Scottish Children’s Reporter Administration

Developing SCRA’s approach to Risk Management – Phase 1 February 2015

SCRA (February 2015) Audit Committee: Item 9.5


Introduction

Summary of findings

Appendix 1 – Progress against outstanding actions

Appendix 2 – Gap Analysis

Appendix 3 – Options for development

Appendix 4 – Diagrams

Appendix 5 – Management Action Plan


Introduction

This paper sets out the results of our high-level review of SCRA’s risk management arrangements.

Background

Throughout our appointment as internal auditors to SCRA, we have identified areas where SCRA could enhance its approach to risk management across the organisation. Whilst SCRA’s management has taken steps to address these issues there are still a number of outstanding risk management related audit actions. We have set out the progress against each of the outstanding recommendations at Appendix 1.

Management asked us to develop a discussion paper to set out options for SCRA to further develop and embed its approach to risk management throughout the organisation. We presented our paper on Developing SCRA’s approach to Risk Management to the Audit Committee in May 2014. The paper set out three overall options which could be pursued by SCRA. The Audit Committee approved option one, which was a high-level review of SCRA’s risk management arrangements against internationally recognised best practice.

This report sets out the results from our review, as well as recommendations to further develop SCRA’s risk management arrangements.

Approach

We have performed a high-level review of SCRA’s risk management arrangements. This included a preliminary assessment of SCRA’s risk maturity. We then benchmarked SCRA’s risk management arrangements against ISO 31000. ISO 31000, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

The findings from our review are set out below in the summary of findings.


Summary of findings

Conclusion

SCRA is at a stage where it has taken some action to address the weaknesses previously identified in its risk management arrangements. However, as shown through this review and our discussions with relevant staff, further work is required to help embed risk management throughout the organisation. We have set out in Appendix 3 and the Findings and recommendations section below, some further options for development of the risk management process. These aim to identify practical ways in which good practice arrangements can be applied consistently, and within the limitations of the resources available.

The majority of the previous internal audit recommendations that related to risk management have been superseded by the issues raised through this report (see appendix 1).

Findings and recommendations

1. Risk Management Strategy

SCRA has a Risk Management Policy in place, which was approved by the Board in June 2012. The Policy provides high-level guidance on SCRA’s risk management arrangements, as well as SCRA’s risk appetite and the day-to-day operation of strategic and operational risk registers. However, SCRA does not have a Risk Management Strategy in place. A risk management strategy would set out the long term vision of SCRA’s risk management arrangements, recognising the strengths and weaknesses of current arrangements, whilst setting out practical objectives for the development of SCRA’s risk management arrangements within the limitations of the resources that are available.

Recommendation:

A Risk Management Strategy could be developed to help SCRA articulate its long term vision and objectives for the risk management process. However, in practice, this could be done by expanding upon the existing risk management policy. This will help SCRA align risk management with SCRA’s corporate strategy and help to ensure that any developments can be managed in a planned and coordinated manner.

Linked to the development of the strategy/revised policy is the need to incorporate a risk management training needs analysis as part of the annual training plan process. This needs to be an ongoing process to ensure that the key concepts of good practice risk management are adopted and applied consistently across the organisation.

Risk Management Policy Gap Analysis

We have performed a review of SCRA’s Risk Management Policy against ISO 31000. We have concluded that SCRA has a robust Risk Management Policy in place, although some further improvements have been identified which would help ensure it is aligned to recognised good practice and standards. The potential improvements have been set out at Appendix 2.

Recommendation:

Consider updating the Risk Management Policy in line with the gap analysis at Appendix 2. Adopting the areas suggested will ensure that there is clarity regarding key risk management concepts and theory. It will also ensure that the policy is aligned to good practice and a recognised risk management standard. To assist SCRA in improving its risk management policy, we have highlighted the key areas for development.

Furthermore, to address a previous internal audit recommendation, the policy should also be updated to set out the organisation’s expectations for each business area/locality, in terms of the risk identification and evaluation tools that should be applied and their frequency.

2. Risk appetite

The Scottish Public Finance Manual describes the concept of risk appetite as: “key to achieving effective risk management and it is essential to consider it before moving on to consideration of how risks can be addressed”.

