– Inherent risk assessment (impact and likelihood)
– Response to risk
– Residual risk assessment (impact and likelihood)
– Risk ownership
– Timescale for actions required

2.3 Is there a risk register in place which has identified the risks to the organisation at a strategic (organisational) level?

2.4 Are risk registers maintained at an operational (divisional) level?

2.5 Are risk registers maintained at a project level, or does evidence exist that risks are assessed for projects individually?

2.6 How often are risk registers reviewed?

2.7 What techniques are used by the organisation in identifying risks?

2.8 How have the risks identified been linked to the objectives of the organisation?

2.9 How have risks been ranked and prioritised for action?

2.10 How regularly are the responses to key risks monitored?

2.11 Who is responsible for monitoring the risks?


2.12 Is there any early warning system in place to identify any threats that may contribute to the realisation of key risks?

2.13 Is there a policy in place for managing the risks associated with working with partners at project level?

2.14 How are risks associated with working with partners at project level identified and managed?

2.15 What is the process in place for reviewing the risk assessment throughout the project lifecycle?

2.16 How does the rigour of this process vary according to the size/duration/profile of the project?

2.17 What IT software does the organisation use in its risk management process?

2.18 How is risk management incorporated into the organisation's training programme? Is risk management included in induction training for all new staff?

2.19 Is there any form of ongoing risk communication across the organisation?

2.20 Does the organisation maintain a risk database?

3. Accountability

3.1 Have responsibilities for identifying, managing and reporting risk been established? How regularly are these responsibilities reviewed?


3.2 Are responsibilities in relation to risk reflected in personal objectives and the performance appraisal system?

3.3 What measures have the executive directors put in place for reporting on the risk management process to the Board and the Audit and Risk Committee?

3.4 How frequently does risk management appear on the Board agenda?

3.5 How do the Board/Senior Management team assure themselves that they have identified all of the organisation's risks?

3.6 What references have been made to the risk management process in the annual report?

3.7 Have any significant internal control issues relating to identified risks been highlighted in the Statement on Internal Control in recent years?

3.8 How does the Internal Audit Service use the risk management framework when planning their work?

3.9 How does the organisation ensure that systems of internal control are operating robustly?

3.10 How does the organisation gain independent assurance on the effectiveness of its risk management process?


Appendix 2 Participants (paragraph 1.4)

The following public sector bodies assisted our review by completing the risk management checklist.

1. Department of Agriculture and Rural Development
2. Department of Culture, Arts and Leisure
3. Department of Education
4. Department for Employment and Learning
5. Department of Enterprise, Trade and Investment
6. Department of Finance and Personnel
7. Department of Health, Social Services and Public Safety
8. Department of the Environment
9. Department of Justice
10. Department for Regional Development
11. Department for Social Development
12. Invest Northern Ireland
13. Northern Ireland Assembly
14. Northern Ireland Ombudsman and Commissioner for Complaints
15. Office of the First Minister and Deputy First Minister
16. Public Prosecution Service


Appendix 3 HM Treasury Audit Committee Handbook – Key questions for an Audit Committee to ask (paragraph 2.5)

On the strategic processes for risk, control and governance, how do we know:

• that the risk management culture is appropriate?
• that there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
• that the Risk Register is an appropriate reflection of the risks facing the organisation?
• that appropriate ownership of risk is in place?
• that management has an appropriate view of how effective internal control is?
• that risk management is carried out in a way that really benefits the organisation, or is it treated as a box-ticking exercise?
• that the organisation as a whole is aware of the importance of risk management and of the organisation's risk priorities?
• that the system of internal control will provide indicators of things going wrong?
• that the Accounting Officer's annual 'Statement on Internal Control' is meaningful, and what evidence underpins it?
• that the Statement on Internal Control appropriately discloses action to deal with material problems?
• that the Board is appropriately considering the results of the effectiveness review underpinning the Statement on Internal Control?

On risk management processes, how do we know:

• how senior management and Ministers support and promote risk management?
• how well people are equipped and supported to manage risk well?
• that there is a clear risk strategy and policies?
• that there are effective arrangements for managing risks with partners?
• that the organisation's processes incorporate effective risk management?
• if risks are handled well?
• if risk management contributes to achieving outcomes?


Appendix 4 Department of Health, Social Services and Public Safety – Extract from communications plan (paragraph 2.12)

Devising a Communications Strategy

The following strategic questions are to be considered when devising the Communications Strategy.

• What is the nature of the event or incident that has occurred, and has a commonly understood picture of the incident been reached?
• Does the incident point to a deeper issue or problem that could impact upon the reputation of the Department?
• Has the incident finished or is there potential for more to come, and if so what are the timescales?
• How bad could this get, and what is the most realistic worst-case scenario?
• What will our stakeholders (internal and external) make of this situation?
• What does the Department stand to lose because of this incident?
• What allies can the Department involve?

Key Message Checklist

The following should be considered in relation to message content and tone:

• Provide as much information on the incident as is available and verified as factual.
• Provide a human face that shows the Department cares.
• Provide reassurance that any risks have passed, or that action is under way to mitigate any risks, and tell people what they too can do.
• Outline a solid history in regard to incidents and incident management.
• Provide details of when and how further information will be made available.
• Provide written background briefs on the Department outlining the role of the DHSSPS and its main services.
• Provide detailed evidence to back any claims made.


The following steps form a useful guide for Communications Planning (shown as a flow diagram in the plan):

• Assess the situation.
• Design and issue a holding statement.
• Select a communications strategy and target audiences.
• Select the most appropriate messages and means of delivery.
• Implement the communications plan.
• Inform staff and ensure information is centralised and coordinated.
• When asked, provide information and reassurance.
• Avoid confrontation and remain flexible.
• Consider the long term strategic implications.


Appendix 5 HM Treasury Orange Book – Categories of risk (paragraph 3.2)

External (arising from the external environment, not wholly within the organisation's control, but where action can be taken to mitigate it)

Political: change of government; cross-cutting policy decisions; machinery of government changes (e.g. devolution)

Economic: ability to attract and retain staff in the labour market; exchange rates affect costs of international transactions; effect of global economy on NI economy

Socio-cultural: demographic changes affect demand for services; stakeholders' expectations change

Technological: obsolescence of current systems; cost of procuring best technology available; opportunity arising from technological development

Legal/regulatory: EU requirements/laws which impose requirements (such as health and safety or employment legislation)

Environmental: buildings need to comply with changing standards; disposal of rubbish and surplus equipment needs to comply with changing standards

Operational (relating to existing operations – both current delivery and building and maintaining capacity and capability)

Service/product failure: fail to deliver the service to the user within agreed/set terms

Project delivery: fail to deliver on time/budget/specification

Resources: financial (insufficient funding, poor budget management, fraud); HR (staff capacity, skills, recruitment and retention); information (adequacy for decision making, protection of privacy); physical assets (loss, damage, theft)

Relationships: delivery partners (threats to commitment to relationship, clarity of roles); customers/service users (satisfaction with delivery); accountability (particularly to the Assembly)

Operations: overall capacity and capability to deliver

Reputation: confidence and trust which stakeholders have in an organisation

Governance: regularity and propriety/compliance with relevant requirements/ethical considerations

Scanning: failure to identify threats and opportunities

Resilience: capacity of systems/accommodation/IT to withstand adverse impacts and crises (including war and terrorist attack); disaster recovery/contingency planning

Security: of assets and information

Change (risks created by decisions to pursue new endeavours beyond current capability)

PSA targets: new PSA targets challenge the organisation's capacity to deliver/ability to equip the organisation to deliver

Change programme: programmes for organisational or cultural change threaten current capacity to deliver as well as providing opportunity to enhance capacity

New projects: making optimal investment decisions/prioritising between projects which are competing for resources

New policies: policy decisions create expectations where the organisation has uncertainty about delivery


Appendix 6 Department for Regional Development – Risk checklist (paragraph 3.3)

A risk checklist is an in-house list of risks that were identified or occurred during previous organisational activities. They permit managers to capture lessons learned and assess whether similar risks are relevant to current activities.

This checklist should be used as a means of kick-starting and facilitating discussions on risks which may impact on the achievement of business objectives. It should be noted that these risks are not exhaustive and it is expected that business areas will develop and tailor this to meet their own needs as specific business risks are identified. The checklist will be updated annually following input from Departmental Risk Coordinators.

People

• Will the business area have the personnel in place to meet business objectives?
• Does everyone know and understand their roles and responsibilities?
• Do we have clear Job Descriptions, PPAs and PDPs?
• Do we have the processes and procedures in place to facilitate recruitment?
• Do we know the knowledge, skills and experience required to do the job?
• Are staff appropriately trained to deliver business objectives?
• Are staff appropriately trained in navigating the HR Connect system?

Finance

• Has the achievement of the business objectives been effectively budgeted for in terms of financial resources?
• Are controls in place to monitor financial performance against business objectives?
• Does the business area have appropriate systems in place to report on financial performance?
• Are staff appropriately trained on Account NI procedures?

Data Management

• Can the business area be assured that personal details of staff and/or the public are sufficiently safeguarded?
• Does the business area have suitable data management/ICT systems in place?
• How does the business area store and transport confidential/sensitive information?
• Are passwords regularly changed and updated?
• Is everyone aware of the Departmental Data Management and Security arrangements?
• Are staff trained in using the TRIM system?


Arms Length Bodies

• Does the sponsoring division have appropriate governance arrangements with its sponsor organisation?
• Is performance of the Arms Length Body monitored and reported to Senior Management in the Department?
• Are the objectives of the ALB in line with Departmental objectives?

Service Providers

• Is the business area content that its contracts and SLAs with service providers are adequate and reflect the needs of the Department?
• Is the behaviour and performance of Service Providers monitored and reported to Senior Management?

Policy Issues

• Are project management arrangements in place to ensure the effective and timely delivery of policy?
• Does the business area have political agreement for any policy decisions?
• Have the views of stakeholders and the public been factored into the decision-making process?

Emergency Planning

• Does the business area have adequate contingency planning arrangements in place in the event of an emergency?
• Are staff and/or the public (where appropriate) aware of the emergency arrangements?


Appendix 7 Department of Education – Assessment categories for impact and likelihood (paragraph 3.13)

Risk Evaluation – Impact

Impact levels: Minor (low), Moderate (low-medium), Significant (medium), Major (medium-high), Critical (high).

Achievement of Objectives
• Minor: No risk to DE demonstrating achievement of its key objectives (to deliver on time, within budget etc.).
• Moderate: Failure to deliver more than one Directorate/Programme level objective.
• Significant: One or more key objective is only just delivered (e.g. significant delay or a downward trend).
• Major: Failure to deliver one key objective.
• Critical: Failure to deliver more than one key objective, or the majority of DE key objectives (PSAs/Ministerial Priorities).

Operational Delivery
• Minor: No interruption to service. Minor industrial protest.
• Moderate: Some disruption manageable by altered operational routine.
• Significant: Disruption to a number of operational areas within a location and possible flow-on to other locations.
• Major: All operational areas of a location compromised. Other locations may be affected.
• Critical: Total system dysfunction. Total shutdown of operations.

Financial
• Minor: Financial loss, loss of funding or inescapable unfunded pressures under £20K; +/-1% variance to budget.
• Moderate: Financial loss, loss of funding or inescapable unfunded pressures under £100K; +/-2% variance to budget; NIAO criticism.
• Significant: Financial loss, loss of funding or inescapable unfunded pressures under £250K; +/-5% variance to budget; NIAO qualification of accounts; fraud, corruption and serious irregularity below SCS or within NDPBs.
• Major: Financial loss, loss of funding or inescapable unfunded pressures under £500K; +/-10% variance to budget; NIAO qualification of accounts; fraud, corruption and serious irregularity at SCS or NDPB Senior Management level.
• Critical: Financial loss, loss of funding or inescapable unfunded pressures over £1m; +/-15% variance to budget; NIAO qualification of accounts; fraud, corruption and serious irregularity at Ministerial/Board or NDPB CE level.


Compliance/Regulatory/Legal
• Minor: Breach of local procedures not requiring external intervention/sanction.
• Moderate: Breach of National Procedures/Standards. Potential for minor legal challenge to DE.
• Significant: Breach of subordinate legislation. Failure to comply with relevant guidance results in expenditure being deemed irregular. Potential for moderate legal challenge to DE.
• Major: Breach of Primary legislation. Potential for significant legal challenge to DE; likelihood that damages will be awarded against DE or changes will be required to subordinate legislation to ensure compliance.
• Critical: Breach of national or international statutory duties. Legal challenge which halts delivery of policy. Major damages awarded against DE or changes will be required to primary legislation to ensure compliance.

Security
• Minor: Non-notifiable or reportable incident.
• Moderate: Localised incident. No effect on operations.
• Significant: Localised incident. Significant effect on operations.
• Major: Significant incident involving multiple locations.
• Critical: Extreme incident seriously affecting continuity of operations.

Health & Well-being
• Minor: Isolated incident – no significant health impact.
• Moderate: Small number of minor injuries requiring first aid treatment.
• Significant: Compensatable injury/stress.
• Major: Serious injury/stress resulting in hospitalisation. Possible fatalities. Local Child Protection issue.
• Critical: Fatality. Widespread Child Protection issue.


Reputational
• Minor: Minor adverse publicity in local media. Event that will lead to public criticism by external stakeholders, as anticipated.
• Moderate: Significant adverse publicity in local media. Increased Assembly/Westminster scrutiny. Event that may lead to widespread public criticism.
• Significant: Significant Assembly/Westminster scrutiny. Formal communication required with public. Significant adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a short period.
• Major: Oral Statement required in Assembly. Sustained adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a sustained period or at a critical moment.
• Critical: Ministerial/Board/CE (NDPB)/Senior Management resignation/removal. Incompetence/maladministration or other event that will destroy public trust or a key relationship.


Risk Evaluation – Likelihood

Descriptor and detailed description:

1. Unlikely (low): up to 10% chance of occurrence. May occur only in exceptional circumstances. Has never occurred before within the remit of DE or any other Department. Unlikely to occur during the lifespan of the policy/programme/project/operation.

2. Remote (low-medium): 11-30% chance of occurrence. Might conceivably occur at some time. More likely not to occur than to occur. Has not occurred recently within the remit of DE or any other Department. There is a small chance that this may occur at some stage during the lifespan of the policy/programme/project/operation.

3. Possible (medium): 31-59% chance of occurrence. Could occur at some time. Has occurred recently within the remit of another Department. Might occur at some stage during the lifespan of the policy/programme/project/operation.

4. Probable (medium-high): 60-84% chance of occurrence. Will probably occur in most circumstances. More likely to occur than not to occur. Has occurred recently within the remit of DE or another Department. Likely to occur within the next 1-2 years or during the lifespan of the policy/programme/project/operation.

5. Almost Certain (high): 85%+ chance of occurrence. Is expected to occur in most circumstances. This is known to occur in similar projects and programmes. Happens frequently within the remit of DE or other Departments. Highly likely to occur within the financial year or lifespan of the policy/programme/project/operation, probably early on and possibly more than once.


Escalation Triggers

In order to ensure that risks are being managed at an appropriate level, there are a number of trigger points where risks should be escalated to specified levels of management as they approach or exceed their agreed risk appetite. These are set out below. However, in all cases where a risk is assessed as 'Orange', it should be brought to the attention of the DE Board. In all cases where a risk is assessed as 'Red', it should be brought to the attention of the DE Board and Minister.

Risk Assessment Matrix (score = impact score x likelihood score)

Impact \ Likelihood    1 Unlikely    2 Remote    3 Possible    4 Probable    5 Almost Certain
                       (up to 10%)   (11-30%)    (31-59%)      (60-84%)      (85%+)
Critical (5)               5            10           15            20             25
Major (4)                  4             8           12            16             20
Significant (3)            3             6            9            12             15
Moderate (2)               2             4            6             8             10
Minor (1)                  1             2            3             4              5


Escalation Triggers

Risk Category: Health and Well-being
Risk Appetite: Averse
Acceptable Range (up to and including): Green
Escalation: Risks should be elevated to Director level for consideration if assessed as Amber or higher.

Risk Category: Financial/VFM Risks; Compliance/Legal/Regulatory Risks; Information and Security
Risk Appetite: Modest/Cautious
Acceptable Range (up to and including): Amber
Escalation: Risks should be elevated to Director level if assessed as Amber or higher.

Risk Category: Operational and Policy Delivery Risks; Reputation and Credibility
Risk Appetite: Open/Hungry
Acceptable Range (up to and including): Orange
Escalation: Regardless of the risk appetite, the DE Board should be made aware of any Directorate risks assessed as Orange, and contingency plans should be developed.

Acceptable Range: Red
Escalation: Regardless of the risk appetite, the DE Board and Minister should be made aware of any Directorate risks assessed as Red and advised immediately of any early warning signals that the risk may be realised. Contingency plans should also be developed and tested.


Example

• Team A identifies a risk to health and well-being that is assessed as having a residual risk score of 12. On the risk assessment matrix, 12 = Orange.
• The Department's risk appetite for risks to Health and Well-being is described as 'Averse'. Risks to Health and Well-being are therefore only at an acceptable level when they are assessed as 'Green'. Any risks in an area for which the Department's risk appetite is 'Averse' and which are assessed as higher than 'Green' should therefore be referred to the Director for consideration.
• In addition, any risks on the Directorate Risk Register which are assessed as 'Orange' should be drawn to the attention of the DE Board.
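The DE scheme above is a small but complete algorithm: a 1-5 impact score multiplied by a 1-5 likelihood score, a colour band derived from the product, and escalation rules that combine the colour with the category's risk appetite. The following is an added worked example written for this page; it is not code from the NIAO report or from the Department of Education. The scores, likelihood percentage bands, appetite ceilings and escalation rules are taken from Appendix 7. Two things are assumptions because the page does not state them: the score-to-colour thresholds (the page confirms only that a score of 12 is Orange), and the category-to-appetite mapping, which is read from the layout of the escalation-triggers table.

```python
"""Risk scoring and escalation for the DE 5x5 impact/likelihood matrix (Appendix 7).

Added worked example, not code from the NIAO report or the Department of Education.
ASSUMED (not on the page): the score-to-colour thresholds in COLOUR_BANDS and the
category-to-appetite mapping in CATEGORY_APPETITE.
"""

# Impact and likelihood descriptors with their 1-5 scores (Appendix 7).
IMPACT = {"Minor": 1, "Moderate": 2, "Significant": 3, "Major": 4, "Critical": 5}
LIKELIHOOD = {"Unlikely": 1, "Remote": 2, "Possible": 3, "Probable": 4, "Almost Certain": 5}

# Upper bound, in percent chance of occurrence, of each likelihood band (Appendix 7).
LIKELIHOOD_BANDS = [(10, "Unlikely"), (30, "Remote"), (59, "Possible"),
                    (84, "Probable"), (100, "Almost Certain")]

# ASSUMED score-to-colour bands (upper bound inclusive); the page only confirms 12 = Orange.
COLOUR_BANDS = [(4, "Green"), (9, "Amber"), (16, "Orange"), (25, "Red")]
COLOUR_RANK = {"Green": 0, "Amber": 1, "Orange": 2, "Red": 3}

# Acceptable range, "up to and including", for each appetite (Appendix 7 escalation triggers).
APPETITE_CEILING = {"Averse": "Green", "Modest/Cautious": "Amber", "Open/Hungry": "Orange"}

# Category -> appetite: ASSUMED reading of the escalation-triggers table layout.
CATEGORY_APPETITE = {
    "Health and Well-being": "Averse",  # the only pairing the page's worked example confirms
    "Financial/VFM": "Modest/Cautious",
    "Compliance/Legal/Regulatory": "Modest/Cautious",
    "Information and Security": "Modest/Cautious",
    "Operational and Policy Delivery": "Open/Hungry",
    "Reputation and Credibility": "Open/Hungry",
}


def likelihood_descriptor(percent):
    """Map a percentage chance of occurrence to its DE likelihood descriptor."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    for upper, name in LIKELIHOOD_BANDS:
        if percent <= upper:
            return name
    raise AssertionError("unreachable: 100 is covered by the last band")


def risk_score(impact, likelihood):
    """Score = impact x likelihood, the product the Appendix 7 matrix tabulates."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def colour(score):
    """Colour band for a matrix score (assumed thresholds, see COLOUR_BANDS)."""
    if not 1 <= score <= 25:
        raise ValueError("score must be between 1 and 25")
    for upper, name in COLOUR_BANDS:
        if score <= upper:
            return name
    raise AssertionError("unreachable: 25 is covered by the last band")


def escalation(category, score):
    """Management levels a risk must be escalated to, in the order Appendix 7 applies them.

    Above the category's acceptable range -> Director; any Orange -> DE Board
    (with contingency plans); any Red -> DE Board and Minister.
    """
    band = colour(score)
    ceiling = APPETITE_CEILING[CATEGORY_APPETITE[category]]
    levels = []
    if COLOUR_RANK[band] > COLOUR_RANK[ceiling]:
        levels.append("Director")
    if band == "Orange":
        levels.append("DE Board")
    elif band == "Red":
        levels.extend(["DE Board", "Minister"])
    return levels


def assess(category, impact, likelihood_percent):
    """Assess one residual risk from an impact descriptor and an estimated chance of occurrence."""
    likelihood = likelihood_descriptor(likelihood_percent)
    score = risk_score(impact, likelihood)
    return {
        "likelihood": likelihood,
        "score": score,
        "colour": colour(score),
        "escalate_to": escalation(category, score),
    }


if __name__ == "__main__":
    # Team A's risk from the page: Health and Well-being, residual score 12 (Major x Possible).
    print(assess("Health and Well-being", "Major", 45))
    # An Orange Information and Security risk reaches the Board despite the looser appetite.
    print(assess("Information and Security", "Critical", 20))
    # Amber sits inside the Modest/Cautious ceiling, so nothing is escalated.
    print(assess("Information and Security", "Significant", 30))
```

The ordering of the colour test in `escalation` matters: the Director referral depends on the appetite of the category, whereas the Board and Minister triggers are applied "regardless of the risk appetite", so they are checked on the colour alone and never suppressed by a hungrier appetite.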


Appendix 8 HM Treasury Orange Book – Model of risk appetite (paragraph 3.17)

Risk appetite can be further analysed into the following categories:

Corporate risk appetite is the overall amount of risk judged appropriate for an organisation to tolerate (point A). This may not be just one statement: the Office of Government Commerce (OGC), for example, looks at 5 key risk areas (policy/guidance risk; people and internal systems risk; propriety, regularity, finance and accountability risk; reputation risk; external risk) and makes a statement on risk appetite for each. The Board and senior managers should judge the tolerable range of exposure for the organisation and identify general boundaries for unacceptable risk (or at least for risks that should always be referred to/escalated up to the Board for discussion and decision when they arise). In doing this the Board may want to take Ministerial views on risk-taking into account.

Delegated risk appetite: the agreed corporate risk appetite can then be used as a starting point for cascading levels of tolerance down the organisation, agreeing risk appetite in different levels of the organisation (point B). The anticipated effect is that what is considered a high level of risk will become a lower level of risk to a higher level of management. This facilitates both a risk escalation process for the taking of risk decisions when delegated boundaries are met and empowers people to innovate within their delegations.

[Figure: the Orange Book model of risk appetite, cascading across the Strategic, Programme and Operational levels. A. Define risk appetite; B. Identify responses to manage risks; C. Report risks (outside tolerance level); D. Agree responses, potentially including reviewing risk appetite. Set and communicate general tolerances for risks.]

Project risk appetite: projects that fall outside of the day-to-day business of an organisation may need their own statement of risk appetite. Different types of projects may require different levels of risk appetite; for example an organisation may be prepared to accept a higher level of risk for a project that would bring substantial reward.

Different types of project could be:

• Speculative (akin to venture capitalism in the corporate sector): with high risks but potentially high rewards, e.g. Invest to Save Budget projects; pilot projects. It may be that the bulk of these projects are unsuccessful but important lessons are learnt;
• Standard development projects: for example IT, procurement, construction, etc; and
• Mission critical projects: where organisations need to be sure of success.

The level of risk appetite will obviously vary, with a speculative project prepared to take on higher levels of risk than a "Mission Critical" project.

Effective management and application of delegated risk appetite requires escalation processes. It is possible to set 'trigger points' where risks can be escalated to the next level of management as they approach or exceed their agreed risk appetite levels (point C). The next level up in the hierarchy would then take appropriate action, which may mean managing the risk directly, or could mean adjusting the level of risk that they are happy for the level below to manage (point D). It is also often the case that a higher level of management, with a wider portfolio of risk to manage, has more scope to accept higher risks in particular areas as they can offset them against other lower risks in their portfolio.


Appendix 9 Strategic Investment Board – Fraud risk assessment (paragraph 3.28)

Columns: ID; Risk; Impact; Countermeasures; Notes.

1. Suppliers may submit fraudulent invoices.
Impact: HIGH.
Countermeasures: requirement for payment authorisation by responsible adviser/manager; requirement for approved business cases to support all expenditure.
Notes: payments audited annually; system subject to internal audit in Sept 2008.

2. Finance staff may abuse systems for personal gain.
Impact: HIGH.
Countermeasures: dual authorisation of all payments; separation of duties; rotation of staff; insistence on Finance staff taking full leave entitlement, including at least one break of more than one week's duration.
Notes: systems audited annually.

3. Temporary workers submit improperly completed timesheets.
Impact: LOW.
Countermeasures: checks made against MyHours and IT system log-in and log-out records; timesheets authorised by supervisor; rates checked by HR Manager; invoices checked by Finance staff.

4. Improper claims for travel and subsistence.
Impact: LOW.
Countermeasures: all claims require authorisation.
Notes: claims audited annually; Internal Audit Report 2008.

5. Improper overtime claims.
Impact: LOW.
Countermeasures: requirement for prior approval from line manager; all claims require line management approval; checks made by HR Manager against MyHours and IT system log-in and log-out records.
Notes: only administrative staff can claim for paid overtime.

6. Staff may abuse corporate credit cards.
Impact: LOW.
Countermeasures: fully itemised expense claims required for all expenditure using corporate credit cards; low expenditure limits.
Notes: Internal Audit Report 2008.


Appendix 10 OFMDFM stewardship statements pro forma (paragraph 4.5)

Business area:

Report period:

Scope of responsibility

As the [Senior Officer] responsible for [ ] Directorate/Division, I have responsibility for maintaining a robust system of internal control that supports the achievement of OFMDFM's policies, aims and objectives, whilst safeguarding the public funds and Departmental assets for which I am responsible.

The OFMDFM system of internal control has been in place and adhered to for the period of this report in the business area for which I am responsible and accords with Department of Finance and Personnel guidance.

Capacity to handle risk

My Directorate/Division is carrying out appropriate procedures to ensure that it identifies its objectives and risks and a control strategy has been devised for each of the significant risks. As a result, risk ownership has been allocated to appropriate staff.

Acknowledgement of ownership

I acknowledge my responsibility for managing corporate and key Directorate/Divisional risks and for monitoring those risks assigned to members of my management team. This statement has been informed following a thorough assessment of risk and control in my business area undertaken by each Head of Division/Branch against each of the following risk factors as appropriate (outlined in OFMDFM guidance):

• business planning;
• legislative and other authorities;
• business cases (including economic appraisal, post project evaluation and consultancy);
• consultancy;
• forecasting and monitoring of expenditure;
• procurement;
• information assurance;
• staff (including absence, gifts & hospitality);
• ALBs, NDPBs and Third Party Organisations;
• internal & external audit reports; and
• other significant issues.

Risk management status

I am satisfied that the controls in place to manage risks for which I am responsible are appropriate. They provide reasonable assurance that the risk will not occur or, if it does occur, that it will be detected and corrected in sufficient time to reduce the impact of the risk to tolerable or negligible levels.

Significant internal control problems

[Insert details of significant internal control problems of which the signatory is aware and the action taken to rectify these]

Head of Directorate / Division

Date:

NIAO Reports 2010-2011

Date Published  Title

2010

24 March 2010  Campsie Office Accommodation and Synergy e-Business Incubator (SeBI)
1 April 2010  Organised Crime: developments since the Northern Ireland Affairs Committee Report 2006
1 April 2010  Memorandum to the Committee of Public Accounts from the Comptroller and Auditor General for Northern Ireland: Combating organised crime
19 May 2010  Improving public sector efficiency - Good practice checklist for public bodies
26 May 2010  The Management of Substitution Cover for Teachers: Follow-up Report
16 June 2010  Measuring the Performance of NI Water
28 June 2010  Schools' Views of their Education and Library Board 2009
30 June 2010  General Report on the Health and Social Care Sector by the Comptroller and Auditor General for Northern Ireland – 2009
7 July 2010  Financial Auditing and Reporting - Report to the Northern Ireland Assembly by the Comptroller and Auditor General 2009
25 August 2010  School Design and Delivery
6 September 2010  Report on the Quality of School Design for NI Audit Office
8 September 2010  Review of the Health and Safety Executive for Northern Ireland
15 September 2010  Creating Effective Partnerships between Government and the Voluntary and Community Sector
27 October 2010  CORE: A case study in the management and control of a local economic development initiative
8 December 2010  Arrangements for Ensuring the Quality of Care in Homes for Older People
14 December 2010  Examination of Procurement Breaches in Northern Ireland Water
22 December 2010  General Report by the Comptroller and Auditor General for Northern Ireland - 2010

2011

26 January 2011  Compensation Recovery Unit – Maximising the Recovery of Social Security Benefits and Health Service Costs from Compensators
16 February 2011  National Fraud Initiative 2008-09
23 February 2011  Uptake of Benefits by Pensioners
2 March 2011  Safeguarding Northern Ireland's Listed Buildings
9 March 2011  Reducing Water Pollution from Agricultural Sources: The Farm Nutrient Management Scheme
16 March 2011  Promoting Good Nutrition through Healthy School Meals
25 May 2011  Continuous improvement arrangements in the Northern Ireland Policing Board

Printed in the UK for the Stationery Office on behalf of the Northern Ireland Audit Office PC296205/11
