
Preparing Scotland: Scottish Guidance on Resilience



Mandatory requirements: Category 1 responders must:
1 From time to time assess the risk of an emergency occurring - Section 2(1)(a) [19] - but need only perform this duty in relation to an emergency which affects or may affect the area in which the organisation exercises its functions - Regulation 10 [20].
2 From time to time assess the risk of an emergency making it necessary or expedient for the organisation to perform any of its functions - Section 2(1)(b).
3 Consider whether a risk assessment is necessary in relation to an emergency or type of emergency. A risk assessment is necessary if:
  • the emergency would be likely to seriously obstruct the performance of your functions - Section 2(2)(a)
  • the organisation considers it necessary or desirable to take action to prevent the emergency, to reduce, control or mitigate its effects or take other action in connection with the emergency
  • the organisation would be unable to act without changing the deployment of resources or acquiring additional resources - Section 2(2)(b).
4 Take into account any guidance and adopt any assessment issued by Scottish Ministers in relation to:
  • the likelihood of a particular emergency or emergency of a particular kind occurring
  • the extent to which such an emergency would or might cause damage to human welfare or the environment in Scotland or the security of the UK - Regulation 11.
5 Co-operate with other Category 1 responders operating in your Strategic Co‑ordinating Group (SCG) area to maintain a Community Risk Register (CRR) - Regulation 12(1). This involves:
  • from time to time sharing your individual risk assessments, where possible, with the other Category 1 responders in your SCG area - Regulation 12(2);
  • having regard to the CRR when producing your own risk assessments - Regulation 12(4).
6 Arrange for the publication of any risk assessments made where publication is necessary or desirable to:
  • prevent an emergency
  • reduce, control or mitigate the effects of an emergency
  • enable another action to be taken in connection with an emergency - Section 2(1)(f).

Issues to consider and recommended good practice (duty to assess risk):
7 Having regard for guidance in Preparing Scotland: Resilience Framework Cycle (interim).
8 Adopting a systematic risk assessment process for threats and hazards [21] in the local area. This process should cover:
  • the context within which risks exist. This includes:
    - area-specific health, social, economic, and environmental factors
    - the wider risk context, drawing on Government guidance (Scottish and UK, as appropriate)
  • the likelihood of occurrence
  • possible impacts
  • capabilities that exist to prepare for, respond to and recover from emergencies caused by the identified threats and hazards
  • the identification of potential capability gaps
  • the sharing of information amongst all relevant bodies.
The risk assessment process should be monitored and reviewed on a regular basis and in accordance with guidance below. For further information see Preparing Scotland: Resilience Framework Cycle (interim).
9 Reviewing the CRR and individual risk assessments as often as is necessary to ensure that you are in a reasonable position to maintain and update your emergency and business continuity plans and comply with your CCA duties. Scottish Government advice is, in broad terms, to review plans:
  • annually for very high and high risk elements
  • approximately three-yearly for medium risk
  • approximately five-yearly for low risk
  • in the event of a significant change in circumstances.
10 Setting up a local multi-agency group to co-operate in the risk assessment process for the area and to develop and maintain the Community Risk Register (CRR).
11 Being aware of potential security considerations around some risk-related matters - notably but not exclusively relating to threats - and ensuring information is handled appropriately. Consider use of the Government Protective Marking Scheme and the Security Policy Framework to inform decision-making regarding information security.
12 Within the constraints of information security, consulting widely (internally and externally) during the risk assessment process. Consultation could include:
  • key officers responsible for delivering your organisation's functions in an emergency
  • Category 1 and 2 responders
  • those who are not responders, for example in the voluntary sector or parts of the wider community.
13 Taking account of "out of area" hazards (including across SCG boundaries, national or transnational [22]) which could affect your organisation and its locality.
14 Sharing the area's CRR with neighbouring Category 1 responders in contiguous resilience/SCG areas.
15 Considering sharing your CRR, or sections of it, with other non-neighbouring resilience areas.
16 Ensuring that the Scottish Government is kept properly apprised of risk assessment in your area and by your organisation.

Indicators of good practice (duty to assess risk):
17 Collectively, being able to demonstrate that responders in the area work together effectively, maximising the use of relevant expertise and avoiding duplication of effort.
18 Being able to provide documentary evidence of a regular process for monitoring, reviewing and updating risk assessments. This should include:
  • audit trails recording any updates made
  • version control
  • a list of contributors
  • references and a list of sources used (including government guidance).
19 Being able to demonstrate that your risk assessment - as an organisation and collectively within the area - is based on a rigorous analysis of threats and hazards within the organisational and local context.
20 Being able to show how your risk assessment - as an organisation and collectively within the area - aligns with national risk assessments (Scottish and UK, as appropriate) and more generally with relevant government guidance.