SCRA has taken steps to define and apply its risk appetite. The SCRA Risk Management Policy includes an outline of SCRA’s risk appetite as well as standard risk appetite definitions, ranging from “risk averse” to “risk hungry”, in line with HM Treasury guidance on Managing your risk appetite: A practitioner’s guide. Target risk scores are also identified for each risk, so that mitigating actions are focused on reducing risk to an appropriate level.

SCRA has also agreed its risk appetite for different risk categories, such as strategic/policy risks, finance risks, and accountability/governance risks. However, as risk appetite is fundamental to the risk management process, it is important that it is regularly reviewed to ensure that it is meaningful, appropriate and responsive to changes to the organisation’s risk profile. SCRA’s risk appetite was agreed by the Board in June 2012, but has not been reviewed since then.

Recommendation:

The SCRA Board should review its risk appetite to determine if this is still appropriate. Appetite levels should thereafter be subject to regular review, at least annually.

In addition, SCRA may wish to further enhance its risk appetite by agreeing risk appetites for different levels within the organisation. For example, the current risk categories are clearly linked to key strategic matters. However, this could be further refined to provide an appetite for risks which are delegated to locality and project level. Such operational/project level risk appetites can then be compared to the agreed appetites as defined by the Board; and thereafter, overseen by senior management to help identify key risk areas/themes. This may help to embed risk management processes throughout the organisation by reflecting that risk responses and tolerances will change depending on the context of the risk and/or the nature of different operational teams and groups.

3. Risk register action plans

Where a residual risk score is not aligned with SCRA’s risk appetite, the risk owner must identify appropriate actions and timescales to further mitigate the risk so that the residual risk score is equal to the target risk score. There is a column within SCRA’s updated risk register template to record this. However, from a review of SCRA’s Strategic Risk Register and Operational Risk Register, we noted that although there are some mitigating actions listed, there were rarely timescales or action owners, and some of the actions were statements rather than actions.

Recommendation:

SCRA should ensure that risk mitigating actions, timescales, and action owners are captured either through the risk registers, or through supporting action plans which are then subsequently referred to in the risk registers. This will help ensure that risk mitigating actions are implemented in a timely manner. Where actions are not implemented as expected, it will provide a clearer mechanism for action owners to be held accountable by senior management and/or the Board.

4. Locality risk management arrangements

Each locality has an annual Locality Plan in place. The locality plans will identify the risks to achieving the plan. The risks will then be added to the locality risk register. Per the Risk Management Policy, the locality risks should be formally reviewed and assessed quarterly. However, from our desktop review it is unclear how consistently the risk management procedures are applied across each locality and whether the risk management framework is used as an effective management tool. From discussions held, we understand that SCRA wants to further develop risk management within individual localities in order to “make it real”.

Recommendation:

We have set out at appendix 3, options to develop the operational risk management process at SCRA, which are in line with our initial risk options paper.

A Risk Management Group should be established within SCRA to take forward the development of risk management arrangements within localities. We have identified some suggested areas for inclusion in the group’s remit:

• Group should comprise representatives from each locality and business area to act as a champion for risk issues, providing advice on the application of SCRA’s risk management policy;
• Risk leads to coordinate operational and locality input to risk registers, identifying and sharing good practice and providing periodic summaries and reports to the group for monitoring and review purposes;
• Group to meet regularly throughout the year to provide oversight to operational and locality risk management arrangements;
• Group to consider whether risks are being adequately managed within agreed appetites and tolerances;
• Group to make recommendations to senior management regarding the escalation of specific operational risk matters, which can no longer be managed within the resources allocated at operational/locality level; and
• Risk leads to ensure that each business area and locality is regularly carrying out risk identification and assessment exercises to ensure that risk registers are accurate and up to date.

The ability of the group to understand and apply best practice would be essential. We therefore recommend that the Risk Management Group is provided with initial training and support through facilitated training sessions delivered by Scott-Moncrieff.

Furthermore, locality level risk identification and evaluation workshops should be carried out periodically to ensure that the SCRA risk management policy is applied, and that a risk aware culture is embedded throughout the organisation. We therefore propose that Scott-Moncrieff facilitate an initial locality risk identification workshop with members of the Risk Management Group, with a focus on developing a locality risk register (including both generic and specific locality risks), which can then be rolled out by the RMG to each locality, with the support of the Head of Finance and Resources and the Executive Assistant.


