Scottish Children’s Reporter Administration
Developing SCRA’s approach to Risk Management – Phase 1 February 2015
SCRA (February 2015) Audit Committee: Item 9.5
Introduction 1
Summary of findings 2
Appendix 1 – Progress against outstanding actions 5
Appendix 2 – Gap Analysis 7
Appendix 3 – Options for development 13
Appendix 4 – Diagrams 15
Appendix 5 – Management Action Plan 16
scott-moncrieff.com Scottish Children’s Reporter Administration Developing SCRA’s approach to Risk Management – Phase 1 1
Introduction
This paper sets out the results of our high-level review of SCRA’s risk management arrangements.
Background
Throughout our appointment as internal auditors to SCRA, we have identified areas where SCRA could
enhance its approach to risk management across the organisation. Whilst SCRA’s management has taken
steps to address these issues there are still a number of outstanding risk management related audit actions.
We have set out the progress against each of the outstanding recommendations at Appendix 1.
Management asked us to develop a discussion paper to set out options for SCRA to further develop and
embed its approach to risk management throughout the organisation. We presented our paper on Developing
SCRA’s approach to Risk Management to the Audit Committee in May 2014. The paper set out three overall
options which could be pursued by SCRA. The Audit Committee approved option one, which was a high-level
review of SCRA’s risk management arrangements against internationally recognised best practice.
This report sets out the results from our review, as well as recommendations to further develop SCRA’s risk
management arrangements.
Approach
We have performed a high-level review of SCRA’s risk management arrangements. This included a preliminary assessment of SCRA’s risk maturity. We then benchmarked SCRA’s risk management arrangements against ISO 31000. ISO 31000, Risk management – Principles and guidelines, provides principles, a framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
The findings from our review are set out below in the summary of findings.
Summary of findings
Conclusion
SCRA is at a stage where it has taken some action to address the weaknesses previously identified in its risk
management arrangements. However, as shown through this review and our discussions with relevant staff,
further work is required to help embed risk management throughout the organisation. We have set out in
Appendix 3 and the Findings and recommendations section below, some further options for development of the
risk management process. These aim to identify practical ways in which good practice arrangements can be
applied consistently, and within the limitations of the resources available.
The majority of the previous internal audit recommendations that related to risk management have been superseded by the issues raised through this report (see Appendix 1).
Findings and recommendations
1. Risk Management Strategy
SCRA has a Risk Management Policy in place, which was approved by the Board in June 2012. The Policy
provides high-level guidance on SCRA’s risk management arrangements, as well as SCRA’s risk appetite and
the day-to-day operation of strategic and operational risk registers. However, SCRA does not have a Risk
Management Strategy in place. A risk management strategy would set out the long term vision of SCRA’s risk
management arrangements, recognising the strengths and weaknesses of current arrangements, whilst setting
out practical objectives for the development of SCRA’s risk management arrangements within the limitations of
the resources that are available.
Recommendation:
A Risk Management Strategy could be developed to help SCRA articulate its long term vision and objectives for
the risk management process. However, in practice, this could be done by expanding upon the existing risk
management policy. This will help SCRA align risk management with SCRA’s corporate strategy and help to
ensure that any developments can be managed in a planned and coordinated manner.
Linked to the development of the strategy/revised policy is the need to incorporate a risk management training needs analysis as part of the annual training plan process. This needs to be an ongoing process to ensure that the key concepts of good practice risk management are adopted and applied consistently across the organisation.
Risk Management Policy Gap Analysis
We have performed a review of SCRA’s Risk Management Policy against ISO 31000. We have concluded that
SCRA has a robust Risk Management Policy in place, although some further improvements have been
identified which would help ensure it is aligned to recognised good practice and standards. The potential
improvements have been set out at Appendix 2.
Recommendation:
Consider updating the Risk Management Policy in line with the gap analysis at Appendix 2. By adopting the
areas suggested, this will ensure that there is clarity regarding key risk management concepts and theory. It
will also ensure that the policy is aligned to good practice and a recognised risk management standard. To
assist SCRA in improving its risk management policy, we have highlighted the key areas for development.
Furthermore, to address a previous internal audit recommendation, the policy should also be updated to set out
the organisation’s expectations for each business area/locality, in terms of the risk identification and evaluation
tools that should be applied and their frequency.
2. Risk appetite
The Scottish Public Finance Manual describes the concept of risk appetite as: “key to achieving effective risk management and it is essential to consider it before moving on to consideration of how risks can be addressed”.
SCRA has taken steps to define and apply its risk appetite. The SCRA Risk Management Policy includes an
outline of SCRA’s risk appetite as well as standard risk appetite definitions, ranging from “risk averse” to “risk
