Good practice in risk management
Report by the Comptroller and Auditor General, 8 June 2011
BELFAST: The Stationery Office £5.00
Report by the Comptroller and Auditor General for Northern Ireland
This report has been prepared under Article 8 of the Audit (Northern Ireland) Order 1987 for presentation to the Northern Ireland Assembly in accordance with Article 11 of that Order.
K J Donnelly, Comptroller and Auditor General, Northern Ireland Audit Office, 8 June 2011
The Comptroller and Auditor General is the head of the Northern Ireland Audit Office employing some 145 staff. He and the Northern Ireland Audit Office are totally independent of Government. He certifies the accounts of all Government Departments and a wide range of other public sector bodies; and he has statutory authority to report to the Assembly on the economy, efficiency and effectiveness with which departments and other bodies have used their resources.
For further information about the Northern Ireland Audit Office please contact:
Northern Ireland Audit Office, 106 University Street, BELFAST BT7 1EU
Tel: 028 9025 1100, email: [email protected], website: www.niauditoffice.gov.uk
© Northern Ireland Audit Office 2011
Contents
Part one Introduction 1
Part two Risk management framework 5
Part three Risk management process 13
Part four Accountability 29
Appendices 35
Appendix 1 Risk management checklist 36
Appendix 2 Participants 41
Appendix 3 HM Treasury – Key questions for an audit committee to ask 42
Appendix 4 Extract from DHSSPS communications plan 43
Appendix 5 Categories of risk 45
Appendix 6 Department for Regional Development - Risk checklist 47
Appendix 7 Department of Education - Assessment categories for impact and likelihood 49
Appendix 8 Model of risk appetite 56
Appendix 9 Strategic Investment Board – Fraud risk assessment 58
Appendix 10 OFMDFM stewardship statements pro forma 59
Glossary
Horizon scanning: the technique used to identify risks by a systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning
Inherent risk: the exposure arising from a specific risk before any action is taken to manage it
Residual risk: the exposure arising from a specific risk after action has been taken to manage it and assuming that the action taken has been effective
Risk appetite: the extent of exposure to risk that has been assessed as tolerable for an organisation or business activity
Risk register: captures, maintains and monitors information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk
Abbreviations
ALB Arm’s Length Body
BAFO Best and Final Offer
CE Chief Executive
CGAC Corporate Governance Audit Committee
DARD Department of Agriculture and Rural Development
DE Department of Education
DFP Department of Finance and Personnel
ELB Education and Library Board
EU European Union
IT Information Technology
MEMR Monthly Expenditure and Monitoring Report
NAO National Audit Office
NDPB Non-departmental Public Body
NIAO Northern Ireland Audit Office
NICS Northern Ireland Civil Service
OFMDFM Office of First Minister and Deputy First Minister
OGC Office of Government Commerce
PDP Personal Development Plan
PPA Personal Performance Assessment
PSA Public Service Agreement
RRG Risk Review Group
Part One: Introduction
1.1 Risk management is a highly topical issue for all government departments and their sponsored bodies and has a vital role to play in promoting and securing value for money in the use of public funds.
1.2 As a result of recent public spending cuts announced by Westminster, public bodies face greater challenges in managing risk. The cuts announced by the Chancellor of the Exchequer in the National Spending Review in October 2010 will result in a reduction of 8 per cent in the Northern Ireland Executive’s delegated current expenditure limits by 2014-15. The delegated expenditure limit for capital investment available to the Northern Ireland Executive will reduce by 40.1 per cent in real terms by 2014-15. It is essential therefore, that public bodies adopt and embrace an innovative approach to managing risk to assist in the delivery of better, more cost effective public services.
1.3 There is currently a great deal of risk management guidance available, the essence of which is broadly similar. The purpose of this publication is to provide a best practice guide tailored to the experiences and needs of public sector bodies in Northern Ireland. The report reflects on local case study examples to illustrate how well risk is being handled in practice and to identify better and more innovative ways of managing risk.
1.4 In producing this report, we developed a risk management checklist (see Appendix 1), designed as a tool to enable public bodies to self assess their capability and capacity to manage risk. However, as a one-off exercise, we completed the checklist with all of the Northern Ireland Civil Service (NICS) departments and a number of Arm’s Length Bodies (see Appendix 2 for a full list). This exercise facilitated the identification of good practice in the application of risk management principles. This report examines good practice in the context of:
• the risk management framework (Part Two);
• the risk management process (Part Three); and
• accountability (Part Four).
1.5 Overall, we found that the departments had developed a strong awareness of risk and had made genuine efforts to develop and embed an effective risk management strategy. Traditionally public sector bodies display many of the characteristics associated with a highly risk averse culture, however, best practice guidance on risk management emphasises that the consequences of risk can be positive or negative. Well managed risk taking can produce benefits for the organisation in terms of opportunities, but equally can present threats that ultimately may impact on an organisation’s ability to meet its strategic objectives. Risk management is an important aspect of good governance and is a useful tool in contributing to the achievement of outcomes and ensuring that public bodies meet their objectives as the following Case Study illustrates.
Case Study 1 Department of Education – Managing risk to achieve outcomes
Following substantial overspends in 2003-04 and 2004-05 by two Education and Library Boards (ELBs), the Department of Education (DE) introduced a series of measures to ensure tighter financial monitoring and control with the aim of preventing recurrence. This included the introduction of:
• a revised Monthly Expenditure and Monitoring Report (MEMR) to provide more relevant and detailed information;
• a signed assurance statement from the Chief Executive as to the accuracy of the information provided and a commitment to remain within budget;
• monthly meetings with each Chief Finance Officer to discuss in detail the information on the MEMR and reduce the risk of under/overspend at the year end;
• reconciliation and review of details provided in the MEMRs with details held in DE to reduce the risk of errors in figures being used by ELBs and DE; and
• keeping the DE Board informed to aid better decision making.
Following the implementation of these measures, the ELBs have remained within budget since 2004-05.
Source: Department of Education
Case Study 2 The Fermanagh Flooding – Managing risk to achieve outcomes
During the course of late October and November 2009, County Fermanagh experienced unprecedented levels of rainfall. The area was subject to widespread flooding, leading to significant disruption to life in the county at both individual and community level. The Northern Ireland Executive decided, at its meeting on 3 December 2009, that a Flooding Taskforce should be established to investigate the causes of the flooding, identify lessons learned and consider measures required to mitigate the impact of any future flooding. This cross-departmental Taskforce gathered evidence from members of the public in the affected areas, business people, local representatives and stakeholder organisations. The Taskforce also took full account of the issues identified by a Review of the Flood Response conducted by the Rivers Agency, Department of Agriculture & Rural Development.
Following detailed examination of all the evidence the Taskforce presented a number of recommendations to the Northern Ireland Executive on 22 July 2010. These included:
• conducting an in-depth review of the Management of the Operating Regime for the Erne System;
• undertaking a programme of road improvement works;
• conducting a feasibility study to consider options for a flood alleviation scheme;
• undertaking a programme of work to improve the level of protection from flood risk;
• maintaining and further developing emergency planning arrangements and networks;
• ensuring that robust contingency arrangements are in place for the provision of essential services to the local community; and
• developing an education and public awareness programme to inform the local community about flooding in the Fermanagh area and how to deal with it.
The recommendations outlined above were approved by the Northern Ireland Executive on 22 July 2010 and the Office of First Minister and Deputy First Minister advised us that considerable progress has since been made on their implementation.
Rainfall levels in County Fermanagh have not since reached the unprecedented levels experienced in November 2009 and the measures outlined above have not, therefore, been tested in a live environment. However, if these control measures prove to be effective, this case demonstrates the principles of effective risk management. As a result, any adverse impact on the community on the scale of that experienced in November 2009 should be averted.
Source: Department of Agriculture and Rural Development
Part Two: Risk management framework
Risk management function
2.1 The structure of an organisation’s risk management function will vary according to its size, nature and resource constraints. The risk management function may range from a single individual risk champion or manager to a whole risk management department. Figure 1 provides a summary of the roles and responsibilities that may be delegated to, and coordinated by, the risk management function.
Figure 1 – Risk management function: roles and responsibilities
The risk management function:
• provides regular updates and communication on risk management issues;
• provides guidance and advice to staff;
• produces the risk management strategy;
• maintains risk registers;
• provides risk management training to staff; and
• monitors the content of registers and the status of actions.
Good Practice – Forums for exchanging knowledge and working practices
HM Treasury currently runs a risk improvement group that meets twice a year. This provides a good networking opportunity and enables attendees to meet experts in the field. Guest speakers are invited to attend the meetings and share experiences including case studies and guidance. The forum plays a useful role in spreading and embedding good practice.
Leadership
2.2 In public bodies the Accounting Officer has responsibility for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, whilst safeguarding the public funds and departmental assets. This involves putting a system in place to ensure that all business areas identify the key risks to the achievement of the organisation’s objectives. The Accounting Officer must report annually on the organisation’s system of internal control in the Statement on Internal Control. The statement should highlight any key internal control issues that have been encountered throughout that year.
2.3 Strong leadership and clear ownership at Accounting Officer level is essential in embedding an organisational risk management culture. An organisation’s risk management strategy should outline clearly the roles and responsibilities for risk management, including that of the Accounting Officer.
2.4 In addition, the corporate governance framework of public sector bodies will include a Board, an Audit Committee and an internal audit service, all of which will assume some responsibility for seeking and providing assurance in relation to risk management. The management of risk however, always remains an executive responsibility.
2.5 According to HM Treasury guidance, “the Board should ensure that effective risk management arrangements are in place to provide assurance on risk management, governance and internal control”.[1] Depending on an organisation’s circumstances it may choose to establish a separate risk committee. However, frequently the role of the Audit Committee will be extended to include seeking assurances in relation to risk management. For this reason the Audit Committee is sometimes referred to as the Audit and Risk Committee. The Audit Committee will support the Board and the Accounting Officer by gathering assurance and providing advice to the Board on risk management, governance and control issues. HM Treasury guidance reflects that, “the Audit Committee is charged with ensuring that the Board and Accounting Officer of the organisation gain the assurance they need on risk management, governance and internal control”.[2] The guidance provides a list of questions that an Audit Committee may wish to ask in seeking assurance on risk management issues (Appendix 3). It is essential, however, that audit committees maintain their independence and do not become operationally involved in risk management.
2.6 Internal Audit should adopt a risk based approach to planning its programme of work which will refer to organisational risk registers to identify topics for review. In addition to individual audit reports, Internal Audit provides an independent opinion on the overall adequacy and effectiveness of the framework of governance, risk management and internal control which should support and inform the Accounting Officer’s Statement on Internal Control.
[1] HM Treasury guidance - Corporate governance in central government departments: Code of Good Practice.
[2] HM Treasury – Audit Committee Handbook.
Figure 2 – Risk management in practice: roles and responsibilities
Accounting Officer
• Retains ultimate responsibility for the organisation’s system of internal control and ensures that an effective risk management process is in place and is regularly reviewed
• Provides clear direction to staff
• Establishes, promotes and embeds an organisational risk culture
• Reports to the Board and the Audit Committee
Board
• Establishes and oversees risk management procedures
• Endorses the risk management strategy/policies
• Ensures appropriate monitoring and management of significant risks by management
• Challenges risk management to ensure that all key risks have been identified
• Is aware of any instances where risks are realised
Audit (& Risk) Committee
• Reports to the Board on the effectiveness of the system of internal control and alerts the Board members to any emerging issues
• Endorses the organisation’s risk management strategy/policies
• Takes responsibility for the oversight of the risk management process
• Reviews risk registers to provide challenge and advice (not in an executive capacity)
Senior Management
• Acts on behalf of the Board and will:
  • determine the organisation’s approach to risk management
  • implement policies on risk management and internal control
  • discuss and approve issues that significantly affect the organisation’s risk profile or exposure
  • continually monitor the identification and management of significant risks and ensure that actions to remedy control weakness are implemented
  • report changes in risk assessment to the Board on an exception basis
  • annually review the organisation’s approach to risk management and approve changes or improvements to key elements of its processes and procedures
  • report to the Audit Committee and to the Board on risk management matters
• Provides subsidiary management/internal control statements to the Accounting Officer
Risk Owner
• Identifies and assesses individual risks
• Decides whether a risk is sufficiently serious to be escalated to the next level of the organisation
• Ensures that actions to treat or control the risk are carried out and informs the risk manager of any consequent updates to the risk register
• Reviews the risk rating and the necessity to keep the risk on the register
Risk Management Function (e.g. risk champion/manager/co-ordinator/department)
• Maintains the risk register under the direction of risk owners and updates or amends the risk register as necessary
• Regularly reviews the content of risk registers with a view to ensuring that risk actions are being completed and that all details on the risk register are correct
Staff
• Carries out risk actions identified and delegated by the risk owners
• Maintains awareness of the organisation’s risk management strategy and the key risks faced by the organisation
• Ensures that duties relating to controls are carried out
Internal Audit
• Provides independent opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and internal control to the Accounting Officer (and Audit Committee)
Risk management strategy and policies
2.7 Public bodies should document formally their approach to risk management in a risk management strategy. This will assist the Accounting Officer, the Board and the senior management team in promoting and embedding risk management in the culture of the organisation. The risk management strategy will usually be published in a separate document but may be integrated with established policies for departmental business activities. Regardless of how organisations choose to present their risk management strategy, there are a number of key issues that should be addressed.
1. The strategy should outline the organisation’s approach to risk management and should define its risk appetite.
2. The roles and responsibilities for the management and ownership of risk should be documented to ensure that all staff have a clear understanding of their remit.
3. The risk management process adopted by the organisation should be clearly outlined in the strategy.
4. The strategy should define how risks will be evaluated or ranked. This should assist in identifying key risks.
5. Risk registers should be regularly reviewed and this process should be identified in the strategy.
6. The process for monitoring and reviewing risk management procedures should be documented.
7. The process by which the Accounting Officer satisfies himself/herself that there is an adequate system of internal control in place should be outlined in the strategy.
2.8 The risk management strategy is a key document which should underpin the organisation’s risk management culture. It is essential, therefore, that it is endorsed by the Accounting Officer, the Board and the Audit Committee given their respective roles and responsibilities in relation to risk management.
Good Practice - Risk management guidance
In addition to its risk management strategy, the Department of Justice has produced ‘a practical guide’ to risk management which aims to assist staff in interpreting the guidance and addresses common issues. The Department informed us that this document is made available to all staff and supplements any training provided. The guide is user friendly and would be of particular benefit to those staff who may not have direct responsibility for risk management, but need to be aware of the key concepts.
Communicating the risk management strategy
2.9 Once the risk management strategy has been approved by the Board (any subsequent updates should also be approved by the Board) it is essential that the document is publicised throughout the organisation and made available to all staff. This can involve holding training sessions tailored to the needs of different levels of staff throughout the organisation, sending out updates by email and publishing the document on the organisation’s intranet. One of the key ways of gaining staff buy-in is for senior management to promote the importance of risk management. This might involve senior management facilitating staff meetings and delivering risk awareness sessions to staff.
Good Practice – Embedding risk management
Embedding effective risk management processes across the Department for Social Development and its sponsored bodies is a continuous process rather than a one-off annual exercise. It has involved looking below the surface of policies and procedures to identify what is actually happening on the ground. Taking on board the principle that this affects a wide range of people, the Department has adopted an all inclusive process driven by the Board and the Audit Committee. People are engaged continually through ongoing support and challenge by a dedicated team of staff. Recognising the benefits that a separate set of views can bring, a peer review process has been used to obtain an external perspective on risk management arrangements. To ensure continual refreshment of the process, managers from across the Department and its sponsored bodies have been brought together for a series of externally facilitated workshops to provide time for reflection, an opportunity to challenge each others’ thinking and to assess the adequacy of current risk management arrangements in the context of identified good practice outside the NICS. The workshops provided a forum for sharing knowledge and experience and the output informed the ongoing review of the Department’s risk management strategy. This included the involvement of staff in the development of definitions to help build consistency in the risk assessment process which has helped to keep risk management at the forefront of decision-making.
Source: Department for Social Development
Contingency and business continuity plans
2.10 It is essential that public services can be maintained in the event of a disaster. Contingency planning is therefore vital in ensuring that the negative impact associated with risks occurring is managed and that there is minimal interruption to service delivery. Contingency plans should be put in place and regularly reviewed and tested to ensure that they provide adequate cover in the event of a disaster.
2.11 Due to the nature of the public sector, the services it provides, and the way in which it is funded, public bodies must manage reputational risk. Risk cannot however be eliminated entirely and there will always be a residual risk to the reputation of an organisation in the event of a risk maturing. In order to minimise the potential impact that this may have, public bodies should ensure that they are well equipped to deal with the event. This involves developing a communications strategy and providing training to relevant staff on its application.
2.12 We asked departments to comment on and provide a copy of their communications strategy. A significant number of the public bodies we reviewed referred us to their risk management strategy which did not, in our view, deal adequately with external communications. The Department of Health, Social Services and Public Safety has developed a communications plan as an annex to its business continuity plan which focuses on the external aspects of communication. The plan identifies a list of questions for consideration when devising a communications strategy in response to an event that may impact adversely on the organisation and a summary of the key steps that should be applied. An extract from the plan is provided at Appendix 4.
Arm’s length bodies
2.13 Risk management is an important aspect in the governance of arm’s length bodies (ALBs). HM Treasury guidance indicates that effective risk management needs to give full consideration to the context in which the department functions and to the risk priorities of partner organisations. For example, departments delegate aspects of service delivery to ALBs. If ALBs fail to manage these delegated risks appropriately this could impact on the department’s achievement of objectives. In addition, any reputational risk faced by an ALB can also impact on the reputation of the sponsoring department. It is essential therefore, that departments seek assurances that their ALBs are managing risk at an acceptable level. Managing Public Money Northern Ireland states that ‘the Accounting Officer of a department which sponsors an ALB should make arrangements to satisfy himself/herself that the Accounting Officer is carrying out his/her responsibilities’.
2.14 The approach adopted by departments will be influenced by the number of ALBs they provide funding to and the risk profile of those ALBs. Departments and ALBs need to work together to identify shared risks and develop appropriate, efficient risk management approaches. Departments should regularly review the risk profile of their ALBs and ensure that appropriate and effective risk management processes are in place, including:
• structured processes for identifying and managing risks associated with departmental sponsorship responsibilities;
• regular review of processes for gaining assurances on ALBs’ management of risks to ensure that appropriate and effective controls are in place; and
• regular and open discussion of risk issues between departments and their ALBs.
2.15 Departments have developed a number of techniques for gaining assurances on the governance and risk management of their ALBs.
Good Practice – managing risks in arm’s length bodies
• The Accounting Officer of each ALB is required to complete an annual ‘Subsidiary Statement on Internal Control’ confirming that risks within their organisation have been identified, evaluated and managed appropriately. This statement is timed to support the departmental Statement on Internal Control which will reflect any significant control failures reported within ALBs.
• The head of Internal Audit in each ALB provides an annual opinion on the adequacy of the organisation’s risk management, control and governance process. This report should be timed to support the Accounting Officer in each ALB in preparing his/her Statement on Internal Control.
• Training is provided for Board members of ALBs on their roles and responsibilities.
• The Department attends in an observer capacity at the meetings of the ALB’s Audit and Risk Committee to ensure alignment of risks, monitor the effectiveness of systems in place and maintain awareness of key risks.
• ALB representatives attend the departmental Audit and Risk Committee in an observer capacity on matters which impact on both, to offer reassurance that appropriate governance arrangements are in place and working.
• Procedures are documented and embedded to ensure that new risks identified in the ALBs are escalated to the Department on a timely basis.
Part Three: Risk management process
3.1 There is no one size fits all approach to the risk management process for public sector bodies. However, all risk management processes should incorporate five core stages and these should be outlined in the risk management strategy.
Figure 3 - Risk management process
1. Risk identification
2. Risk assessment
3. Risk appetite
4. Addressing risk
5. Reviewing and reporting risk
Step 1: Risk identification
3.2 Risk identification is the process of identifying risks which may impact on the organisation’s ability to achieve its objectives. The aim is to identify what, when, where, why and how events could prevent, degrade, delay or enhance achievement of objectives. Appendix 5 provides a breakdown of the 3 main categories of risk which includes:
• external risks;
• operational risks; and
• change risks.
3.3 Risk identification should be approached in a methodical way to ensure that all significant activities within the department have been identified and all risks flowing from these activities defined. Risk should always be related to objectives. Departments use a number of methods for identifying risks including facilitated workshops, brainstorming, using past experience, and audit reports such as those from internal audit, NIAO and other audit institutions. As part of its risk management procedure manual the Department for Regional Development has compiled a risk checklist as a tool to facilitate the consideration of risk for any business activity. Although not exhaustive it provides a starting point for business areas to assess risk (see Appendix 6).
3.4 A number of departments also use a technique called “horizon scanning” which identifies risks that are likely to arise in the future. Horizon scanning is defined by the Government Office for Science as ‘the systematic examination of potential threats, opportunities and likely future developments, including (but not restricted to) those at the margins of current thinking and planning.’
3.5 The identification of risk can be separated into 2 stages:
Initial risk identification should be completed by those bodies which have not previously identified risks in a structured way, new organisations, or when an organisation undertakes a new project or activity.
Continuous risk identification is a process of review to identify new risks as they arise, changes to existing risks, or eliminate risks which are no longer relevant.
3.6 In the current economic climate it is particularly important that public sector bodies are responsive to changes in their operating environment. Organisations must engage in the process of continuous risk identification to identify and manage threats to the business that may arise as a result of changes to the operating environment. The process should not only involve identifying new risks, but should incorporate a review of the documented risks which may no longer be valid or which may have been fully addressed. These risks should be removed from the risk register. Frequently, organisations add new risks to the register but fail to remove risks that have been addressed and that are no longer current. This can result in:
• the risk register providing an inaccurate profile of the organisation’s corporate risks;
• the risk register becoming ‘cluttered’ with risks that are no longer current, making it difficult to identify the most significant strategic level risks faced by the organisation; and
• the risk register becoming burdensome to maintain and review.
3.7 Risk assessment and management should be a routine element of all policy development and implementation. Risks considered should not only include those which threaten the achievement of objectives, but also those of failing to identify and exploit opportunities to do things differently or better (missed opportunities).
Risk ownership
3.8 Public bodies must establish appropriate accountability arrangements to provide assurances on risk management to the Board and the Audit Committee. This will involve assigning each of the risks identified to an owner who will be responsible for ensuring that the risk is managed and monitored over time. In order to promote accountability, risk owners should be named individuals and not groups, for example 'Finance Director' rather than 'Senior Management Team'.
3.9 Ownership of key strategic risks will usually be assigned at senior management/Board level. The ownership of operational risks will be allocated to head of division or head of branch level depending on the nature of the identified risk and the potential impact on business. These risks may not be included on the corporate risk register or reported to the Audit Committee. In promoting the need for accountability, organisations should link the ownership of risk to an individual's performance objectives.
3.10 It is essential that risk owners receive the support they require in order to manage those risks that have been assigned to them and that they have the authority to assign resources to manage key risks. They will be responsible for ensuring the risk framework is applied at all levels throughout their business area.
Step 2: Risk assessment
3.11 The next step in the process is to assess the "inherent" risk to an organisation's activity. Inherent risk can be described as the exposure arising from a specific risk before any action is taken to manage it.
3.12 This involves assessing the 'likelihood' of a risk occurring and its potential 'impact' on the relevant business objective. The impact and likelihood of risks occurring will be reassessed later in the risk management process (step 4) to reflect how the risk exposure has changed as a result of the risk response. This is referred to as "residual" risk and can be described as the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.
3.13 As a minimum the impact and likelihood should be assessed as high, medium or low in a simple 3x3 risk matrix as illustrated in figure 4. A more detailed analytical scale can be applied if appropriate: Appendix 7 shows how the Department of Education has developed its own model. Each department should reach a judgement about the level of analysis that is most suitable for its circumstances.
Part Three: Risk management process
3.14 This initial risk assessment focuses on inherent risk. Once organisations have completed step 4 in the risk management process the risk will be reassessed to identify the residual risk. Figure 5 provides an example of how this information might be presented in a risk register.
Figure 4 – Simple 3x3 risk assessment matrix (rows: Likelihood; columns: Impact)

Likelihood \ Impact   Low      Medium   High
High                  AMBER    RED      RED
Medium                GREEN    AMBER    RED
Low                   GREEN    GREEN    AMBER
Figure 5 – Extract from risk register

Risk: Project deadline will not be met.
Inherent Risk Assessment (Impact/Likelihood): H / H
Risk Response: Controls:
  1. Project Board established and Senior Responsible Owner identified to manage project
  2. Regular monitoring of reported progress against milestones
  3. Contract penalties for project overruns
Residual Risk Assessment (Impact/Likelihood): M / L
Step 3: Risk appetite
3.15 An organisation's risk appetite is the extent of exposure to risk that is judged tolerable for that organisation. The concept may be looked at in different ways depending on whether the risk being considered is a threat or an opportunity.
• When considering threats, risk appetite clarifies the level of exposure which is considered tolerable and justifiable should it be realised. It is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance; or
• When considering opportunities, risk appetite clarifies how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity. It is about comparing the value (financial or otherwise) of potential benefits with the losses which might be incurred (some losses may be incurred with or without realising the benefits).
3.16 Some risks are unavoidable and it is not always within the ability of the organisation to manage risk to a tolerable level – for example, many organisations have to accept that there are risks arising from terrorist activities, extreme weather, industrial action etc which they cannot control. In this case the organisation needs to make contingency plans to minimise any potential negative impact of a risk maturing.
Setting the risk appetite
3.17 Risk appetite will best be expressed as a series of boundaries, appropriately authorised by management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it. Risk appetite will be expressed in the same terms as those used in assessing risk. An organisation's risk appetite is not necessarily static; in particular the Board will have freedom to vary the amount of risk which it is prepared to take depending on the circumstances at the time. Risk appetite should be considered at different levels including:
• corporate risk appetite;
• delegated risk appetite; and
• project risk appetite.
Appendix 8 explores these concepts in more detail in a model of risk appetite that was developed by HM Treasury.
Applications of risk appetite
3.18 As part of its procedure manual the Department for Regional Development has developed a grid (see figure 7) which identifies how risk appetite will influence the behaviour of decision makers when considering the various categories of risk.
Figure 7: Department for Regional Development: Risk appetite and categories

Averse: Avoidance of risk and uncertainty or for safe options that have a low degree of inherent risk and may only have limited potential for reward is a key objective.
Open: Willing to consider all options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward.
Hungry: Eager to be innovative and to choose options based on potential higher rewards (despite greater inherent risk).

Category of risk: Reputation, Political and Societal – example behaviours when taking key decisions
  Averse:
  • Minimal tolerance for any decisions that could lead to scrutiny of the Department or Agency is limited to those events where there is little chance of any significant repercussion should there be a failure
  Open:
  • Appetite to take decisions with potential to expose the Department or Agency to additional scrutiny but only where appropriate steps have been taken to minimise exposure
  Hungry:
  • Appetite to take decisions which are likely to bring scrutiny of the Department or Agency but where potential benefits outweigh the risks

Category of risk: Operational – example behaviours when taking key decisions
  Averse:
  • Defensive approach to objectives – aim to maintain or protect, rather than to create. Innovations generally avoided unless necessary
  • Priority for tight management controls and oversight with limited devolved decision making authority
  • Decision making authority generally held by senior management
  • General avoidance of systems/technology developments. Occasional developments are limited to improvements to protection of current operations
  Open:
  • Innovation supported, with demonstration of commensurate improvements in management control
  • Systems/technology developments considered to enable operational delivery
  • Responsibility for non-critical decisions may be devolved
  Hungry:
  • Innovation pursued – desire to 'break the mould' and challenge current working practices
  • New technologies viewed as a key enabler of operational delivery
  • High levels of devolved authority – management by trust rather than tight control

Category of risk: Financial – example behaviours when taking key decisions
  Averse:
  • Avoidance/limited financial loss is a key objective
  • Only willing to accept the low cost option
  • Resources withdrawn from non-essential activities or restricted to core operational targets
  Open:
  • Prepared to invest for reward and minimise the possibility of financial loss by managing the risks to a tolerable level
  • Value and benefits considered (not just cheapest price)
  • Resources allocated in order to capitalise on potential opportunities
  Hungry:
  • Prepared to invest for the best possible reward and accept the possibility of financial loss (although controls may be in place).
  • Resources allocated without firm guarantee of return – 'investment capital' type approach

Category of risk: Compliance – legal / environmental – example behaviours when taking key decisions
  Averse:
  • Avoid most things which could be challenged, even unsuccessfully
  • Limited tolerance for sticking neck out. Would want to be reasonably sure of successful outcome of any challenge
  • Play safe
  Open:
  • Challenge will be problematic but we are likely to win it and the gain will outweigh the adverse consequences
  Hungry:
  • Chances of losing are high and consequences serious. But a win would be seen as a great coup
Step 4: Addressing the risk
3.19 There are four standard traditional responses to addressing risk (see figure 8). The choice of approach taken will depend on factors such as cost, feasibility, probability and potential impact. By addressing the risks identified, organisations can constrain threats and take advantage of opportunities.
Figure 8: Actions to address risk

Terminate – A decision is made not to take the risk or cease the activity which causes the risk. Where the risks outweigh the possible benefits, risk can be terminated by doing things differently and thus removing the risk, where it is feasible to do so. This is not always possible in the provision of public services or mandated or regulatory measures but the option of closing down a project or programme where the benefits are in doubt must be a real one. For example, DFP took the decision to terminate Procurement for the Workplace 2010 programme when it became apparent in late 2008 that the prevailing conditions in the financial markets meant that it would be extremely difficult for bidders to raise the finance required to fund the project. This, coupled with the fact that the two companies shortlisted to submit best and final offers (BAFOs) announced a possible merger during the BAFO process, meant there was a serious risk that value for money could not be achieved on the project.

Tolerate – Accept the risk. This may be where the risk is external and therefore the opportunity to control it is limited, or where the probability or impact is so low that the cost of managing it would be greater than the cost of the risk being realised. This option may be supplemented by contingency planning for handling the impacts that will arise if the risk is realised. For example, cuts in departments' budgets present a serious risk to the delivery of some services. However, cuts to budgets are outside the control of public bodies and departments must accept the cuts and develop a plan for dealing with the loss of resources.

Transfer – Where another party can take on some or all of the risk more economically or more effectively. For example, through another organisation undertaking the activity or through obtaining insurance. It is important to note that some risks are not (fully) transferable - in particular it is generally not possible to transfer reputational risk even if the delivery of the service is contracted out. The relationship with the third party to which the risk is transferred needs to be carefully managed to ensure successful transfer of risk. For example, PPP projects such as the Roads Service Westlink project and the Department of Education's Pathfinders project are examples of where risk has, to some extent, been transferred to third parties.

Treat – Mitigate the risk. In practice, this is the most common response to risk. It is achieved by eliminating the risk or reducing it to an acceptable level by prevention or another control action. Case Studies 3 and 4 illustrate the steps taken by Invest NI to reduce risk to an acceptable level when supporting two manufacturing projects.
3.20 Organisations may also want to exploit the opportunity that a risk presents and provided this is managed well, it should be encouraged. There are two aspects to this:
• at the same time as mitigating threats, an opportunity arises to exploit positive impact. For example, if a large sum of capital funding is to be put at risk in a major project, are the relevant controls judged to be good enough to justify increasing the sum of money at stake to gain even greater advantages; and
• circumstances arise which, whilst not generating threats, offer positive opportunities, for example, a drop in the cost of goods or services frees up resources which can be redeployed.
3.21 Invest Northern Ireland's (Invest NI) role is to grow the economy by helping new and existing businesses to compete internationally, and by attracting new investment to Northern Ireland. In order to deliver on its business objectives and support economic growth in Northern Ireland, Invest NI must embrace risk to a greater extent than other public sector bodies. Therefore, Invest NI will have a greater appetite for risk than other public sector bodies. While Invest NI has a unique outlook on risk as a result of its operating environment, there are lessons that can be learnt by other public sector bodies.
Case Study 3: Invest NI - Risk management in a successful project
Background: Invest NI provided approximately £3.5 million of a £10 million investment to support a high technology manufacturing company in Belfast whose parent company had withdrawn its support. The project proposed the creation of 52 new posts, many of which would be filled by highly skilled PhD engineers and scientists.
Risk assessment: Invest NI undertook a risk assessment of the project and identified the project as high risk for the following reasons:
• Sales achievability - a functioning prototype had not achieved commercialisation;
• A specific technical issue in the manufacturing process required resolution;
• There was a dependency on customers to incorporate the company's product into their own products; and
• There was a reliance on a small number of key individuals.
Rationale for proceeding: Whilst the project was regarded as high risk, the appraisal identified the potential for significant commercial returns. The management team was assessed to be credible; a clear market opportunity had been identified and verified by a detailed market appraisal; an external technical appraisal identified there was a reasonable expectation that the Research and Development required to develop the product was achievable; and it was checked and confirmed that the promoters had ownership of the intellectual property underpinning their product.
How Invest NI ensured that risk was reduced to an acceptable level: Reflecting the balance between project risk and the potential commercial return, Invest NI's financial assistance contained a significant element of ordinary share capital offering a return to the taxpayer should the project be implemented successfully.
Use of pre-conditions (to be satisfied in full before any assistance could be paid) and general conditions offered clarity and surety around:
• access to, and rights over, intellectual property;
• evidence of introduction of cash by other investors;
• timely provision of management and year end accounts to Invest NI;
• restrictions on making loans, paying dividends and remuneration levels to directors and senior managers; and
• payment of financial assistance dependent on the achievement of specified milestones including the introduction of additional capital by the promoters.
Outcome of this project: The project, which was initiated in 2005, is currently the subject of a Post Project Evaluation. Whilst loss making, manufacturing operations continue at the premises, employment is in line with projections and the Research and Development objectives of the project have been largely met. On the basis of the latest funding round, there is evidence to suggest that the value of Invest NI's shareholding has increased measurably and there is the potential that Invest NI's investment can be recouped either by additional external investment or further investment by existing shareholders.
How risk management contributed to the outcome: The risk element of this project was managed by maintaining a close relationship with the company; by ensuring that all pre-conditions were met before any payment of grant was made; that all general conditions were fully applied and met; and by regular monitoring of performance against targets and milestones, including receipt of copies of papers related to the company's Board meetings.
Source: Invest NI
Case Study 4: Limiting exposure in an unsuccessful project through risk management
Background: A small and technically skilled management team established a company having previously worked at the Northern Ireland site of a large international organisation. The promoters had identified a number of complex software solutions for global markets. An estimated 80 jobs were to be created.
Invest NI provided grant support of some £85,000 and preference share capital of approximately £1.2m to the new venture to assist in the development of a number of software applications to a marketable point.
Risk assessment: As a start up venture with no track record and substantial Research & Development to carry out, the project was regarded as high risk, for the following reasons:
• whilst some applications were technically feasible and market ready, no sales had been achieved to date;
• further products required substantial development;
• reliance on 3rd party joint ventures and alliances to develop market opportunities;
• time slippage;
• management – technically able but lacking in commercial experience and acumen; and
• cash flow and funding – the company required skilled and expensive engineers to develop and support the software applications.
Rationale for proceeding: Whilst the project was regarded as high risk, independent commercial appraisal identified a credible market opportunity.
The company had secured venture capital funding and a number of products were market ready. The management team had been strengthened and Invest NI had structured its investment to minimise risks.
How Invest NI ensured that risk was reduced to an acceptable level: Invest NI supported the project by convertible redeemable preference shares offering a return to the taxpayer and an option to convert to ordinary share capital. Invest NI funds were released in tranches against specified milestones such as the introduction of match funding from the promoters and securing additional bank funding.
The management team was strengthened by the introduction of marketing expertise and an experienced company chairman.
Invest NI made its investment payments in tranches in order to ensure that sufficient progress had been made against product development objectives.
Outcome of this project: The project did not succeed as planned. Sales were slower than expected, cash flow became critical and the company was unable to complete a further funding round.
The company went into administration approximately three years after Invest NI's initial funding. Invest NI sought to recover monies paid to the company, but there were insufficient assets.
How risk management contributed to the outcome: Invest NI recognised that this project presented significant challenges. The technical skills of the promoters and employees were impressive and independent appraisals had confirmed the potential market opportunity. The project was closely monitored, which allowed Invest NI to limit its exposure when the risks became too great to add to.
The company's technology and business were subsequently taken on by a newly established company under new control. This company continues to trade successfully with a number of employees from the original company.
Source: Invest NI

Good Practice - Pursuing opportunities
• Organisations should give careful consideration to the opportunity that risks may present when designing their risk responses. The project identified in Case Study 1 was considered to be high risk however, this was outweighed by the potential opportunity that the project presented for the NI economy. The project has been very successful to date despite the initial risk assessment and this is due largely to risk being managed well.
• It is important to recognise that although risk may be managed well, a project may not achieve the desired outcomes. Provided there is sufficient evidence that risk has been managed appropriately, organisations should avoid a culture of blame but should take the opportunity to identify lessons that can be applied in the future.
• The case studies outlined above illustrate that projects may have entirely different outcomes despite managing risks in a consistent manner. This is because it is not possible to entirely eliminate risk; there will always be a level of residual risk that cannot be addressed. It is essential, therefore, that public bodies identify their risk appetite and minimise risk to an acceptable level.
• All projects should be subject to a post project evaluation to identify and promulgate any lessons learnt.
3.22 The option to "treat" in addressing risk can be further analysed into four different types of controls:
Preventative controls are designed to limit the possibility of an undesirable outcome being realised. The majority of controls implemented belong to this category. Examples include password access to computers, supervisory checks and independent authorisations on payments made to suppliers.
Directive controls are designed to ensure that a particular outcome is achieved. Examples include a requirement that protective clothing be worn during the performance of dangerous duties, or that staff are trained before being allowed to work unsupervised.
Corrective controls (reversibility) are designed to correct undesirable outcomes which have been realised. Applied after the event, these may consist of contractual remedies to recover overpayments or obtain damages or a detailed contingency plan that will be triggered by an event (e.g. disaster recovery or business contingency plans).
Detective controls are designed to identify occasions of undesirable outcomes having been realised. By definition these are after the event, so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset checks, reconciliations, post implementation reviews.
3.23 HM Treasury's 'Orange Book' [3] emphasises that in designing controls, "it is important that the control put in place is proportional to the risk. Apart from the most extreme undesirable outcome (such as loss of human life) it is normally sufficient to design controls to give reasonable assurance of confining likely loss within the risk appetite of the organisation. Every control action has an associated cost and it is important that the control action offers value for money in relation to the risk that it is controlling. Generally speaking the purpose of control is to constrain risk rather than eliminate it."
3.24 Taking account of the controls that have been put in place organisations should repeat the earlier risk assessment in terms of likelihood and impact to identify the "residual" risk. This risk assessment will generally result in a lower rating for likelihood. The impact of a risk maturing can be reduced by putting in place a contingency plan that will address how the risk will be dealt with in the event of it maturing.
Step 5: Recording and reviewing risk
3.25 The risk management process is evidenced through the maintenance of risk registers. Risk registers should be maintained throughout the organisation at both operational and strategic level. The aim of the risk register is to capture, maintain and monitor information on the risk to realisation of a specific objective and the associated control actions that have been put in place to mitigate that risk. Although each department will develop its own template for recording risk, the key components are as follows (see Appendix 7 for illustration):
• the business/corporate objective affected;
• details of risk(s);
• inherent risk assessment – impact and likelihood;
• risk response;
• residual risk assessment – impact and likelihood;
• planned action;
• target date; and
• risk ownership.
Risk registers are living documents which should be updated regularly.

[3] The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, October 2004.
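The following Python is an added illustration, not code from the NIAO report or from any department's register system. It encodes the Figure 4 matrix as a rating function, models a register row with the key components listed in paragraph 3.25 (the first sample entry reproduces the Figure 5 extract), carries the residual reassessment of paragraph 3.24, and applies the continuous review of paragraph 3.6 by dropping closed risks so the register does not become cluttered. The register entries, objectives, owner titles and target date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """High/Medium/Low scale used for both impact and likelihood (Figure 4)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def rag_rating(impact: Level, likelihood: Level) -> str:
    """Map an impact/likelihood pair onto the GREEN/AMBER/RED cells of Figure 4.

    Adding the two levels reproduces the matrix exactly: a sum of 2 or 3 is
    GREEN, 4 is AMBER (the Low/High, Medium/Medium and High/Low diagonal)
    and 5 or 6 is RED.
    """
    score = int(impact) + int(likelihood)
    if score <= 3:
        return "GREEN"
    if score == 4:
        return "AMBER"
    return "RED"


@dataclass
class RiskEntry:
    """One row of a risk register with the components listed in paragraph 3.25."""
    objective: str                 # business/corporate objective affected
    risk: str                      # details of the risk
    inherent_impact: Level         # inherent assessment (step 2)
    inherent_likelihood: Level
    controls: List[str]            # risk response (step 4)
    residual_impact: Level         # residual assessment after controls
    residual_likelihood: Level
    owner: str                     # a named individual role, not a group
    planned_action: str = ""
    target_date: Optional[date] = None
    closed: bool = False           # set when fully addressed or no longer valid

    def inherent_rating(self) -> str:
        return rag_rating(self.inherent_impact, self.inherent_likelihood)

    def residual_rating(self) -> str:
        return rag_rating(self.residual_impact, self.residual_likelihood)


def validate(entry: RiskEntry) -> List[str]:
    """Checks a register reviewer would apply to a single entry."""
    problems = []
    # A control is assumed effective, so residual exposure cannot exceed inherent.
    if (entry.residual_impact > entry.inherent_impact
            or entry.residual_likelihood > entry.inherent_likelihood):
        problems.append("residual assessment exceeds inherent assessment")
    # An AMBER or RED inherent risk with no documented response is untreated.
    if not entry.controls and entry.inherent_rating() != "GREEN":
        problems.append("no risk response recorded")
    if not entry.owner.strip():
        problems.append("no risk owner")
    return problems


def current_risks(register: List[RiskEntry]) -> List[RiskEntry]:
    """Continuous review: drop closed risks, then order by inherent rating, highest first."""
    order = {"RED": 0, "AMBER": 1, "GREEN": 2}
    live = [r for r in register if not r.closed]
    return sorted(live, key=lambda r: (order[r.inherent_rating()], order[r.residual_rating()]))


# Constructed sample register; the first entry mirrors the Figure 5 extract.
SAMPLE_REGISTER = [
    RiskEntry(
        objective="Deliver the new case management system on schedule",  # constructed
        risk="Project deadline will not be met",
        inherent_impact=Level.HIGH, inherent_likelihood=Level.HIGH,
        controls=[
            "Project Board established and Senior Responsible Owner identified",
            "Regular monitoring of reported progress against milestones",
            "Contract penalties for project overruns",
        ],
        residual_impact=Level.MEDIUM, residual_likelihood=Level.LOW,
        owner="Finance Director",
        planned_action="Review milestone slippage at next Project Board",
        target_date=date(2011, 9, 30),  # constructed
    ),
    RiskEntry(
        objective="Maintain continuity of payroll processing",  # constructed
        risk="Payroll system unavailable at month end",
        inherent_impact=Level.HIGH, inherent_likelihood=Level.MEDIUM,
        controls=[],                  # no response recorded yet
        residual_impact=Level.HIGH, residual_likelihood=Level.MEDIUM,
        owner="Head of Human Resources",
    ),
    RiskEntry(
        objective="Comply with records retention obligations",  # constructed
        risk="Legacy records retained beyond retention period",
        inherent_impact=Level.MEDIUM, inherent_likelihood=Level.LOW,
        controls=["Records destroyed under the approved retention schedule"],
        residual_impact=Level.LOW, residual_likelihood=Level.LOW,
        owner="Head of Information Governance",
        closed=True,                  # fully addressed: removed on review
    ),
]


if __name__ == "__main__":
    for entry in current_risks(SAMPLE_REGISTER):
        print(f"{entry.inherent_rating():5} -> {entry.residual_rating():5}  {entry.risk}  ({entry.owner})")
        for problem in validate(entry):
            print("   !", problem)
```

Running the block lists the two live risks with the untreated payroll risk first (RED inherent, RED residual, flagged "no risk response recorded") and the Figure 5 risk second (RED inherent reduced to GREEN residual); the closed records risk is omitted, which is the clean-up paragraph 3.6 asks for.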
Good Practice – Use of Information Technology
Many public bodies use Microsoft Excel to record and monitor their risk registers. The Department of Finance and Personnel (DFP) has developed and implemented a bespoke Information Technology system which records the department's targets, objectives and associated risks and is used to provide quarterly information to the Board and the Audit and Risk Committee. The application enables individual business areas to update departmental targets and risks and can also be used to monitor progress against business plans.
DFP identified a number of benefits of using this application:
• It provides the ability to link risks to business plan targets;
• It provides the ability for business areas to update the risk status and the controls and management actions that have been put in place to mitigate against the risks;
• It assigns risk owners at departmental board level for corporate risks;
• Risks can be escalated to divisional, directorate and departmental levels as appropriate; and
• It produces the corporate risk register which is provided to both the Board and the Audit and Risk Committee.
Fraud risk assessment
3.26 All organisations are subject to fraud risks and therefore should complete a fraud risk assessment on a periodic basis. A detailed fraud assessment needs to be performed by division and/or function. Functions and services that need to be included in the assessment are finance and accounting, human resources management (payroll), purchasing and contracting, and information technology. As a part of the assessment, organisations need to look at the control environment and information technology, as both have a significant effect on fraud risk for most functions.
3.27 An effective fraud risk management assessment should identify where fraud may occur and who the perpetrators might be. Control activities should always consider both internal and external fraud.
3.28 A fraud risk assessment will include the same three key elements of any other risk assessment:
• Identify inherent fraud risk — Gather information to obtain the population of fraud risks that could apply to the organisation. Included in this process is the explicit consideration of all types of fraud scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organisation;
• Assess likelihood and significance of inherent fraud risk — Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with relevant staff, including business process owners; and
• Respond to reasonably likely and significant inherent and residual fraud risks — Decide what the response should be to address the identified risks.
Appendix 9 provides a practical example of a fraud risk assessment.
Part Four: Accountability
Responsibilities
4.1 With the right culture risk management should become inherent in the organisation's operations and in the roles and responsibilities of staff. In order to promote and embed such a risk management culture organisations should focus on the following key drivers:
• Communication: Everyone should be aware of the organisation's risk appetite, along with the corresponding policy, strategy and processes. Staff should be aware of the process to raise risk related issues which should be clearly documented and communicated. It is important that staff feel confident in raising risk related issues even when this may present negative impacts for the organisation. Staff must also be confident that any issues or concerns that they raise will be considered at an appropriate level and will, where necessary, be acted upon;
• Leadership: The Accounting Officer and senior managers have a key role in embedding the risk management culture. They should promote risk management through their own behaviours and actions by encouraging others;
• Resource: Risk owners should have the necessary resources at their disposal to implement risk responses. They should also be well equipped and supported to manage risk. This will involve providing the relevant training and access to risk management advice and expertise; and
• Ownership and responsibility: Risk management responsibilities should be clearly linked to personal objectives and to the performance appraisal system. Relevant staff should be empowered to take well managed risks in the knowledge that they will not be blamed for any negative outcomes providing risk has been managed in a way which is consistent with the organisation's risk appetite.
Governance
4.2 A public body's Board and Audit and Risk Committee have vital roles to play in the governance of risk management (see figure 2). In line with good governance, the Board should include non-executive directors and the Audit and Risk Committee should be chaired by a non-executive director. This should contribute to an independent review of the risk management strategy and the corporate risk register.
Good Practice – Risk review group
The Department of Agriculture and Rural Development (DARD) established a Risk Review Group (RRG) in June 2007 as a committee to coordinate and champion risk management and reporting of risk. The RRG is a subgroup of the Corporate Governance Audit Committee (CGAC), is chaired by a non-executive director and comprises representatives of all business groups within the department. It meets four times per year and reports back to the CGAC.
4.3 The public bodies that we reviewed indicated that the risk register was a standing item on the agenda of the Audit and Risk Committee and in most cases the full Board reviewed the corporate risk register either monthly or quarterly.
Good Practice – Provision of information to the Board
DARD currently prepares a risk commentary which is presented to and reviewed by the Board on a monthly basis. The risk commentary is coordinated by the Head of Financial Policy and commentary is sought from across all business areas. This process assists the Board in conducting a high level review of the corporate risk register on a regular basis.
Reporting
4.4 An organisation's system of internal control is designed to manage risk to an acceptable level. In accordance with Managing Public Money Northern Ireland, the Accounting Officer must report annually on the system of internal control by preparing and signing a Statement on Internal Control. The Statement on Internal Control should reflect on the system of internal control in operation in the department and its ALBs throughout the year, and should highlight any significant internal control weaknesses or failures.
4.5 In order to assist the Accounting Officer in fulfilling his or her responsibilities, departments indicated that they have put in place a process for stewardship reporting. In most cases this involves the head of each division in the core department, and the Accounting Officer in each ALB submitting a stewardship statement to the Accounting Officer at least biannually (in some cases quarterly). The stewardship statements should reflect any significant internal control issues in the relevant ALB or division and should be timed to support the Accounting Officer in his/her preparation of the Statement on Internal Control. The National Audit Office has produced guidance on the arrangements for the production of the Statement on Internal Control [4], [5].

[4] A Good Practice Guide to the Statement on Internal Control, National Audit Office, 2010
[5] DAO (DFP) 02/10 The Statement on Internal Control: a Guide for Audit Committees
Good Practice - Stewardship reporting
TheOfficeoftheFirstMinisterandDeputyFirstMinister(OFMDFM)recentlyredesignedandexpandeditsstewardshipreportingprocesstoaddressawiderrangeofgovernanceandcontrolissuesandissuedguidanceoncorporate/businessareariskframeworkstostaff.Theframeworkprovidesachecklistforcompletionofquarterlystewardshipstatementswhichcoverselevenkeyareasofrisk(OFMDFM’sproformastewardshipstatementisprovidedatAppendix10).
Incompletingthestewardshipstatements,directorsandAccountingOfficersreflecton:
• any findings emerging from recent internal audit reviews undertaken in the business area;
• findings emerging from the year-end audit of the department's Resource Accounts by NIAO;
• any control and approval issues highlighted by the Department of Finance and Personnel's annual review of consultancy spend;
• matters arising from in-year asset verification exercises; and
• any issues that may have emerged in relation to the sponsorship of Non-departmental Public Bodies.
Significant internal control issues should be identified and commented on in the statement, including proposed remedial action to minimise the impact of identified risks materialising.
Assurance
4.6 HM Treasury Guidance states that "assurance draws attention to the aspects of risk management, governance and internal control that are functioning effectively and the aspects which need to be given attention to improve them. Assurance helps a Board to judge whether or not its agenda is focussing on the issues that are most significant in relation to achieving the organisation's objectives and whether best use is being made of resources".6 There are a number of ways in which organisations might seek assurances that the risk management strategy and procedures in place provide an adequate level of assurance to their Board and audit committee:
• Internal Audit – conduct and report on an annual programme of work. The Head of Internal Audit will adopt a risk based approach to planning its work, referring to organisational risk registers in identifying topics for review. In addition to individual audit reports that the Head of Internal Audit will produce to record the audit findings of individual audit assignments, he/she will prepare an annual report giving his/her opinion on risk management, control and governance which is generally timed to support and inform the Accounting Officer's Statement on Internal Control. The annual report will provide an overview of the internal audit work undertaken throughout the year and will highlight any limited assurance ratings. HM Treasury Guidance highlights that, "the work of Internal Audit is likely to be the single most significant resource use by the Audit Committee in discharging its responsibilities. This is because the Head of Internal Audit, in accordance with the Government Internal Audit Standards, has a responsibility to offer an annual audit opinion on the overall adequacy and effectiveness of the organisation's risk management, control and governance processes".
6 HM Treasury – Audit Committee Handbook
Good Practice - Internal Audit review of the risk management process
As part of the Department of Culture, Arts and Leisure's recent review of its risk management framework it has introduced a requirement for Internal Audit to perform an annual review, with the objective of providing the Board and the Audit and Risk Committee with an opinion on the Department's risk management process and risk registers. This review will be timed to support the Accounting Officer in signing the Statement on Internal Control.
• External audit – will issue a report to those charged with governance as part of the year-end audit of the financial statements. This report will highlight any internal control or governance issues that have been identified during the external audit procedures.
• Other audit and verification exercises – public bodies may be subject to a range of additional audit, inspection and verification exercises as a result of the nature of their business and the funding that has been received. These exercises may result in other audit bodies bringing internal control issues to the attention of the Audit and Risk Committee and the Board.
• Statement on Internal Control – should be reviewed by the Audit Committee to ensure that the information presented in the statement is complete and accurately reflects other information relating to risk and internal control that has been presented to the committee throughout the year. The National Audit Office published guidance in 'The Statement on Internal Control: A Guide for Audit Committees' in 2010.
• Self-assessment – it is recognised that it is good practice for Audit and Risk Committees to conduct a self-assessment annually. The National Audit Office published 'The Audit Committee Self-Assessment Checklist' in November 2009 and this includes a section on internal control.
Good Practice - National Audit Office
Audit Committee self-assessment – Internal control issues for consideration
• Does the Audit Committee consider whether corporate governance is embedded throughout the organisation, rather than treated as a compliance exercise?
• Does the Audit Committee consider whether the system of internal reporting gives early warning of control failures and emerging risks?
• Does the Audit Committee consider whether the Statement on Internal Control is sufficiently comprehensive and meaningful, and the evidence that underpins it?
• Does the Audit Committee satisfy itself that the system of internal control has operated effectively throughout the reporting period?
• Does the audit committee consider whether financial control, including the structure of delegations, enables the organisation to achieve its objectives and achieve good value for money?
• Does the audit committee monitor whether the organisation's procedures for identifying and managing business risk have regard for the relevant legislation and regulation?
• Third-party review – public bodies may seek independent assurance from third parties on their risk management process and risk registers.
Good Practice – Third party reviews
As part of a wider review of its risk management processes, the Department for Social Development recently engaged another NICS department to conduct a review of its corporate risk register. This worked well in practice as it provided an independent assessment of the risk register. Due to the similar nature of the body undertaking the review there was a common understanding of how risk management should be applied in the public sector environment.
The Department for Regional Development employed consultants to undertake a performance assessment of its risk management strategy. This exercise provided valuable lessons on how to apply best practice.
4.7 The assurance provided by the various methods identified above should assist the audit and risk committee in identifying where risk is:
• managed adequately and appropriately;
• controlled inadequately; or
• controlled excessively.
Where risks are managed adequately and appropriately no further action is required other than to monitor and review the risk. However, where a risk is controlled inadequately, measures to improve the risk response must be implemented. In the current economic climate there is an increasing pressure on resources. It is therefore essential that public bodies take a measured approach in managing risk and consider the cost/benefit that controls represent. Due to the traditionally risk averse nature of the public sector it is not uncommon to find excessive controls in operation. This can result in significant waste and by identifying such measures it may be possible to identify cost savings. The role of the Audit Committee is to advise the Board on such matters, to enable it to make an informed decision. The Audit Committee must, however, ensure that it maintains independence to avoid becoming involved in executive risk management responsibilities.
Appendices
Appendix 1 Risk management checklist (paragraph 1.4)
1. Risk Management Framework
1.1 Does the organisation have an established risk management function, e.g. a risk champion, risk manager, risk management department, risk committee?
1.2 How is risk management sponsored by the Accounting Officer, and responsibility shared with the Board and the Senior Management team?
1.3 Is the organisation's approach to risk fully documented and widely distributed? (i.e. risk appetite)
1.4 How has risk management been embedded in the following processes:
– Performance management
– Operational management
– Financial management
– Business planning
1.5 How have the following contributed to the development of risk management within your organisation?
– HM Treasury Orange Book
– Internal Audit
– External Audit
– Other (please detail)
1.6 Does the organisation have a risk management strategy and/or policy?
1.7 Has the risk management strategy/policy been endorsed by the Accounting Officer/Board/Audit and Risk Committee?
1.8 How has the risk management strategy/policy been promulgated to staff?
1.9 How often is the risk management strategy/policy reviewed? When was the strategy/policy last reviewed/updated?
1.10 How does the risk management strategy promote the need for effective communication to all relevant stakeholders?
1.11 How does the risk strategy/policy outline how risk should be considered at each level (strategic and operational) throughout the organisation?
1.12 What process is in place for escalating risks throughout the organisation?
1.13 Is there a contingency or business continuity plan in place? If so, how often is it tested?
1.14 Is there an IT recovery plan in place? If so, how often is it tested?
1.15 Is there a communications strategy in place that can be applied in the event of risk maturing?
2. Risk Management Process
2.1 Are the responsibilities of all staff clearly defined and regularly reviewed?
2.2 Do risk registers record the following information:
– Identified risks
– Inherent risk assessment (impact and likelihood)
– Response to risk
– Residual risk assessment (impact and likelihood)
– Risk ownership
– Timescale for actions required
2.3 Is there a risk register in place which has identified the risks to the organisation at a strategic (organisational) level?
2.4 Are risk registers maintained at an operational (divisional) level?
2.5 Are risk registers maintained at a project level or does evidence exist that risks are assessed for projects individually?
2.6 How often are risk registers reviewed?
2.7 What techniques are used by the organisation in identifying risks?
2.8 How have the risks identified been linked to the objectives of the organisation?
2.9 How have risks been ranked and prioritised for action?
2.10 How regularly are the responses to key risks monitored?
2.11 Who is responsible for monitoring the risks?
2.12 Is there any early warning system in place to identify any threats that may contribute to the realisation of key risks?
2.13 Is there a policy in place for managing the risks associated with working with partners at project level?
2.14 How are risks associated with working with partners at project level identified and managed?
2.15 What is the process in place for reviewing the risk assessment throughout the project lifecycle?
2.16 How does the rigour of this process vary according to the size/duration/profile of the project?
2.17 What IT software does the organisation use in its risk management process?
2.18 How is risk management incorporated into the organisation's training programme? Is risk management included in induction training for all new staff?
2.19 Is there any form of ongoing risk communication across the organisation?
2.20 Does the organisation maintain a risk database?
3. Accountability
3.1 Have responsibilities for identifying, managing and reporting risk been established? How regularly are these responsibilities reviewed?
3.2 Are responsibilities in relation to risk reflected in personal objectives and the performance appraisal system?
3.3 What measures have the executive directors put in place for reporting on the risk management process to the Board and the Audit and Risk Committee?
3.4 How frequently does risk management appear on the Board agenda?
3.5 How does the Board/Senior Management team assure themselves that they have identified all of the organisation's risks?
3.6 What references have been made to the risk management process in the annual report?
3.7 Have any significant internal control issues relating to identified risks been highlighted in the Statement on Internal Control in recent years?
3.8 How does the Internal Audit Service use the risk management framework when planning their work?
3.9 How does the organisation ensure that systems of internal control are operating robustly?
3.10 How does the organisation gain independent assurance on the effectiveness of its risk management process?
Appendix 2 Participants (paragraph 1.4)
The following public sector bodies assisted our review by completing the risk management checklist.
1. Department of Agriculture and Rural Development
2. Department of Culture, Arts and Leisure
3. Department of Education
4. Department for Employment and Learning
5. Department of Enterprise, Trade and Investment
6. Department of Finance and Personnel
7. Department of Health, Social Services and Public Safety
8. Department of the Environment
9. Department of Justice
10. Department for Regional Development
11. Department for Social Development
12. Invest Northern Ireland
13. Northern Ireland Assembly
14. Northern Ireland Ombudsman and Commissioner for Complaints
15. Office of the First Minister and Deputy First Minister
16. Public Prosecution Service
Appendix 3 HM Treasury Audit Committee Handbook – Key questions for an Audit Committee to ask (paragraph 2.5)
On the strategic processes for risk, control and governance, how do we know:
• that the risk management culture is appropriate?
• that there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
• that the Risk Register is an appropriate reflection of the risks facing the organisation?
• that appropriate ownership of risk is in place?
• that management has an appropriate view of how effective internal control is?
• that risk management is carried out in a way that really benefits the organisation or is it treated as a box ticking exercise?
• that the organisation as a whole is aware of the importance of risk management and of the organisation's risk priorities?
• that the system of internal control will provide indicators of things going wrong?
• that the Accounting Officer's annual 'Statement on Internal Control' is meaningful, and what evidence underpins it?
• that the Statement on Internal Control appropriately discloses action to deal with material problems?
• that the Board is appropriately considering the results of the effectiveness review underpinning the Statement on Internal Control?
On risk management processes, how do we know:
• how senior management and Ministers support and promote risk management?
• how well people are equipped and supported to manage risk well?
• that there is a clear risk strategy and policies?
• that there are effective arrangements for managing risks with partners?
• that the organisation's processes incorporate effective risk management?
• if risks are handled well?
• if risk management contributes to achieving outcomes?
Appendix 4 Department of Health, Social Services and Public Safety – Extract from communications plan (paragraph 2.12)
Devising a Communications Strategy
The following strategic questions are to be considered when devising the Communications Strategy.
• What is the nature of the event or incident that has occurred and has a commonly understood picture of the incident been reached?
• Does the incident point to a deeper issue or problem that could impact upon the reputation of the Department?
• Has the incident finished or is there potential for more to come and if so what are the timescales?
• How bad could this get and what is the most realistic worst-case scenario?
• What will our stakeholders (internal and external) make of this situation?
• What does the Department stand to lose because of this incident?
• What allies can the Department involve?
Key Message Checklist
The following should be considered in relation to message content and tone:
• Provide as much information on the incident that is available and verified as factual.
• Provide a human face that shows the Department cares.
• Provide reassurance that any risks have passed, or that action is underway to mitigate any risks, and tell people what they too can do.
• Outline a solid history in regards to incidents and incident management.
• Provide details of when and how further information will be made available.
• Provide written background briefs on the Department outlining the role of the DHSSPS and its main services.
• Provide detailed evidence to back any claims made.
The following steps form a useful guide for Communications Planning:
• Design and issue a holding statement
• Assess the situation
• Select a communications strategy and target audiences
• Implement the communications plan
• Inform staff and ensure information is centralised & coordinated
• Select the most appropriate messages and means of delivery
• When asked, provide information and reassurance
• Avoid confrontation and remain flexible
• Consider the long term strategic implications
Appendix 5 HM Treasury Orange Book – Categories of risk (paragraph 3.2)
External (arising from the external environment, not wholly within the organisation's control, but where action can be taken to mitigate it)
Political: Change of government; cross cutting policy decisions; machinery of government changes (eg devolution)
Economic: Ability to attract and retain staff in the labour market; exchange rates affect costs of international transactions; effect of global economy on NI economy
Socio-cultural: Demographic changes affect demand for services; stakeholders' expectations change
Technological: Obsolescence of current systems; cost of procuring best technology available; opportunity arising from technological development
Legal/regulatory: EU requirements/laws which impose requirements (such as health and safety or employment legislation)
Environmental: Buildings need to comply with changing standards; disposal of rubbish and surplus equipment needs to comply with changing standards
Operational (relating to existing operations – both current delivery and building and maintaining capacity and capability)
Service/product failure: Fail to deliver the service to the user within agreed/set terms
Project delivery: Fail to deliver on time/budget/specification
Resources: Financial (insufficient funding, poor budget management, fraud); HR (staff capacity, skills, recruitment and retention); Information (adequacy for decision making, protection of privacy); Physical assets (loss, damage, theft)
Relationships: Delivery partners (threats to commitment to relationship, clarity of roles); Customers/service users (satisfaction with delivery); Accountability (particularly to the Assembly)
Operations: Overall capacity and capability to deliver
Reputation: Confidence and trust which stakeholders have in an organisation
Governance: Regularity and propriety/compliance with relevant requirements/ethical considerations
Scanning: Failure to identify threats and opportunities
Resilience: Capacity of systems/accommodation/IT to withstand adverse impacts and crises (including war and terrorist attack); Disaster recovery/contingency planning
Security: Of assets and information
Change (risks created by decisions to pursue new endeavours beyond current capability)
PSA targets: New PSA targets challenge the organisation's capacity to deliver/ability to equip the organisation to deliver
Change Programme: Programmes for organisational or cultural change threaten current capacity to deliver as well as providing opportunity to enhance capacity
New projects: Making optimal investment decisions/prioritising between projects which are competing for resources
New policies: Policy decisions create expectations where the organisation has uncertainty about delivery
Appendix 6 Department for Regional Development – Risk checklist (paragraph 3.3)
A risk checklist is an in-house list of risks that were identified or occurred during previous organisational activities. They permit managers to capture lessons learned and assess whether similar risks are relevant to current activities.
This checklist should be used as a means of kick starting and facilitating discussions on risks which may impact on the achievement of business objectives. It should be noted that these risks are not exhaustive and it is expected that business areas will develop and tailor this to meet their own needs as specific business risks are identified. The checklist will be updated annually following input from Departmental Risk Coordinators.
People
• Will the business area have the personnel in place to meet business objectives?
• Does everyone know and understand their roles and responsibilities?
• Do we have clear Job Descriptions, PPAs and PDPs?
• Do we have the processes and procedures in place to facilitate recruitment?
• Do we know the knowledge, skills and experience required to do the job?
• Are staff appropriately trained to deliver business objectives?
• Are staff appropriately trained in navigating the HR Connect system?
Finance
• Has the achievement of the business objectives been effectively budgeted for in terms of financial resources?
• Are controls in place to monitor financial performance against business objectives?
• Does the business area have appropriate systems in place to report on financial performance?
• Are staff appropriately trained on Account NI procedures?
Data Management
• Can the business area be assured that personal details of staff and/or the public are sufficiently safeguarded?
• Does the business area have suitable data management/ICT systems in place?
• How does the business area store and transport confidential/sensitive information?
• Are passwords regularly changed and updated?
• Is everyone aware of the Departmental Data Management and Security arrangements?
• Are staff trained in using the TRIM system?
Arms Length Bodies
• Does the sponsoring division have appropriate governance arrangements with its sponsor organisation?
• Is performance of the Arms Length Body monitored and reported to Senior Management in the Department?
• Are the objectives of the ALB in line with Departmental objectives?
Service Providers
• Is the business area content that its contracts and SLAs with service providers are adequate and reflect the needs of the Department?
• Is the behaviour and performance of Service Providers monitored and reported to Senior Management?
Policy Issues
• Are project management arrangements in place to ensure the effective and timely delivery of policy?
• Does the business area have political agreement for any policy decisions?
• Have the views of stakeholders and the public been factored into the decision making process?
Emergency Planning
• Does the business area have adequate contingency planning arrangements in place in the event of an emergency?
• Are staff and/or the public (where appropriate) aware of the emergency arrangements?
Appendix 7 Department of Education - Assessment categories for impact and likelihood (paragraph 3.13)
Risk Evaluation - Impact
Impact ratings: Minor (low), Moderate (low-medium), Significant (medium), Major (medium-high), Critical (high).

Achievement of Objectives
  Minor (low): No risk to DE demonstrating achievement of its key objectives (to deliver on time, within budget etc.).
  Moderate (low-medium): Failure to deliver more than one Directorate/Programme level objective. One or more key objective is only just delivered (eg. significant delay or a downward trend).
  Significant (medium): Failure to deliver one key objective.
  Major (medium-high): Failure to deliver more than one key objective.
  Critical (high): Failure to deliver the majority of DE key objectives (PSAs/Ministerial Priorities).

Operational Delivery
  Minor (low): No interruption to service. Minor industrial protest.
  Moderate (low-medium): Some disruption manageable by altered operational routine.
  Significant (medium): Disruption to a number of operational areas within a location and possible flow on to other locations.
  Major (medium-high): All operational areas of a location compromised. Other locations may be affected.
  Critical (high): Total system dysfunction. Total shutdown of operations.

Financial
  Minor (low): Financial loss, loss of funding or inescapable unfunded pressures under £20K. +/-1% variance to budget.
  Moderate (low-medium): Financial loss, loss of funding or inescapable unfunded pressures under £100K. +/-2% variance to budget. NIAO criticism.
  Significant (medium): Financial loss, loss of funding or inescapable unfunded pressures under £250K. +/-5% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularity below SCS or within NDPBs.
  Major (medium-high): Financial loss, loss of funding or inescapable unfunded pressures under £500k. +/-10% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularity at SCS or NDPB Senior Management level.
  Critical (high): Financial loss, loss of funding or inescapable unfunded pressures over £1m. +/-15% variance to budget. NIAO qualification of accounts. Fraud, corruption and serious irregularity at Ministerial/Board or NDPB CE level.
Compliance/Regulatory/Legal
  Minor (low): Breach of local procedures not requiring external intervention/sanction.
  Moderate (low-medium): Breach of National Procedures/Standards. Potential for minor legal challenge to DE.
  Significant (medium): Breach of subordinate legislation. Failure to comply with relevant guidance results in expenditure being deemed irregular. Potential for moderate legal challenge to DE.
  Major (medium-high): Breach of Primary legislation. Potential for significant legal challenge to DE. Likelihood that damages will be awarded against DE or changes will be required to subordinate legislation to ensure compliance.
  Critical (high): Breach of national or international statutory duties. Legal challenge which halts delivery of policy. Major damages awarded against DE or changes will be required to primary legislation to ensure compliance.

Security
  Minor (low): Non-notifiable or reportable incident.
  Moderate (low-medium): Localised incident. No effect on operations.
  Significant (medium): Localised incident. Significant effect on operations.
  Major (medium-high): Significant incident involving multiple locations.
  Critical (high): Extreme incident seriously affecting continuity of operations.

Health & Well-being
  Minor (low): Isolated incident – no significant health impact.
  Moderate (low-medium): Small number of minor injuries requiring first aid treatment.
  Significant (medium): Compensatable injury/stress.
  Major (medium-high): Serious injury/stress resulting in hospitalisation. Possible fatalities. Local Child Protection issue.
  Critical (high): Fatality. Widespread Child Protection Issue.
Reputational
  Minor (low): Minor adverse publicity in local media. Event that will lead to public criticism by external stakeholders as anticipated.
  Moderate (low-medium): Significant adverse publicity in local media. Increased Assembly/Westminster scrutiny. Event that may lead to widespread public criticism.
  Significant (medium): Significant Assembly/Westminster scrutiny. Formal communication required with public. Significant adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a short period.
  Major (medium-high): Oral Statement required in Assembly. Sustained adverse publicity in national media. Incompetence/maladministration or other event that will undermine public trust or a key relationship for a sustained period or at a critical moment.
  Critical (high): Ministerial/Board/CE (NDPB)/Senior Management resignation/removal. Incompetence/maladministration or other event that will destroy public trust or a key relationship.
Risk Evaluation - Likelihood
1. Unlikely (low): >10% chance of occurrence. May occur only in exceptional circumstances. Has never occurred before within the remit of DE or any other Department. Unlikely to occur during the lifespan of the policy/programme/project/operation.
2. Remote (low-medium): 11-30% chance of occurrence. Might conceivably occur at some time. More likely not to occur than to occur. Has not occurred recently within the remit of DE or any other Department. There is a small chance that this may occur at some stage during the lifespan of the policy/programme/project/operation.
3. Possible (medium): 31-59% chance of occurrence. Could occur at some time. Has occurred recently within the remit of another Department. Might occur at some stage during the lifespan of the policy/programme/project/operation.
4. Probable (medium-high): 60-84% chance of occurrence. Will probably occur in most circumstances. More likely to occur than not to occur. Has occurred recently within the remit of DE or another Department. Likely to occur within the next 1-2 years or during the lifespan of the policy/programme/project/operation.
5. Almost Certain (high): 85% chance of occurrence. Is expected to occur in most circumstances. This is known to occur in similar projects and programmes. Happens frequently within the remit of DE or other Departments. Highly likely to occur within the financial year or lifespan of the policy/programme/project/operation – probably early on and possibly more than once.
Escalation Triggers
In order to ensure that risks are being managed at an appropriate level, there are a number of trigger points where risks should be escalated to specified levels of management as they approach or exceed their agreed risk appetite. These are set out below. However, in all cases where a risk is assessed as 'Orange', it should be brought to the attention of the DE Board. In all cases where a risk is assessed as 'Red', it should be brought to the attention of the DE Board and Minister.

Risk Assessment Matrix (score = impact rating x likelihood rating)

Impact                          Likelihood
                    Unlikely   Remote     Possible   Probable   Almost Certain
                    (>10%)     (11-30%)   (31-59%)   (60-84%)   (85%+)
                    1          2          3          4          5
Critical       5    5          10         15         20         25
Major          4    4          8          12         16         20
Significant    3    3          6          9          12         15
Moderate       2    2          4          6          8          10
Minor          1    1          2          3          4          5
Escalation Triggers

Risk Category: Health and Well-being
  Risk Appetite: Averse
  Acceptable Range (up to and including): Green
  Escalation: Risks should be elevated to Director level for consideration if assessed as Amber or higher.

Risk Category: Financial/VFM Risks; Compliance/Legal/Regulatory Risks; Information and Security
  Risk Appetite: Modest / Cautious
  Acceptable Range (up to and including): Amber
  Escalation: Risks should be elevated to Director level if assessed as Amber or higher.

Risk Category: Operational and Policy Delivery Risks; Reputation and Credibility
  Risk Appetite: Open / Hungry
  Acceptable Range (up to and including): Orange
  Escalation: Regardless of the risk appetite, DE Board should be made aware of any Directorate Risks assessed as Orange and contingency plans should be developed.

Red (all categories)
  Escalation: Regardless of the risk appetite, DE Board and Minister should be made aware of any Directorate Risks assessed as Red and advised immediately of any early warning signals that the risk may be realised. Contingency plans should also be developed and tested.
Example
• Team A identifies a risk to health and well-being that is assessed as having a residual risk score of 12. On the risk assessment matrix, 12 = Orange.
• The Department’s risk appetite for risks to Health and Well-being is described as ‘Averse’. Risks to Health and Well-being are therefore only at an acceptable level when they are assessed as ‘Green’. Any risks in an area for which the Department’s risk appetite is ‘Averse’ and which are assessed as higher than ‘Green’ should therefore be referred to the Director for consideration.
• In addition, any risks on the Directorate Risk Register which are assessed as ‘Orange’ should be drawn to the attention of the DE Board.
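The scoring and escalation routing described in Appendix 7 (residual score = impact rating x likelihood rating, a colour band, then referral to Director, DE Board or Minister depending on the category's acceptable range), written out as an added Python example. This is not code from the NIAO report or from the Department of Education. The band cut-offs are an assumption: the page only states that a score of 12 is Orange and that Green is the lowest band, so the thresholds below are placeholders consistent with that. Director-level referral is implemented as "band above the category's acceptable range", the reading the worked example gives for the Averse category. Function and class names (`escalate`, `Escalation`, `band_for`) are the example's own.

```python
"""Risk score, colour band and escalation route, modelled on the DE matrix
and escalation triggers in Appendix 7 of the NIAO report.

Added example, not the report's or the Department's code.  Band thresholds
are an ASSUMPTION (only "12 = Orange" appears on the page).
"""
from dataclasses import dataclass

# Impact and likelihood ratings from the risk assessment matrix (1-5 each).
IMPACT = {"Minor": 1, "Moderate": 2, "Significant": 3, "Major": 4, "Critical": 5}
LIKELIHOOD = {"Unlikely": 1, "Remote": 2, "Possible": 3,
              "Probable": 4, "Almost Certain": 5}

BANDS = ["Green", "Amber", "Orange", "Red"]  # ordered lowest to highest

# Acceptable range (up to and including) per risk category, taken from the
# escalation triggers table: Averse -> Green, Modest/Cautious -> Amber,
# Open/Hungry -> Orange.
APPETITE = {
    "Health and Well-being": "Green",
    "Financial/VFM": "Amber",
    "Compliance/Legal/Regulatory": "Amber",
    "Information and Security": "Amber",
    "Operational and Policy Delivery": "Orange",
    "Reputation and Credibility": "Orange",
}


def score(impact: str, likelihood: str) -> int:
    """Residual risk score = impact rating x likelihood rating (1-25)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def band_for(score_value: int) -> str:
    """Map a 1-25 score to a colour band.

    ASSUMED cut-offs; the page only tells us 12 is Orange and Green is lowest.
    """
    if score_value >= 15:
        return "Red"
    if score_value >= 10:
        return "Orange"
    if score_value >= 5:
        return "Amber"
    return "Green"


@dataclass
class Escalation:
    score: int
    band: str
    director: bool          # band is above the category's acceptable range
    de_board: bool          # any Orange or Red risk, regardless of appetite
    minister: bool          # any Red risk, regardless of appetite
    contingency_plan: bool  # develop for Orange; develop and test for Red


def escalate(category: str, impact: str, likelihood: str) -> Escalation:
    """Decide who must be told about a risk in a given category."""
    s = score(impact, likelihood)
    b = band_for(s)
    above_appetite = BANDS.index(b) > BANDS.index(APPETITE[category])
    return Escalation(
        score=s,
        band=b,
        director=above_appetite,
        de_board=b in ("Orange", "Red"),
        minister=b == "Red",
        contingency_plan=b in ("Orange", "Red"),
    )


if __name__ == "__main__":
    # The Team A case from the page: Health and Well-being, score 12.
    print(escalate("Health and Well-being", "Major", "Possible"))
    print(escalate("Information and Security", "Critical", "Probable"))
```

Run as a script it prints the routing for the Team A case (score 12, Orange, Director and DE Board) and for a Red information-security risk (Director, DE Board and Minister). Keeping the thresholds in one function makes the assumed cut-offs easy to replace with a Department's real matrix colouring.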
Appendix 8 HM Treasury Orange Book Model of risk appetite (paragraph 3.17)

Risk appetite can be further analysed into the following categories:

Corporate risk appetite is the overall amount of risk judged appropriate for an organisation to tolerate (point A). This may not be just one statement: The Office of Government Commerce (OGC), for example, look at 5 key risk areas (policy/guidance risk; people and internal systems risk; propriety, regularity, finance and accountability risk; reputation risk; external risk) and make a statement on risk appetite for each. The Board and senior managers should judge the tolerable range of exposure for the organisation and identify general boundaries for unacceptable risk (or at least for risks that should always be referred to/escalated up to the Board for discussion and decision when they arise). In doing this the Board may want to take Ministerial views on risk-taking into account.

Delegated risk appetite The agreed corporate risk appetite can then be used as a starting point for cascading levels of tolerance down the organisation, agreeing risk appetite in different levels of the organisation (point B). The anticipated effect is that what is considered a high level of risk will become a lower level of risk to a higher level of management. This facilitates both a risk escalation process for the taking of risk decisions when delegated boundaries are met and empowers people to innovate within their delegations.

[Figure: Model of risk appetite. Levels: Strategic, Programme, Operational. A. Define risk appetite; B. Identify responses to manage risks; C. Report risks (outside tolerance level); D. Agree responses potentially including reviewing risk appetite. Set and communicate general tolerances for risks.]
Project Risk Appetite Projects that fall outside of day-to-day business of an organisation may need their own statement of risk appetite. Different types of projects may require different levels of risk appetite, for example an organisation may be prepared to accept a higher level of risk for a project that would bring substantial reward.
Different types of project could be:
• Speculative (akin to venture capitalism in the corporate sector): with high risks but potentially high rewards, e.g. Invest to Save Budget projects; Pilot projects. It may be that the bulk of these projects are unsuccessful but important lessons are learnt;
• Standard development projects: for example IT, procurement, construction, etc; and
• Mission critical projects: where organisations need to be sure of success.
The level of risk appetite will obviously vary, with a speculative project prepared to take on higher levels of risk than a “Mission Critical” project.
Effective management and application of delegated risk appetite requires escalation processes. It is possible to set ‘trigger points’ where risks can be escalated to the next level of management as they approach or exceed their agreed risk appetite levels (point C). The next level up in the hierarchy would then take appropriate action, which may mean managing the risk directly, or could mean adjusting the level of risk that they are happy for the level below to manage (point D). It is also often the case that a higher level of management, with a wider portfolio of risk to manage, has more scope to accept higher risks in particular areas as they can offset them against other lower risks in their portfolio.
Appendix 9 Strategic Investment Board – Fraud risk assessment (paragraph 3.28)

ID 1
  Risk: Suppliers may submit fraudulent invoices.
  Impact: HIGH
  Countermeasures: Requirement for payment authorisation by responsible adviser/manager. Requirement for approved business cases to support all expenditure.
  Notes: Payments audited annually. System subject to internal audit in Sept 2008.

ID 2
  Risk: Finance staff may abuse systems for personal gain.
  Impact: HIGH
  Countermeasures: Dual authorisations of all payments. Separation of duties. Rotation of staff. Insistence on Finance Staff taking full leave entitlement, including at least one break of more than one week’s duration.
  Notes: Systems audited annually.

ID 3
  Risk: Temporary workers submit improperly completed timesheets.
  Impact: LOW
  Countermeasures: Checks made against MyHours and IT System log-in and log-out records. Timesheets authorised by supervisor. Rates checked by HR Manager. Invoices checked by Finance staff.
  Notes:

ID 4
  Risk: Improper claims for travel and subsistence.
  Impact: LOW
  Countermeasures: All claims require authorisation.
  Notes: Claims audited annually. Internal Audit Report 2008

ID 5
  Risk: Improper overtime claims.
  Impact: LOW
  Countermeasures: Requirement for prior approval from line manager. All claims require line management approval. Checks made by HR Manager against MyHours and IT System log-in and log-out records.
  Notes: Only administrative staff can claim for paid overtime.

ID 6
  Risk: Staff may abuse corporate credit cards.
  Impact: LOW
  Countermeasures: Fully itemised expense claims required for all expenditure using corporate credit cards. Low expenditure limits.
  Notes: Internal Audit Report 2008
Appendix 10 OFMDFM stewardship statements pro forma (paragraph 4.5)

Business area:
Report period:

Scope of responsibility
As the [Senior Officer] responsible for [ ] Directorate/Division, I have responsibility for maintaining a robust system of internal control that supports the achievement of OFMDFM’s policies, aims and objectives, whilst safeguarding the public funds and Departmental assets for which I am responsible.
The OFMDFM system of internal control has been in place and adhered to for the period of this report in the business area for which I am responsible and accords with Department of Finance and Personnel guidance.

Capacity to handle risk
My Directorate/Division is carrying out appropriate procedures to ensure that it identifies its objectives and risks and a control strategy has been devised for each of the significant risks. As a result, risk ownership has been allocated to appropriate staff.

Acknowledgement of ownership
I acknowledge my responsibility for managing corporate and key Directorate/Divisional risks and for monitoring those risks assigned to members of my management team. This statement has been informed following a thorough assessment of risk and control in my business area undertaken by each Head of Division/Branch against each of the following risk factors as appropriate (outlined in OFMDFM guidance):
• business planning;
• legislative and other authorities;
• business cases (including economic appraisal, post project evaluation and consultancy);
• consultancy;
• forecasting and monitoring of expenditure;
• procurement;
• information assurance;
• staff (including absence, gifts & hospitality);
• ALBs, NDPBs and Third Party Organisations;
• internal & external audit reports; and
• other significant issues.

Risk management status
I am satisfied that the controls in place to manage risks for which I am responsible are appropriate. They provide reasonable assurance that the risk will not occur or if it does occur that it will be detected and corrected in sufficient time to reduce the impact of the risk to tolerable or negligible levels.
Significant internal control problems
[Insert details of significant internal control problems of which the signatory is aware and the action taken to rectify these]
Head of Directorate / Division
Date:
NIAO Reports 2010-2011

Title | Date Published
2010
Campsie Office Accommodation and Synergy e-Business Incubator (SeBI) | 24 March 2010
Organised Crime: developments since the Northern Ireland Affairs Committee Report 2006 | 1 April 2010
Memorandum to the Committee of Public Accounts from the Comptroller and Auditor General for Northern Ireland: Combating organised crime | 1 April 2010
Improving public sector efficiency - Good practice checklist for public bodies | 19 May 2010
The Management of Substitution Cover for Teachers: Follow-up Report | 26 May 2010
Measuring the Performance of NI Water | 16 June 2010
Schools’ Views of their Education and Library Board 2009 | 28 June 2010
General Report on the Health and Social Care Sector by the Comptroller and Auditor General for Northern Ireland – 2009 | 30 June 2010
Financial Auditing and Reporting - Report to the Northern Ireland Assembly by the Comptroller and Auditor General 2009 | 7 July 2010
School Design and Delivery | 25 August 2010
Report on the Quality of School Design for NI Audit Office | 6 September 2010
Review of the Health and Safety Executive for Northern Ireland | 8 September 2010
Creating Effective Partnerships between Government and the Voluntary and Community Sector | 15 September 2010
CORE: A case study in the management and control of a local economic development initiative | 27 October 2010
Arrangements for Ensuring the Quality of Care in Homes for Older People | 8 December 2010
Examination of Procurement Breaches in Northern Ireland Water | 14 December 2010
General Report by the Comptroller and Auditor General for Northern Ireland - 2010 | 22 December 2010
NIAO Reports 2010-2011 (continued)

Title | Date Published
2011
Compensation Recovery Unit – Maximising the Recovery of Social Security Benefits and Health Service Costs from Compensators | 26 January 2011
National Fraud Initiative 2008-09 | 16 February 2011
Uptake of Benefits by Pensioners | 23 February 2011
Safeguarding Northern Ireland’s Listed Buildings | 2 March 2011
Reducing Water Pollution from Agricultural Sources: The Farm Nutrient Management Scheme | 9 March 2011
Promoting Good Nutrition through Healthy School Meals | 16 March 2011
Continuous improvement arrangements in the Northern Ireland Policing Board | 25 May 2011
Printed in the UK for the Stationery Office on behalf of the Northern Ireland Audit Office PC296205/11
Published by TSO (The Stationery Office) and available from:

Online
www.tsoshop.co.uk

Mail, Telephone, Fax & E-mail
TSO
PO Box 29, Norwich, NR3 1GN
Telephone orders/General enquiries: 0870 600 5522
Fax orders: 0870 600 5533
E-mail: [email protected]
Textphone: 0870 240 3701

TSO@Blackwell and other Accredited Agents

Customers can also order publications from:
TSO Ireland
16 Arthur Street, Belfast BT1 4GD
Tel 028 9023 8451 Fax 028 9023 5401