Appendix 1 – Progress against outstanding actions

The following table provides a summary of management’s progress against the outstanding risk management actions:

| Review | Action | Progress to date |
| --- | --- | --- |
| Strategic and Operational Planning (2010/11) | Expanding risk management training. | Recommendation partly addressed. Training is an ongoing matter, however Locality Managers have now been provided with risk management training. However, the identification of risk management training needs should be incorporated as part of the annual training plan cycle – See Recommendation 1 above. |
| Corporate Governance and Risk Management (2012/13) | Embedding risk management – locality risk registers. | Recommendation superseded. Each locality must have an annual locality plan in place. The locality plan will set out the aims and objectives of the locality for the year ahead. The locality must then identify the risks to achieving the objectives. The risks are then added to a locality risk register. However, as noted in the main body of the report, it is unclear how consistent the risk management arrangements are across each locality and whether the risk management arrangements are as dynamic as the Risk Management Policy suggests they should be. Recommendations to develop locality level risk management processes are set out in Recommendation 5 above. |
| Corporate Governance and Risk Management (2012/13) | Risk identification and evaluation tools. | Recommendation superseded. The Risk Management Policy states that it is the responsibility of groups/teams to identify risks. A workshop approach is often an effective tool for identifying risk and this is referred to within the policy. However, there is little evidence that this approach is used by each group/team. The policy should therefore be updated to set out the expectations for each group/team in terms of the risk identification and evaluation tools that should be applied and their frequency. See Recommendation 2. |
| Localities Review (2013/14) | Risk management procedures in localities/risk workshops. | Recommendation superseded. Each locality must have an annual locality plan in place. The locality plan will set out the aims and objectives of the locality for the year ahead. The locality must also identify the risks to achieving the objectives. The risks are then added to a locality risk register. However, as noted in the main body of the report, it is unclear how consistent the risk management arrangements are across each locality and whether the risk management framework is used as an effective management tool. Recommendations to develop locality level risk management processes are set out in Recommendation 5 above. |


Appendix 2 – Gap Analysis

We have found that SCRA’s risk management arrangements are generally compliant with ISO 31000. Our areas for further improvement are set out below:

| ISO 31000 Section No. | Section Name | Description | Possible Improvements | Scott-Moncrieff prioritisation (* denotes key area) |
| --- | --- | --- | --- | --- |
| 2.1 | Terms & Definitions: Risk | A risk is the effect of uncertainty on objectives | The definition of a risk should be added to Section 1 of SCRA’s Risk Management Policy. | * |
| 2.15 | Terms & Definitions: Risk identification | Risk identification is the process of finding, recognising and describing risks. | Risks should be described using the following methodology: There is a risk of X, resulting in Y, which will have an impact on Z. The criteria should be added to Section 7 of SCRA’s Risk Management Policy and SCRA’s risk registers updated. | * |
| 2.17 | Terms & Definitions: Event | An event is the occurrence or change of a particular set of circumstances. | The description of an event should be included within SCRA’s Risk Management Policy. | * |
| 2.25 | Terms & Definitions: Risk treatment | Risk treatment is the process to modify risk. | SCRA should use the TARA (Transfer, Avoid, Reduce, Accept) methodology to categorise its risk treatment strategies. Appendix 3 of the Risk Management Policy should be updated to provide the definition of each risk treatment strategy as well as when each should be adopted. The Risk Owner should be asked to include their chosen risk treatment (Transfer, Avoid, Reduce, Accept) in the risk register. | |
| 2.27 | Terms & Definitions: Residual risk | Residual risk is the risk remaining after the risk treatment. | SCRA’s Risk Management Policy should be updated to explicitly define residual risk, as well as demonstrate how it is calculated. | * |
| 2.28 | Terms & Definitions: Monitoring | Monitoring is continually checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. | SCRA’s Risk Management Policy should set out that Risk Owners are expected to monitor controls and use known intelligence (such as internal audit findings) to assess the strength of controls and adjust the risk assessment accordingly. | * |
| 3 (a) | Principles: Risk management creates and protects value | Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation. | Section 2.3 of the Risk Management Policy should be expanded to include this key principle of risk management. | |
| 3 (e) | Principles: Risk management is systematic, structured and timely. | A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results. | Section 2 of the Risk Management Policy should include this definition. | |
| 3 (f) | Principles: Risk management is based on the best available information. | The inputs to the process of managing risks are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts. | Section 2 of the Risk Management Policy should include this definition. | |
| 3 (h) | Principles: Risk management takes human and cultural factors into account. | Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation’s objectives. | Section 2 of the Risk Management Policy should include this definition. | |
| 3 (j) | Principles: Risk management is dynamic, iterative and responsive to change. | Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear. | Section 2.3 of the Risk Management Policy should be expanded to include this key principle of risk management. | |
| 4 | Framework: Relationship between the components of the framework for managing risk | See Diagram 1 at Appendix 4. | Diagram 1 per Appendix 4 should be added to SCRA’s Risk Management Policy. | * |
| 4.3.1 | Framework: Understanding of the organisation and its context | Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organisation, since these can significantly influence the design of the framework. | Section 2 of the Risk Management Policy should be updated to include how SCRA’s risk management framework was designed, taking account of internal and external factors. | |
| 4.3.6 | Framework: Establishing internal communications and reporting mechanisms | The organisation should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk. | Section 3 of the Risk Management Policy should outline how staff have been made aware of the Policy. | |
| 5 | Process: Risk management process | See Diagram 2 at Appendix 4. | Diagram 2 per Appendix 4 should be added to SCRA’s Risk Management Policy. | * |
| 5.5.1 | Risk treatment: General | Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls. | Appendix 3 of the Risk Management Policy should be updated to define the risk treatment options (Transfer, Avoid, Reduce, and Accept). | |
| 5.5.2 | Risk treatment: Selection of risk treatment options | When selecting the risk treatment options, the organisation should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. | SCRA should liaise with stakeholders where risk treatment options will affect them, and this requirement should be emphasised in the Risk Management Policy. | |
| 5.5.2 | Risk treatment: Selection of risk treatment options | The risk treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. | Action owners should be asked to prioritise risk mitigating actions according to their importance. This could be captured through the risk registers. | |


Appendix 3 – Options for development

The following options are taken from our original paper on Developing SCRA’s approach to risk management. These options still remain relevant and could be used to help SCRA address the issues set out above.

Option 1: Enhancing strategic risk management

The board of every public body is responsible for overseeing the risk management arrangements of an organisation. The board, each committee and every member of staff have a role to play in embedding a culture of risk management within an organisation.

We can provide a programme of facilitated workshops to help an organisation review and revise its risk management arrangements. The purpose of these workshops is to enable board members and members of an organisation’s senior management to consider its risk management arrangements and to identify additional risks which could impact on the delivery of its strategic objectives. The workshop provides the opportunity for a body to consider how this can be achieved over the medium and longer term.

The workshop can be used to not only identify the key risks to an organisation but also to:

• Review and reaffirm the reporting framework which allows the Audit Committee and senior management to receive regular reports and assurance on risk management arrangements; and
• Continue the process of embedding risk management and risk awareness of board members and senior management.

An effective risk management framework should be designed to support the delivery of an organisation’s strategic objectives. The framework and the risk strategy must promote widespread understanding of risk across the organisation and assist staff to effectively assess and mitigate risk, and support continuous improvement.

The workshops will ensure SCRA has a robust risk management framework with a high level strategic risk register. We will help SCRA confirm the risks which could prevent the organisation from achieving its strategic objectives. We will support the Board in setting the likelihood of the risk occurring and the impact it would have on SCRA if there were no controls in place (raw risk). It also sets out the likelihood of each risk occurring and the impact the risk would have on SCRA given the controls in place (residual risk).

The workshops will also look at risk appetite. This is an area often not fully developed in many public sector organisations. The board of every public body is responsible for describing its attitude to risk, often known as its risk appetite. Risk appetite can be defined as the level of risk the board is willing to take in pursuit of its objectives. Risk appetite varies for every organisation and varies within an organisation for different types of risks and over time.