hungry”, in line with HM Treasury guidance on Managing your risk appetite: A practitioner’s guide. Target risk
scores are also identified for each risk, so that mitigating actions are focused on reducing risk to an appropriate
level.
SCRA has also agreed its risk appetite for different risk categories, such as strategic/policy risks, finance risks,
and accountability/governance risks. However, as risk appetite is fundamental to the risk management
process, it is important that it is regularly reviewed to ensure that it is meaningful, appropriate and responsive to
changes to the organisation’s risk profile. SCRA’s risk appetite was agreed by the Board in June 2012, but has
not been reviewed since then.
Recommendation:
The SCRA Board should review its risk appetite to determine if this is still appropriate. Appetite levels should
thereafter be subject to regular review, at least annually.
In addition, SCRA may wish to further enhance its risk appetite by agreeing risk appetites for different levels
within the organisation. For example, the current risk categories are clearly linked to key strategic matters.
However, this could be further refined to provide an appetite for risks which are delegated to locality and project
level. Such operational/project level risk appetites can then be compared to the agreed appetites as defined by
the Board; and thereafter, overseen by senior management to help identify key risk areas/themes. This may
help to embed risk management processes throughout the organisation by reflecting that risk responses and
tolerances will change depending on the context of the risk and/or the nature of different operational teams and
groups.
3. Risk register action plans
Where a residual risk score is not aligned with SCRA’s risk appetite the risk owner must identify appropriate
actions and timescales to further mitigate the risk so that the residual risk score is equal to the target risk score.
There is a column within SCRA’s updated risk register template to record this. However, from a review of
SCRA’s Strategic Risk Register and Operational Risk Register, we noted that although there are some
mitigating actions listed, there were rarely timescales or action owners, and some of the actions were
statements rather than actions.
Recommendation:
SCRA should ensure that risk mitigating actions, timescales, and action owners are captured either through the
risk registers, or through supporting action plans which are then subsequently referred to in the risk registers.
This will help ensure that risk mitigating actions are implemented in a timely manner. Where actions are not
implemented as expected, it will provide a clearer mechanism for action owners to be held accountable by
senior management and/or the Board.
4. Locality risk management arrangements
Each locality has an annual Locality Plan in place. The locality plan identifies the risks to achieving the plan, and these risks are then added to the locality risk register. Per the Risk Management Policy, the locality risks should be formally reviewed and assessed quarterly. However, from our desktop review it is unclear how consistently the risk management procedures are applied across each locality and whether the risk management framework is used as an effective management tool. From discussions held, we understand that SCRA wants to further develop risk management within individual localities in order to “make it real”.
Recommendation:
We have set out at Appendix 3 options to develop the operational risk management process at SCRA, which are in line with our initial risk options paper.
A Risk Management Group should be established within SCRA to take forward the development of risk management arrangements within localities. We have identified some suggested areas for inclusion in the group’s remit:
• The group should comprise representatives from each locality and business area, to act as champions for risk issues and provide advice on the application of SCRA’s risk management policy;
• Risk leads to coordinate operational and locality input to risk registers, identifying and sharing good practice and providing periodic summaries and reports to the group for monitoring and review purposes;
• The group to meet regularly throughout the year to provide oversight of operational and locality risk management arrangements;
• The group to consider whether risks are being adequately managed within agreed appetites and tolerances;
• The group to make recommendations to senior management regarding the escalation of specific operational risk matters which can no longer be managed within the resources allocated at operational/locality level; and
• Risk leads to ensure that each business area and locality is regularly carrying out risk identification and assessment exercises, so that risk registers are accurate and up to date.
The ability of the group to understand and apply best practice would be essential. We therefore recommend that the Risk Management Group is provided with initial training and support through facilitated training sessions delivered by Scott-Moncrieff.
Furthermore, locality level risk identification and evaluation workshops should be carried out periodically to
ensure that the SCRA risk management policy is applied, and that a risk aware culture is embedded throughout
the organisation. We therefore propose that Scott-Moncrieff facilitate an initial locality risk identification
workshop with members of the Risk Management Group, with a focus on developing a locality risk register
(including both generic and specific locality risks), which can then be rolled out by the RMG to each locality,
with the support of the Head of Finance and Resources and the Executive Assistant.
Appendix 1 – Progress against outstanding actions
The following table provides a summary of management’s progress against the outstanding risk management actions:

Review: Strategic and Operational Planning (2010/11)
Action: Expanding risk management training.
Progress to date: Recommendation partly addressed. Training is an ongoing matter; however, Locality Managers have now been provided with risk management training. However, the identification of risk management training needs should be incorporated as part of the annual training plan cycle – see Recommendation 1 above.

Review: Corporate Governance and Risk Management (2012/13)
Action: Embedding risk management – locality risk registers.
Progress to date: Recommendation superseded. Each locality must have an annual locality plan in place. The locality plan will set out the aims and objectives of the locality for the year ahead. The locality must then identify the risks to achieving the objectives. The risks are then added to a locality risk register. However, as noted in the main body of the report, it is unclear how consistent the risk management arrangements are across each locality and whether the risk management arrangements are as dynamic as the Risk Management Policy suggests they should be. Recommendations to develop locality level risk management processes are set out in Recommendation 5 above.

Review: Corporate Governance and Risk Management (2012/13)
Action: Risk identification and evaluation tools.
Progress to date: Recommendation superseded. The Risk Management Policy states that it is the responsibility of groups/teams to identify risks. A workshop approach is often an effective tool for identifying risk and this is referred to within the policy. However, there is little evidence that this approach is used by each group/team. The policy should therefore be updated to set out the expectations for each group/team in terms of the risk identification and evaluation tools that should be applied and their frequency. See Recommendation 2.

Review: Localities Review (2013/14)
Action: Risk management procedures in localities/risk workshops.
Progress to date: Recommendation superseded. Each locality must have an annual locality plan in place. The locality plan will set out the aims and objectives of the locality for the year ahead. The locality must also identify the risks to achieving the objectives. The risks are then added to a locality risk register. However, as noted in the main body of the report, it is unclear how consistent the risk management arrangements are across each locality and whether the risk management framework is used as an effective management tool. Recommendations to develop locality level risk management processes are set out in Recommendation 5 above.
Appendix 2 – Gap Analysis
We have found that SCRA’s risk management arrangements are generally compliant with ISO 31000. Our areas for further improvement are set out below. Each entry gives the ISO 31000 section number and section name, the description taken from the standard, the possible improvements, and the Scott-Moncrieff prioritisation (* denotes a key area).

2.1 Terms & Definitions: Risk *
Description: A risk is the effect of uncertainty on objectives.
Possible improvements: The definition of a risk should be added to Section 1 of SCRA’s Risk Management Policy.

2.15 Terms & Definitions: Risk identification *
Description: Risk identification is the process of finding, recognising and describing risks.
Possible improvements: Risks should be described using the following methodology: There is a risk of X, resulting in Y, which will have an impact on Z. The criteria should be added to Section 7 of SCRA’s Risk Management Policy and SCRA’s risk registers updated.

2.17 Terms & Definitions: Event *
Description: An event is the occurrence or change of a particular set of circumstances.
Possible improvements: The description of an event should be included within SCRA’s Risk Management Policy.

2.25 Terms & Definitions: Risk treatment
Description: Risk treatment is the process to modify risk.
Possible improvements: SCRA should use the TARA (Transfer, Avoid, Reduce, Accept) methodology to categorise its risk treatment strategies. Appendix 3 of the Risk Management Policy should be updated to provide the definition of each risk treatment strategy as well as when each should be adopted. The Risk Owner should be asked to include their chosen risk treatment (Transfer, Avoid, Reduce, Accept) in the risk register.

2.27 Terms & Definitions: Residual risk *
Description: Residual risk is the risk remaining after the risk treatment.
Possible improvements: SCRA’s Risk Management Policy should be updated to explicitly define residual risk, as well as demonstrate how it is calculated.

2.28 Terms & Definitions: Monitoring *
Description: Monitoring is continually checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
Possible improvements: SCRA’s Risk Management Policy should set out that Risk Owners are expected to monitor controls and use known intelligence (such as internal audit findings) to assess the strength of controls and adjust the risk assessment accordingly.

