Risk management – good practice in the Scottish public sector
1. This section gives guidance on the basic principles of risk management. The guidance is aimed at all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable.
2. This guide section highlights key point that should be considered when developing your organisation’s risk approach:
- Tied to Objectives: Risk Management needs to be tied to your purpose and your objectives essentially what you are trying to achieve. If you aren’t clear what your aims are then you can't identify your risks effectively.
- Systematically approached: There is no single right way to identify and record an organisation's risk profile, but taking a systematic approach to identifying risks and maintaining a clear record is critical to effective risk management.
- Clearly described: Risks should be prioritised in relation to objectives. A risk description should be a combination of both the possible cause and the possible impact to your objective.
- Responsibly owned: All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored appropriately.
- Supported by a defined framework: It is important to develop a framework for assessing risks which evaluates both the likelihood of the risk being realised, and of the impact if the risk is realised. Risk assessment should be recorded in a way that demonstrates clearly the key stages of the process.
- Identified risk appetites: Determining your "risk appetite" is key to achieving effective risk management and is essential to support decision making and supports how risks can ultimately be addressed.
- Regularly Monitored: The management of risk should be reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary.
- Effectively communicated: Raising awareness about potential problems and sharing important information can ensure better problem solving, provide effective challenge and support and support effective escalation.
3. A risk is anything that can impede or enhance our ability to meet our current or future objectives. The delivery of an organisation's objectives is surrounded by uncertainty which both poses threats to success and offers opportunity for increasing success. Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The Scottish Government’s risk management principles are to:
- align with outcomes – being responsive to change to achieve objectives
- engage stakeholders – recognising capabilities to deliver our outcomes
- provide clear direction – understanding roles and responsibilities
- inform decision-making – linking with business planning and monitoring
- enable continuous improvement – using lessons learned to avoid waste
- create a supportive culture – embracing considered risk-taking
- achieve measureable value – using resources effectively, improving governance
4. Each public sector organisation's internal control systems should include embedded arrangements for identifying, assessing, addressing, reviewing and reporting their risks. This should be integrated into normal management systems and closely linked to the business planning process. Each organisation's governing body should make a considered choice about its desired risk profile, taking account of its legal obligations, ministers' policy decisions, its business objectives, and public expectations of what it should deliver. This can mean that different organisations take very different approaches to similar risks. Detailed guidance on the arrangements adopted within the SG is available to all SG staff on the SG Intranet.
5. Identifying risks is the first step in building the organisation's risk profile. There is no single right way to do this but taking a systematic approach will ensure a complete risk profile is considered. This can be achieved via various methods found in the SG Risk Guide, the Orange book and other risk resources as noted below.
6. Qualitative and quantitative data is also really important, wherever possible it should be used to ensure that risk identification and assessment is based on evidence. Intelligence and political awareness is really important but ensuring you are also using as much information available as possible assists in making robust and informed decisions. Maintaining a record of these risks once identified is then critical to effective risk management.
7. A statement of a risk should encompass both the possible cause and the impact to the objective which might arise. The identification of risk can be separated into two distinct phases:
- initial risk identification (for an organisation which has not previously identified its risks in a structured way, or for a new organisation, or perhaps for a new project or activity within an organisation); and
- ongoing risk identification (which is necessary to identify new risks which did not previously arise, changes in existing risks, or risks which did exist ceasing to be relevant to the organisation).
8. As well as drawing on risk assessment from within the organisation, it may be valuable to use an external source to make sure that nothing important has been overlooked. Sometimes different public sector organisations can help each other out in this way, to their mutual advantage, it can also be useful to get staff to work together to consider the subject, e.g. in facilitated groups.
Ownership of risk
9. All risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored effectively. A risk owner, in line with their accountability for managing the risk, should have sufficient authority to ensure this. The risk owner need not be the person who actually takes the direct action to address the risk but should however have responsibility for the delivery of the related objective, they must also exercise their judgement in ensuring that the risk is escalated to the appropriate level of management where necessary for further support or raise awareness of the risk as required.