As part of the workshop we will assess board members’ and management’s perceived levels of current risk taking in the organisation. These will be assessed across five categories of risk as defined by recognised national risk management guidance.

Following the risk workshop, we will produce a tailored report setting out the findings and issues identified through the workshop. Our report will be directly targeted to support the management team develop a revised risk management policy and develop an enhanced strategic risk register. Our report can also outline what changes and improvements need to be made to current controls to bring risk levels in line with the agreed risk appetites.

Management can use our findings to develop a programme setting out the prioritisation and timescales for implementing the changes and improvements to controls. This can then be agreed with the Audit Committee, who should then monitor and seek assurance that all risks are being managed within the agreed risk appetites.

Option 2: Embedding risk management at an operational level

To support the effective management of risk at a strategic level, SCRA must have effective risk management

arrangements throughout the organisation. In its review of localities, we found that risk management

arrangements have consistently been underdeveloped or inconsistent.

We would deliver a series of workshops with SCRA’s localities. These workshops will be used to develop

consistent risk management frameworks within each locality. We will also help operational management to

understand how to identify risks and, where appropriate, to escalate risks to the strategic risk register.

It is essential that the Board's attitude to risk is communicated to the whole organisation. This attitude should

be reflected in the prioritisation of policies, work streams, programmes, projects, operational service delivery,

and the funding that goes with them.

The workshops will identify operational managements’ view on the current levels of risk taking in the

organisation and consider the implications, from a management perspective, of implementing the Board’s risk

appetite.

We will use the sessions with locality managers to identify where SCRA may need to make changes to existing

control arrangements. For example, there may be areas where risks are currently over-controlled and where

efficiencies could therefore be generated by reducing controls. In other areas, controls may need to be

strengthened, e.g. where more innovative or high risk programmes and projects are undertaken. In these

areas, the likelihood of success may be uncertain and/or long term, but the potential rewards, in terms of

positive outcomes, could be great. Managing risks in these areas will therefore require robust controls over

programme and project planning, approval, reporting, monitoring and evaluation, as well as effective

stakeholder engagement.

Following the operational risk workshops we will produce a report outlining the findings of the workshop and

identifying key issues to be addressed. We will provide clear actions on how SCRA could develop its control

environment to reflect the Board’s risk management approach and defined risk appetite.


Appendix 4 – Diagrams

Diagram 1: Relationship between the components of the framework for managing risks:

Mandate and Commitment

Design of framework for managing risk
• Understanding the organisation and its context
• Establishing the risk management policy
• Accountability
• Integration into organisational processes
• Resources
• Establishing internal communication and reporting mechanisms
• Establishing external communication and reporting mechanisms

Implementing risk management
• Implementing the framework for managing risk
• Implementing the risk management process

Monitoring and review of the framework

Continual improvement of the framework

Diagram 2: Risk management process:

• Communication and consultation
• Establishing the context
• Risk analysis
• Risk evaluation
• Risk treatment
• Risk identification
• Monitoring and review


Appendix 5 – Management Action Plan

The following table provides a summary of the recommendations and response from management:

Recommendation Management Response Actioned by/ Implementation date

1. Risk Management Strategy

Recommendation:

a) A Risk Management Strategy could be developed to help SCRA articulate its long term vision and objectives for the risk management process. However, in practice, this could be done by expanding upon the existing risk management policy. This will help SCRA align risk management with SCRA’s corporate strategy and help to ensure that any developments can be managed in a planned and coordinated manner.

b) Linked to the development of the strategy/revised policy, is the need to incorporate a risk management training needs analysis as part of the annual training plan process. This needs to be an ongoing process to ensure that the key concepts of good practice risk management are adopted and applied consistently across the organisation.

Management Response:

a) Agreed. The Risk Management will be expanded to include vision and objectives for the risk management process.

b) Agreed. Risk management training needs analysis will be incorporated into the annual training plan process.

Actioned by/ Implementation date:

a) Head of Finance and Resources. June 2015.

b) Head of Finance and Resources. March 2016

2. Risk Management Policy Gap Analysis

Recommendation:

Consider updating the Risk Management Policy in line with the gap analysis at Appendix 2. By adopting the areas suggested, this will ensure that there is clarity regarding key risk management concepts and theory. It will also ensure that the policy is aligned to good practice and a recognised risk management standard. To assist SCRA in improving its risk management policy, we have highlighted the key areas for development.