3 (a) Principles: Risk management creates and protects value
Description: Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
Possible improvements: Section 2.3 of the Risk Management Policy should be expanded to include this key principle of risk management.

3 (e) Principles: Risk management is systematic, structured and timely
Description: A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
Possible improvements: Section 2 of the Risk Management Policy should include this definition.

3 (f) Principles: Risk management is based on the best available information
Description: The inputs to the process of managing risks are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
Possible improvements: Section 2 of the Risk Management Policy should include this definition.

3 (h) Principles: Risk management takes human and cultural factors into account
Description: Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation’s objectives.
Possible improvements: Section 2 of the Risk Management Policy should include this definition.

3 (j) Principles: Risk management is dynamic, iterative and responsive to change
Description: Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
Possible improvements: Section 2.3 of the Risk Management Policy should be expanded to include this key principle of risk management.

4 Framework: Relationship between the components of the framework for managing risk *
Description: See Diagram 1 at Appendix 4.
Possible improvements: Diagram 1 per Appendix 4 should be added to SCRA’s Risk Management Policy.

4.3.1 Framework: Understanding of the organisation and its context
Description: Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organisation, since these can significantly influence the design of the framework.
Possible improvements: Section 2 of the Risk Management Policy should be updated to include how SCRA’s risk management framework was designed, taking account of internal and external factors.

4.3.6 Framework: Establishing internal communications and reporting mechanisms
Description: The organisation should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk.
Possible improvements: Section 3 of the Risk Management Policy should outline how staff have been made aware of the Policy.

5 Process: Risk management process *
Description: See Diagram 2 at Appendix 4.
Possible improvements: Diagram 2 per Appendix 4 should be added to SCRA’s Risk Management Policy.

5.5.1 Risk treatment: General
Description: Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.
Possible improvements: Appendix 3 of the Risk Management Policy should be updated to define the risk treatment options (Transfer, Avoid, Reduce, and Accept).

5.5.2 Risk treatment: Selection of risk treatment options
Description: When selecting the risk treatment options, the organisation should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them.
Possible improvements: SCRA should liaise with stakeholders where risk treatment options will affect them, and this requirement should be emphasised in the Risk Management Policy.