14. It is important to establish a clearly structured process in which both likelihood and impact are considered for each risk and that the assessment of risk is recorded in a way that facilitates monitoring and prioritisation. It will be necessary to develop a framework for assessing risks that evaluates both the likelihood of the risk being realised, and of the impact if the risk is realised. A categorisation of high / medium / low in respect of each may be sufficient. There is no absolute standard for this - each organisation should reach a judgement on the most productive level of analysis for its circumstances.
15. Risk assessment should be recorded in a way that demonstrates clearly the key stages of the process. Documenting risk assessment creates a risk profile for the organisation that:
- facilitates identification of risk priorities (in particular to identify the most significant risk issues with which senior management should concern themselves);
- captures the reasons for decisions made about what is and is not tolerable exposure;
- facilitates recording of the way in which it is decided to address risk;
- allows all those concerned with risk management to see the overall risk profile and how their areas of particular responsibility fit into it; and
- facilitates review and monitoring of risks
16. Once risks have been assessed, the risk priorities for the organisation will emerge. The less acceptable the exposure in respect of a risk, the higher the priority which should be given to addressing it. The highest priority risks (the key risks) should be given regular attention at the highest level of the organisation.
17. The concept of a "risk appetite" is key to achieving effective risk management and it is essential to consider it before moving on to consideration of how risks can be addressed. The concept may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity:
- when considering threats the concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised. In this sense it is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance;
- when considering opportunities the concept embraces consideration of how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. In this sense it is about comparing the value (financial or otherwise) of potential benefits with the losses which might be incurred (some losses may be incurred with or without realising the benefits).
18. It should be noted that some risk is unavoidable and it is not within the ability of the organisation to completely manage it to a tolerable level - for example many organisations have to accept that there is a risk arising from terrorist activity which they cannot control. In these cases the organisation needs to make contingency plans.
Response to risk
19. Response to risk can be to:
- tolerate: for unavoidable risks, or those so mild or remote as to make avoidance action disproportionate or unattractive;
- treat: for risks that can be reduced or eliminated by prevention or other control action;
- transfer: where another party can take on some or all of the risk more economically or more effectively, e.g. sharing risk with a contractor, or management techniques such as public-private partnership; or
- terminate: for intolerable risks, but only where it is possible for the organisation to exit.
20. In choosing between these responses, factors to consider include cost, feasibility, probability and the potential impact. Another factor to consider is the opportunity to exploit the positive impact that might arise whenever tolerating, treating or transferring a risk i.e. where the potential gain seems likely to outweigh the potential downside. It is also important to be aware that excessive caution can be as damaging as unnecessary risk taking.
Reviewing and reporting
21. The management of risk should be reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary. Procedures should be put in place to review regularly whether risks still exist, whether new risks have arisen, whether the likelihood and impact of risks has changed, report significant changes which adjust risk priorities, and deliver assurance on the effectiveness of control. In addition, the overall risk management process should be reviewed at least once a year to deliver assurance that it remains appropriate and effective.
It is good practice for organisation’s to consider risk regularly as part of its normal flow of management information about the organisation’s activities with each layer of management providing upward assurance about its performance, so reinforcing responsibility through the structure.
22. Key players in the review and reporting processes are Audit Committees and the assurance and advisory work of Internal Audit. However, it is important to note that neither Audit Committees nor Internal Audit can substitute for management ownership of risk or for an embedded review system carried out by the various staff who have executive responsibility for the achievement of organisational objectives.
Communication and learning
Organisations should make sure that lessons are learned from experience. This applies particularly to perceived failures, e.g. an unforeseen risk or a crystallised risk which turned out more damaging than expected. But it is equally true of successes, especially those where risk was managed well, to see whether there is anything to be gained by repeating effective techniques elsewhere.
People view risk differently, team members, programme boards, senior management, Ministers, stakeholders and the public.
Ensuring that we tap into these diverse views and utilise other people’s experiences and perspectives can help us to identify and manage our risks better.
23. Further guidance on risk management is available in the Orange Book published by HM Treasury, and on which this section of the SPFM is largely based and other Treasury risk guidance:
Detailed guidance on risk management is also published online by a number of professional organisations, including the Chartered Institute of Public Finance and Accountancy (CIPFA)
Page reviewed: March 2019