Furthermore, to address a previous internal audit recommendation, the policy should also be updated to set out the organisation’s expectations for each business area/locality, in terms of the risk identification and evaluation tools that should be applied and their frequency.

Management Response:

Agreed. The policy will be updated to set out risk management expectations of business areas/localities.

Actioned by/ Implementation date:

Head of Finance and Resources. June 2015.

3. Risk Appetite

Recommendation:

a) The SCRA Board should review its risk appetite to determine if this is still appropriate. Appetite levels should thereafter be subject to regular review, at least annually.

b) In addition, SCRA may wish to further enhance its risk appetite by agreeing risk appetites for different levels within the organisation. For example, the current risk categories are clearly linked to key strategic matters. However, this could be further refined to provide an appetite for risks which are delegated to locality and project level. Such operational/project level risk appetites can then be compared to the agreed appetites as defined by the Board; and thereafter, overseen by senior management to help identify key risk areas/themes. This may help to embed risk management processes throughout the organisation by reflecting that risk responses and tolerances will change depending on the context of the risk and/or the nature of different operational teams and groups.

Management Response:

a) Agreed. The Board will review its risk appetite as part of their annual self-assessment exercise.

b) Agreed. Risk appetite will be defined for risks at locality and project level.

Actioned by/ Implementation date:

a) Executive Officer. March 2015.

b) Head of Finance and Resources. September 2015.


4. Risk register action plans

Recommendation:

SCRA should ensure that risk mitigating actions, timescales, and action owners are captured either through the risk registers, or through supporting action plans which are then subsequently referred to in the risk registers.

This will help ensure that risk mitigating actions are implemented in a timely manner. Where actions are not implemented as expected, it will provide a clearer mechanism for action owners to be held accountable by senior management and/or the Board.

Management Response:

Agreed. Strategic and Operational Risk Registers will be reviewed and updated to ensure actions, timescales and owners are fully captured.

Actioned by/ Implementation date:

PR/CE. March 2015.

5. Locality risk management arrangements

Recommendation:

We have set out at Appendix 3, options to develop the operational risk management process at SCRA, which are in line with our initial risk options paper.

A Risk Management Group should be established within SCRA to take forward the development of risk management arrangements within localities. We have identified some suggested areas for inclusion in the group’s remit:

• Group should comprise representatives from each locality and business area to act as a champion for risk issues, providing advice on the application of SCRA’s risk management policy;

• Risk leads to coordinate operational and locality input to risk registers, identifying and sharing good practice and providing periodic summaries and reports to the group for monitoring and review purposes;

• Group to meet regularly throughout the year to provide oversight to operational and locality risk management arrangements;

• Group to consider whether risks are being adequately managed within agreed appetites and tolerances;

• Group to make recommendations to senior management regarding the escalation of specific operational risk matters, which can no longer be managed within the resources allocated at operational/locality level; and

• Risk leads to ensure that each business area and locality is regularly carrying out risk identification and assessment exercises to ensure that risk registers are accurate and up to date.

The ability of the group to understand and apply best practice would be essential. We therefore recommend that the Risk Management Group are provided initial training and support through facilitated training sessions delivered by Scott-Moncrieff.

Furthermore, locality level risk identification and evaluation workshops should be carried out periodically to ensure that the SCRA risk management policy is applied, and that a risk aware culture is embedded throughout the organisation. We therefore propose that Scott-Moncrieff facilitate an initial locality risk identification workshop with members of the Risk Management Group, with a focus on developing a locality risk register (including both generic and specific locality risks), which can then be rolled out by the RMG to each locality, with the support of the Head of Finance and Resources and the Executive Assistant.

Management Response:

Agreed. A Risk Management Group (RMG) will be established to oversee management of locality risks. The RMG will receive initial training and support from the internal auditors and then take part in a facilitated risk identification and evaluation workshop focused on locality risks.

Actioned by/ Implementation date:

PR/CE. June 2015.


© Scott-Moncrieff Chartered Accountants 2015. All rights reserved. “Scott-Moncrieff” refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms. Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.