Preparing Scotland: Scottish Guidance on Resilience
i DUTY TO ASSESS RISK
|Mandatory requirements: Category 1 responders must: |
|1 From time to time assess the risk of an emergency occurring - Section 2(1)(a) [19] - but need only perform this duty in relation to an emergency which affects or may affect the area in which the organisation exercises its functions - Regulation 10 [20]. |
|2 From time to time assess the risk of an emergency making it necessary or expedient for the organisation to perform any of its functions - Section 2(1)(b). |
|3 Consider whether a risk assessment is necessary in relation to an emergency or type of emergency. A risk assessment is necessary if: |
- the emergency would be likely to seriously obstruct the performance of your functions - Section 2(2)(a)
- the organisation considers it necessary or desirable to take action to prevent the emergency, to reduce, control or mitigate its effects or take other action in connection with the emergency
- the organisation would be unable to act without changing the deployment of resources or acquiring additional resources - Section 2(2)(b).
|4 Take into account any guidance and adopt any assessment issued by Scottish Ministers in relation to: |
- the likelihood of a particular emergency or emergency of a particular kind occurring
- the extent to which such an emergency would or might cause damage to human welfare or the environment in Scotland or the security of the UK - Regulation 11.
|5 Co-operate with other Category 1 responders operating in your Strategic Co‑ordinating Group (SCG) area to maintain a Community Risk Register (CRR) - Regulation 12(1). This involves: |
- from time to time sharing your individual risk assessments, where possible, with the other Category 1 responders in your SCG area - Regulation 12(2);
- having regard to the CRR when producing your own risk assessments - Regulation 12(4).
|6 Arrange for the publication of any risk assessments made where publication is necessary or desirable to: |
- prevent an emergency
- reduce, control or mitigate the effects of an emergency
- enable another action to be taken in connection with an emergency - Section 2(1)(f).
|Issues to consider and recommended good practice (duty to assess risk): |
|7 Having regard for guidance in Preparing Scotland: Resilience Framework Cycle (interim). |
|8 Adopting a systematic risk assessment process for threats and hazards [21] in the local area. This process should cover: |
- the context within which risks exist. This includes:
  - area-specific health, social, economic, and environmental factors
  - the wider risk context, drawing on Government guidance (Scottish and UK, as appropriate)
- the likelihood of occurrence
- possible impacts
- capabilities that exist to prepare for, respond to and recover from emergencies caused by the identified threats and hazards
- the identification of potential capability gaps
- the sharing of information amongst all relevant bodies.
The risk assessment process should be monitored and reviewed on a regular basis and in accordance with guidance below. For further information see Preparing Scotland: Resilience Framework Cycle (interim).
|9 Reviewing the CRR and individual risk assessments as often as is necessary to ensure that you are in a reasonable position to maintain and update your emergency and business continuity plans and comply with your CCA duties. Scottish Government advice is, in broad terms, to review plans: |
- annually for very high and high risk elements
- approximately three-yearly for medium risk
- approximately five-yearly for low risk
- in the event of a significant change in circumstances.
|10 Setting up a local multi-agency group to co-operate in the risk assessment process for the area and to develop and maintain the Community Risk Register (CRR). |
|11 Being aware of potential security considerations around some risk-related matters - notably but not exclusively relating to threats - and ensuring information is handled appropriately. Consider use of the Government Protective Marking Scheme and the Security Policy Framework to inform decision-making regarding information security. |
|12 Within the constraints of information security, consulting widely (internally and externally) during the risk assessment process. Consultation could include: |
- key officers responsible for delivering your organisation's functions in an emergency
- Category 1 and 2 responders
- those who are not responders, for example in the voluntary sector or parts of the wider community.
|13 Taking account of "out of area" hazards (including across SCG boundaries, national or transnational [22]) which could affect your organisation and its locality. |
|14 Sharing the area's CRR with neighbouring Category 1 responders in contiguous resilience/SCG areas. |
|15 Considering sharing your CRR, or sections of it, with other non-neighbouring resilience areas. |
|16 Ensuring that the Scottish Government is kept properly apprised of risk assessment in your area and by your organisation. |
|Indicators of good practice (duty to assess risk): |
|17 Collectively, being able to demonstrate that responders in the area work together effectively, maximising the use of relevant expertise and avoiding duplication of effort. |
|18 Being able to provide documentary evidence of a regular process for monitoring, reviewing and updating risk assessments. This should include: |
- audit trails recording any updates made
- version control
- a list of contributors
- reference and list sources used (including government guidance).
|19 Being able to demonstrate that your risk assessment - as an organisation and collectively within the area - is based on a rigorous analysis of threats and hazards within the organisational and local context. |
|20 Being able to show how your risk assessment - as an organisation and collectively within the area - aligns with national risk assessments (Scottish and UK, as appropriate) and more generally with relevant government guidance. |
Page updated: Friday, March 16, 2012