1. This section gives guidance on the basic principles of risk management. The guidance is aimed at all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable.
Key messages
2. There is no single right way to record an organisation's risk profile, but maintaining a record is critical to effective risk management.
3. Risks should be prioritised in relation to objectives. A statement of a risk should encompass both the possible cause and the impact to the objective which might arise.
4. All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time.
5. It will be necessary to develop a framework for assessing risks that evaluates both the likelihood of the risk being realised and the impact if it is realised. Risk assessment should be recorded in a way that demonstrates clearly the key stages of the process.
6. The concept of a "risk appetite" is key to achieving effective risk management and it is essential to consider it before moving on to consideration of how risks can be addressed.
7. In choosing between responses to risk, the factors to consider include cost, feasibility, probability and potential impact. A further factor is the opportunity to exploit any positive impact that might arise when tolerating, treating or transferring a risk.
8. The management of risk should be reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary.
Background
9. Risk is uncertainty of outcome. The delivery of an organisation's objectives is surrounded by uncertainty which both poses threats to success and offers opportunities to increase success. Risk is therefore defined as this uncertainty of outcome, whether positive opportunity or negative threat, arising from actions and events.
10. Each public sector organisation's internal control systems should include embedded arrangements for identifying, assessing and managing risks. Risk management should be closely linked to the business planning process. Each organisation's governing body should make a considered choice about its desired risk profile, taking account of its legal obligations, ministers' policy decisions, its business objectives and public expectations of what it should deliver. This can mean that different organisations take very different approaches to similar risks. Detailed guidance on the arrangements adopted within the Scottish Government (SG) is available to all SG staff on the SG Intranet.
Identifying risks
11. In order to manage risk, an organisation needs to know what risks it faces and to evaluate them. Identifying risks is the first step in building the organisation's risk profile. There is no single right way to record an organisation's risk profile, but maintaining a record is critical to effective risk management. The identification of risk can be separated into two distinct phases:
- initial risk identification (for an organisation which has not previously identified its risks in a structured way, or for a new organisation, or perhaps for a new project or activity within an organisation); and
- ongoing risk identification (which is necessary to identify new risks which did not previously arise, changes in existing risks, or risks which did exist ceasing to be relevant to the organisation).
12. In every case risks should be prioritised in relation to objectives. Care should be taken to avoid confusion between the impacts that may arise and the risks themselves, and to avoid stating risks that do not impact on objectives; equally, care should be taken to avoid defining risks as simply the converse of the objectives. A statement of a risk should encompass both the possible cause and the impact to the objective which might arise. For example, "loss of a public-facing service" on its own describes an impact, and "the service is not delivered" merely negates the objective; "an unpatched internet-facing system is compromised, leading to loss of the service" states both the cause and the impact and therefore points to an action that can be taken.
Ownership of risk
13. Risks should be identified at a level where a specific impact can be identified and a specific action or actions to address the risk can be identified. All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time. A risk owner, in line with their accountability for managing the risk, should have sufficient authority to ensure that the risk is effectively managed. The risk owner need not be the person who actually takes the action to address the risk. Risk owners should however ensure that the risk is escalated where necessary to the appropriate level of management.
Assessing risks
14. It is important to establish a clearly structured process in which both likelihood and impact are considered for each risk, and in which the assessment of risk is recorded in a way that facilitates monitoring and prioritisation. It will be necessary to develop a framework for assessing risks that evaluates both the likelihood of the risk being realised and the impact if it is realised. A categorisation of high / medium / low in respect of each may be sufficient. There is no absolute standard for this; each organisation should reach a judgement on the most productive level of analysis for its circumstances.
15. Risk assessment should be recorded in a way that demonstrates clearly the key stages of the process. Documenting risk assessment creates a risk profile for the organisation that:
- facilitates identification of risk priorities (in particular to identify the most significant risk issues with which senior management should concern themselves);
- captures the reasons for decisions made about what is and is not tolerable exposure;
- facilitates recording of the way in which it is decided to address risk;
- allows all those concerned with risk management to see the overall risk profile and how their areas of particular responsibility fit into it; and
- facilitates review and monitoring of risks.
16. Once risks have been assessed, the risk priorities for the organisation will emerge. The less acceptable the exposure in respect of a risk, the higher the priority which should be given to addressing it. The highest priority risks (the key risks) should be given regular attention at the highest level of the organisation.
Risk appetite
17. The concept of a "risk appetite" is key to achieving effective risk management, and it is essential to consider it before moving on to how risks can be addressed. The concept may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity:
- when considering threats the concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised. In this sense it is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance;
- when considering opportunities the concept embraces consideration of how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. In this sense it is about comparing the value (financial or otherwise) of potential benefits with the losses which might be incurred (some losses may be incurred with or without realising the benefits).
18. It should be noted that some risk is unavoidable and cannot be managed down to a tolerable level by the organisation itself; for example, many organisations have to accept that there is a risk arising from terrorist activity which they cannot control. In these cases the organisation needs to make contingency plans.
Response to risk
19. Response to risk can be to:
- tolerate: for unavoidable risks, or those so mild or remote as to make avoidance action disproportionate or unattractive;
- treat: for risks that can be reduced or eliminated by prevention or other control action;
- transfer: where another party can take on some or all of the risk more economically or more effectively, e.g. sharing risk with a contractor, or management techniques such as public-private partnership; or
- terminate: for intolerable risks, but only where it is possible for the organisation to exit.
20. In choosing between these responses, the factors to consider include cost, feasibility, probability and potential impact. A further factor is the opportunity to exploit any positive impact that might arise when tolerating, treating or transferring a risk, i.e. where the potential gain seems likely to outweigh the potential downside. It is also important to be aware that excessive caution can be as damaging as unnecessary risk taking.
Reviewing and reporting
21. The management of risk should be reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary. Procedures should be put in place to review regularly whether risks still exist, whether new risks have arisen and whether the likelihood and impact of risks have changed; to report significant changes which adjust risk priorities; and to deliver assurance on the effectiveness of control. In addition, the overall risk management process should be reviewed at least once a year to deliver assurance that it remains appropriate and effective.
22. Key players in the review and reporting processes are Audit Committees and the assurance and advisory work of Internal Audit. However, it is important to note that neither Audit Committees nor Internal Audit can substitute for management ownership of risk or for an embedded review system carried out by the various staff who have executive responsibility for the achievement of organisational objectives.
Further guidance
23. Further guidance on risk management is available in the Orange Book published by HM Treasury, on which this section of the SPFM is largely based. Detailed guidance on risk management is also published online by a number of professional organisations, including the Chartered Institute of Public Finance and Accountancy (CIPFA).
Updated: March 2009