Scottish Public Finance Manual

The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance on the proper handling and reporting of public funds.


Risk management

Scope:

This section gives guidance on the fundamental principles of risk management.

Applicability:

The guidance is aimed at all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable.

Definitions:

The SPFM uses a set of defined terms to support the implementation of these principles. These terms are used consistently throughout the SPFM.

Term: Intention

Shall: Denotes a requirement; a mandatory element

Should: Denotes a recommendation; an advisory element

May: Denotes approval

Might: Denotes a possibility

Can: Denotes both capability and possibility

Is/are: Denotes a description

Links to relevant guidance:

Principle/Guidance: Links

Principles: Defined in the PFA Act (Public Finance and Accountability (Scotland) Act 2000), sections 1-20

SG Guidance: Can be found on the SG Intranet

Detailed SG Procedural Guidance: Can be found on the SG Intranet

Public Sector Bodies Guidance: Public Sector Bodies can use core SG Guidance as applicable; where it is not applicable, they are required to use the principles defined in the SPFM to develop their own guidance and procedures.

Review/update

Lead area: Scottish Government Finance Directorate; Risk Control & Assurance Division - Risk Branch
For update/review of this principle, please refer to the Guidance and Procedure available on the SG intranet or from the Governance and Accountability team. This includes information on ministerial approval.
Accessibility guidance is available on the SG intranet

1. Risk management - good practice in the Scottish public sector

1.1 Each organisation shall have arrangements in place to identify, assess, address, review, report and communicate the risks and opportunities inherent in the delivery of the objectives set out in its business plan. Whilst these arrangements may differ from one organisation to another, the principles should remain the same.

1.2 To support these arrangements, the ‘top management’ of the organisation should define its desired appetite for risk and the extent of the exposure it is willing to accept in pursuit of opportunities and benefits.  In doing so, the organisation should take into account its legal obligations, ministers' policy decisions, its business objectives, and public expectations of what it should deliver. This can mean that different organisations take very different approaches to similar risks.

1.3 The delivery of an organisation's objectives is surrounded by uncertainties that pose a threat to success and offer the opportunity for increasing success. Risk is defined as the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.

2. Principles of risk management

2.1 The Scottish Government’s risk management principles are to:

  • align to outcomes by being responsive to changes in the delivery environment

  • engage stakeholders to recognise capabilities that could help or hinder the delivery of outcomes

  • provide clear direction by ensuring that everyone understands their role and responsibilities

  • inform decision-making by linking risk management with business planning, delivery progress and performance monitoring

  • enable continuous improvement by using lessons learned to avoid waste and capitalise on good practice

  • create a supportive culture by promoting considered and well-managed risk-taking

  • achieve measurable value through the effective use and deployment of resources

3. Roles, Responsibilities and structure for identifying risks

3.1 The Accountable Officer, supported by the organisation’s board, shall be responsible for ensuring that risk management arrangements are in place and appropriate to the size and scale of the organisation’s activities. Responsibilities for the operation of the organisation’s risk management processes should be delegated, as appropriate, throughout the organisation to ensure that risk management activity is embedded and integrated into normal management systems and closely linked to the business planning and delivery processes.

3.2 It is good practice for organisations to consider risk regularly as part of the normal flow of management information about their activities, with each layer of management providing upward assurance on performance, so reinforcing responsibility through the structure.

3.3 Key roles in the review and reporting processes are Audit Committees and the assurance and advisory work of Internal Audit. However, it is important to note that neither Audit Committees nor Internal Audit are substitutes for management ownership of risk; neither are they substitutes for an embedded review system carried out by those with executive responsibility for the achievement of organisational objectives. The role of the Audit Committee and Internal Audit with regards to risk management is set out elsewhere in the SPFM.

3.4 Each organisation’s approach to risk management should address the following:

  • Tied to Objectives: Risk Management needs to be tied to your purpose and your objectives; essentially what you are trying to achieve. If you aren’t clear what your aims are then you can't identify your risks effectively.

  • Systematically approached: There is no single right way to identify and record an organisation's risk profile, but taking a systematic approach to identifying risks and maintaining a clear record is critical to effective risk management.

  • Clearly described: Risks should be prioritised in relation to objectives. A risk description should be a combination of both the possible cause and the possible impact to your objective.

  • Responsibly owned: All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored appropriately.

  • Supported by a defined framework: It is important to develop a framework for assessing risks which evaluates both the likelihood of the risk being realised, and of the impact if the risk is realised. Risk assessment should be recorded in a way that demonstrates clearly the key stages of the process.

  • Identified risk appetites: Determining your "risk appetite" is key to achieving effective risk management; it is essential to support decision making and it shapes how identified risks are ultimately addressed.

  • Regularly Monitored: The management of risk should be reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary.

  • Effectively communicated: Raising awareness about potential problems and sharing important information can ensure better problem solving, provide effective challenge and support, and enable effective escalation.

4. Risk management framework

4.1 The Risk Management Framework set out below is designed to allow each organisation to implement a structured and systematic approach to the identification, management and review of its risks in support of a continuous cycle of assessment and feedback. Such an approach will ensure that the organisation’s risk profile responds to new information and developments.

4.2 Identifying risk – Using a systematic approach to build and document a risk profile that provides an overview of the medium to long-term risks that may affect the delivery of your objectives. This activity may be supported by the use of qualitative and/or quantitative data and other sources of information. Identification activity should be continuous to ensure that it identifies new, emerging and changing risks.

4.3 Assessing risk – Applying assessment or scoring criteria for the likelihood of the risk materialising and the impact of the risk should it materialise. This activity will allow you to prioritise your risks in relation to your objectives. Your risk assessment should be considered alongside the organisation’s agreed risk appetite to ensure that risks outwith appetite are recognised and prioritised accordingly.

4.4 Addressing risks – Determining the approaches you can take to control or mitigate the risks you have identified. Various factors will influence the risk response approach, including cost, feasibility, probability and potential impact. Another factor to consider is the opportunity to exploit the positive impact that might arise when tolerating, treating or transferring a risk, i.e. where the potential gain seems likely to outweigh the potential downside.

4.5 Recording, reviewing and reporting – Documenting your risks (in a risk register, for example) and reviewing them to ensure that they remain relevant to the delivery of your objectives and that new threats and/or changes to existing risks are identified. Risks should be reported to ensure effective risk discussion and early decision making at key governance meetings. The effectiveness of the risk management processes in place should also be assessed, to ensure that they remain appropriate and effective.

4.6 Communication and learning – Developing a positive risk culture through a cycle of continuous improvement that values diverse perspectives, open and transparent communication, and learning through experience (both positive and negative).

5. Further guidance

  • The Scottish Government Risk Guide (SG Risk Guide) has been developed to provide SG Directorates with support to implement their arrangements.  Public Sector Bodies can use core SG guidance as applicable and where not applicable are required to use the principles defined in the SPFM to develop their own guidance and procedures.
  • Further guidance on risk management is available in the Orange Book published by HM Treasury.
  • Detailed guidance on risk management is also published online by a number of professional organisations, including the Chartered Institute of Public Finance and Accountancy (CIPFA) and ALARM.


Page reviewed: February 2025