5.5.2 Risk treatment: Selection of risk treatment options
Description: The risk treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.
Possible improvements: Action owners should be asked to prioritise risk mitigating actions according to their importance. This could be captured through the risk registers.
Appendix 3 – Options for development
The following options are taken from our original paper on Developing SCRA’s approach to risk management. These options still remain relevant and could be used to help SCRA address the issues set out above.
Option 1: Enhancing strategic risk management
The board of every public body is responsible for overseeing the risk management arrangements of an
organisation. The board, each committee and every member of staff have a role to play in embedding a culture
of risk management within an organisation.
We can provide a programme of facilitated workshops to help an organisation review and revise its risk
management arrangements. The purpose of these workshops is to enable board members and members of an
organisation’s senior management to consider its risk management arrangements and to identify additional
risks which could impact on the delivery of its strategic objectives. The workshop provides the opportunity for a
body to consider how this can be achieved over the medium and longer term.
The workshop can be used to not only identify the key risks to an organisation but also to:
• Review and reaffirm the reporting framework which allows the Audit Committee and senior
management to receive regular reports and assurance on risk management arrangements; and
• Continue the process of embedding risk management and risk awareness of board members and
senior management.
An effective risk management framework should be designed to support the delivery of an organisation’s strategic objectives. The framework and the risk strategy must promote widespread understanding of risk across the organisation, assist staff to effectively assess and mitigate risk, and support continuous improvement.
The workshops will ensure SCRA has a robust risk management framework with a high level strategic risk
register. We will help SCRA confirm the risks which could prevent the organisation from achieving its strategic
objectives. We will support the Board in setting the likelihood of the risk occurring and the impact it would have
on SCRA if there were no controls in place (raw risk). It also sets out the likelihood of each risk occurring and
the impact the risk would have on SCRA given the controls in place (residual risk).
The workshops will also look at risk appetite. This is an area often not fully developed in many public sector
organisations. The board of every public body is responsible for describing its attitude to risk, often known as
its risk appetite. Risk appetite can be defined as the level of risk the board is willing to take in pursuit of its
objectives. Risk appetite varies for every organisation and varies within an organisation for different types of
risks and over time.
As part of the workshop we will assess board members’ and management’s perceived levels of current risk
taking in the organisation. These will be assessed across five categories of risk as defined by recognised
national risk management guidance.
Following the risk workshop, we will produce a tailored report setting out the findings and issues identified
through the workshop. Our report will be directly targeted to support the management team develop a revised
risk management policy and develop an enhanced strategic risk register. Our report can also outline what
changes and improvements need to be made to current controls to bring risk levels in line with the agreed risk
appetites.
Management can use our findings to develop a programme setting out the prioritisation and timescales for implementing the changes and improvements to controls. This can then be agreed with the Audit Committee, who should then monitor and seek assurance that all risks are being managed within the agreed risk appetites.
Option 2: Embedding risk management at an operational level
To support the effective management of risk at a strategic level, SCRA must have effective risk management arrangements throughout the organisation. In our review of localities, we found that risk management arrangements have consistently been underdeveloped or inconsistent.
We would deliver a series of workshops with SCRA’s localities. These workshops will be used to develop
consistent risk management frameworks within each locality. We will also help operational management to
understand how to identify risks and, where appropriate, to escalate risks to the strategic risk register.
It is essential that the Board's attitude to risk is communicated to the whole organisation. This attitude should
be reflected in the prioritisation of policies, work streams, programmes, projects, operational service delivery,
and the funding that goes with them.
The workshops will identify operational management’s view on the current levels of risk taking in the organisation and consider the implications, from a management perspective, of implementing the Board’s risk appetite.
We will use the sessions with locality managers to identify where SCRA may need to make changes to existing
control arrangements. For example, there may be areas where risks are currently over-controlled and where
efficiencies could therefore be generated by reducing controls. In other areas, controls may need to be
strengthened, e.g. where more innovative or high risk programmes and projects are undertaken. In these
areas, the likelihood of success may be uncertain and/or long term but where the potential rewards, in terms of
positive outcomes, could be great. Managing risks in these areas will therefore require robust controls over
programme and project planning, approval, reporting, monitoring and evaluation, as well as effective
stakeholder engagement.
Following the operational risk workshops we will produce a report outlining the findings of the workshop and
identifying key issues to be addressed. We will provide clear actions on how SCRA could develop its control
environment to reflect the Board’s risk management approach and defined risk appetite.
Appendix 4 – Diagrams
Diagram 1: Relationship between the components of the framework for managing risk. The diagram is not reproduced here; its components are:
Mandate and commitment
Design of framework for managing risk:
• Understanding the organisation and its context
• Establishing the risk management policy
• Accountability
• Integration into organisational processes
• Resources
• Establishing internal communication and reporting mechanisms
• Establishing external communication and reporting mechanisms
Implementing risk management:
• Implementing the framework for managing risk
• Implementing the risk management process
Monitoring and review of the framework
Continual improvement of the framework

Diagram 2: Risk management process. The diagram is not reproduced here; its components are:
Communication and consultation
Establishing the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Monitoring and review
Appendix 5 – Management Action Plan The following table provides a summary of the recommendations and response from management:
Recommendation Management Response Actioned by/ Implementation date
1. Risk Management Strategy
a) A Risk Management Strategy could be
developed to help SCRA articulate its
long term vision and objectives for the
risk management process. However,
in practice, this could be done by
expanding upon the existing risk
management policy. This will help
SCRA align risk management with
SCRA’s corporate strategy and help to
ensure that any developments can be
managed in a planned and
coordinated manner.
b) Linked to the development of the
strategy/ revised policy, is the need to
incorporate a risk management
training needs analysis as part of the
annual training plan process. This
needs to be an ongoing process to
ensure that the key concepts of good
practice risk management are adopted
and applied consistently across the
organisation.
a) Agreed. The Risk Management
will be expanded to include
vision and objectives for the risk
management process.
b) Agreed. Risk management
training needs analysis will be
incorporated into the annual
training plan process.
a) Head of Finance
and Resources.
June 2015.
b) Head of Finance
and Resources.
March 2016
2. Risk Management Policy Gap Analysis

Recommendation:
Consider updating the Risk Management Policy in line with the gap analysis at Appendix 2. Adopting the areas suggested will ensure that there is clarity regarding key risk management concepts and theory. It will also ensure that the policy is aligned to good practice and a recognised risk management standard. To assist SCRA in improving its risk management policy, we have highlighted the key areas for development. Furthermore, to address a previous internal audit recommendation, the policy should also be updated to set out the organisation’s expectations for each business area/locality, in terms of the risk identification and evaluation tools that should be applied and their frequency.

Management Response:
Agreed. The policy will be updated to set out risk management expectations of business areas/localities.

Actioned by / Implementation date:
Head of Finance and Resources. June 2015.
3. Risk Appetite

Recommendation:
a) The SCRA Board should review its risk appetite to determine whether it is still appropriate. Appetite levels should thereafter be subject to regular review, at least annually.
b) In addition, SCRA may wish to further enhance its risk appetite by agreeing risk appetites for different levels within the organisation. For example, the current risk categories are clearly linked to key strategic matters. However, this could be further refined to provide an appetite for risks which are delegated to locality and project level. Such operational/project-level risk appetites can then be compared to the agreed appetites as defined by the Board, and thereafter overseen by senior management to help identify key risk areas/themes. This may help to embed risk management processes throughout the organisation by reflecting that risk responses and tolerances will change depending on the context of the risk and/or the nature of different operational teams and groups.

Management Response:
a) Agreed. The Board will review its risk appetite as part of its annual self-assessment exercise.
b) Agreed. Risk appetite will be defined for risks at locality and project level.

Actioned by / Implementation date:
a) Executive Officer. March 2015.
b) Head of Finance and Resources. September 2015.
4. Risk register action plans

Recommendation:
SCRA should ensure that risk mitigating actions, timescales and action owners are captured either through the risk registers or through supporting action plans which are then referred to in the risk registers. This will help ensure that risk mitigating actions are implemented in a timely manner. Where actions are not implemented as expected, it will provide a clearer mechanism for action owners to be held accountable by senior management and/or the Board.

Management Response:
Agreed. Strategic and Operational Risk Registers will be reviewed and updated to ensure actions, timescales and owners are fully captured.

Actioned by / Implementation date:
PR/CE. March 2015.
5. Locality risk management arrangements

Recommendation:
We have set out at Appendix 3 options to develop the operational risk management process at SCRA, which are in line with our initial risk options paper.

A Risk Management Group should be established within SCRA to take forward the development of risk management arrangements within localities. We have identified some suggested areas for inclusion in the group’s remit:
• The group should comprise representatives from each locality and business area, who act as champions for risk issues and provide advice on the application of SCRA’s risk management policy;
• Risk leads to coordinate operational and locality input to risk registers, identifying and sharing good practice and providing periodic summaries and reports to the group for monitoring and review purposes;
• The group to meet regularly throughout the year to provide oversight of operational and locality risk management arrangements;
• The group to consider whether risks are being adequately managed within agreed appetites and tolerances;
• The group to make recommendations to senior management regarding the escalation of specific operational risk matters which can no longer be managed within the resources allocated at operational/locality level; and
• Risk leads to ensure that each business area and locality regularly carries out risk identification and assessment exercises, so that risk registers are accurate and up to date.

The ability of the group to understand and apply best practice would be essential. We therefore recommend that the Risk Management Group is provided with initial training and support through facilitated training sessions delivered by Scott-Moncrieff.

Furthermore, locality-level risk identification and evaluation workshops should be carried out periodically to ensure that the SCRA risk management policy is applied and that a risk-aware culture is embedded throughout the organisation. We therefore propose that Scott-Moncrieff facilitate an initial locality risk identification workshop with members of the Risk Management Group, with a focus on developing a locality risk register (including both generic and specific locality risks), which can then be rolled out by the RMG to each locality, with the support of the Head of Finance and Resources and the Executive Assistant.

Management Response:
Agreed. A Risk Management Group (RMG) will be established to oversee management of locality risks. The RMG will receive initial training and support from the internal auditors and then take part in a facilitated risk identification and evaluation workshop focused on locality risks.

Actioned by / Implementation date:
PR/CE. June 2015.
© Scott-Moncrieff Chartered Accountants 2015. All rights reserved. “Scott-Moncrieff” refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms. Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.