Risk Management Policy of the Department of Arts, Heritage and the Gaeltacht November 2011


Risk Management Policy

of the

Department of Arts, Heritage and the Gaeltacht

November 2011

Table of Contents

1. Introduction
2. What is risk and how does it impact on Government Departments?
3. Risk Mission Statement of the Department of Arts, Heritage and the Gaeltacht
4. What is Risk Management?
5. Risk Assessment and Risk Control
6. Benefits of Risk Management
7. Departmental Risk Management Cycle
8. Departmental Risk Management Structures
9. Departmental Risk Monitoring and Reporting Arrangements
10. Risk Management and Bodies under the aegis of this Department
11. Risk Management and Freedom of Information Act
12. Departmental Risk Review Arrangements
Appendix 1: Central Guidance Provided by the Department of Finance, March 2004
Appendix 2: Glossary of Risk Terms

Abbreviations used in this document

| Abbreviation | Meaning |
| --- | --- |
| D/AHG | Department of Arts, Heritage and the Gaeltacht |
| MAC | Management Advisory Committee |
| MINMAC | Ministers + MAC |
| IAU | Internal Audit Unit |
| C&AG | Comptroller & Auditor General |
| PO | Principal Officer |
| FOI | Freedom of Information Act |

Risk Management Policy of the Department of Arts, Heritage and the Gaeltacht

1. Introduction

The Department of Arts, Heritage and the Gaeltacht was established on the 1st of June 2011 on foot of the reorganisation of Government Departments announced by the Taoiseach in March 2011, bringing together functions from the former Department of Tourism, Culture and Sport, the Department of Environment, Heritage and Local Government and the Department of Community, Equality and Gaeltacht Affairs.

The Department oversees the conservation, preservation, protection and presentation of Ireland’s heritage and cultural assets. The Department also seeks to promote the Irish language and to support the Gaeltacht. The key functions under its remit include:

- Arts, Culture, Film and Music, as well as oversight of Ireland’s cultural institutions;
- Ireland’s Built and Natural Heritage;
- the Irish Language, the Gaeltacht and the Islands; and
- North/South Co-operation insofar as it relates to Waterways Ireland, An Foras Teanga and the wider functions of the Department.

The efficient and effective management of these key functions within the organisational framework of the new Department must take account of risk factors, having regard to the potential impact on the business operation of the Department, in order to ensure that the strategic objectives of the Department are achieved.

2. What is risk and how does it impact on Government Departments?

The term "risk" is defined in the glossary section of the Standards for the Professional Practice of Internal Auditing as: "The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood."

The Report of the Working Group on the Accountability of Secretaries General and Accounting Officers (“the Mullarkey Report”), endorsed by the Government and published in January 2003, recommended, inter alia, that risk assessment and management should be integrated into the management processes of Government Departments within two years of the publication of the Report. The Report also recommended that central guidance on the development of a risk strategy appropriate to Government Departments should be prepared by the Department of Finance.

In March 2004, the Department of Finance produced a document entitled Risk Management Guidance for Government Departments and Offices, and this policy document reflects the guidance and recommendations contained therein.

Typical risks, which Government Departments face, include:

- Anything that poses a threat to the achievement of a Department’s objectives, programmes, or service delivery for citizens;
- Anything that could damage or injure the reputation of a Department and undermine the public’s confidence in it;
- An occurrence of impropriety, malpractice, waste or poor value for money;
- A breach of regulations such as those covering health and safety and the environment;
- An inability to respond to or manage changed circumstances in a way that prevents or minimises adverse effects on the delivery of public services.

3. Risk Mission Statement of the Department of Arts, Heritage and the Gaeltacht

The purpose of this Department’s Risk Management Policy is to provide a framework for management to identify, assess, rate and develop strategies to deal with risks in order to provide reasonable assurance that the strategic objectives of the Department will be achieved.

The Risk Management Policy of the Department is to adopt good practice in the identification, assessment and control of risks to ensure that they are eliminated or reduced to an acceptable level.

The risk management objectives of the Department include:

- Integration of risk management within the culture and business processes of the Department;
- Management of risk in accordance with good practice;
- Raising awareness of the need for risk management; and
- Delivery of risk management in an effective manner without creating excessive administrative demands.

4. What is risk management?

Risk management means having in place a corporate and systematic process for evaluating and addressing the impact of risks to the organisation in a cost-effective way and having staff with the appropriate skills to identify and assess the potential for risks to arise. Training can be arranged by Corporate Governance Division as required.

Risk management is a process of clearly defined steps, which support better decision-making by contributing a greater insight into risks and their impacts. Within the context of good practice, it is integrated into existing corporate frameworks.

Risk management can also be defined as the process of measuring or assessing risk and developing strategies to manage the risk. Ideally, the risks with the greatest loss and the greatest probability of occurring are given highest priority, while risks with lower probability of occurrence and lower loss are given lower priority.

The Mullarkey Report identified four main categories of risk, and these are reflected in the table below.

Table 1: Categories of Risk (adapted from Mullarkey Report)

| Category | Type of risk involved | Possible examples |
| --- | --- | --- |
| Operational | Difficulties with procedures/technologies etc. | ICT problems; loss of key expertise |
| Strategic | External but affecting objectives | Sharp rise in need for services |
| Financial | Impropriety, malpractice, waste or poor value for money | Funds not correctly used |
| Reputation | Public perception becoming negative | Failing to deal adequately with perceived difficulties |

Other risks/factors that may be considered include the following:

- commercial;
- litigation;
- economic/market;
- legal and regulatory;
- organisational management/human factor;
- political/societal factors;
- environmental factors/force majeure; and
- technical/operational/infrastructural issues.


5. Risk Assessment and Risk Control

When the important risks facing a Department have been identified, the next step is to assess them. This assessment is carried out on the basis of three criteria, which include:

- Impact on the Department;
- Likelihood of occurrence; and
- Effectiveness of existing controls.

The most important way of responding to risk is reduction, where the objective is not necessarily to prevent the risk totally, but to contain it to an acceptable level. Risk reduction strategies aim to minimise the frequency or severity of the negative impacts of a risk. An example is the preparation of contingency plans to expedite recovery from losses.

The civil service culture has been traditionally risk-averse with a low-risk appetite, tending to associate risk-taking with increasing the possibility of something going wrong, of project failure or financial loss, which could lead to political and public censure. This Department seeks to encourage the adoption of well-managed and controlled risk-taking where it is likely to lead to sustainable improvements in service delivery and opportunities for the Department.

6. Benefits of Risk Management

There are clearly many benefits to implementing risk management strategies in Government Departments and the risk process can help Departments improve their performance in numerous ways. It can lead to:

- Better service delivery;
- More efficient use of resources;
- Better project management;
- Minimisation of waste, fraud and poor value for money; and
- Promotion of innovation.


7. Risk Management Cycle

The Risk Management Cycle in this Department involves:

Confirming Goals/Strategies for the Department and for individual line divisions;

Identifying and assessing risks;

Challenging and evaluating existing controls;

Taking action and enhancing controls where required;

Monitoring and reporting risk through the various Departmental Risk Structures.


8. Departmental Risk Management Structures

The following Risk Management Structures are in place in the Department:

MAC

MAC has responsibility for the oversight of risk management in the Department and will keep the Minister and Minister of State apprised of risk issues as required, through the MINMAC structure. It is committed to ensuring that risk management is an integral and ongoing part of the management processes and day-to-day business of the Department and will continue to facilitate and embed formal risk management strategies into the management processes of the Department.

Risk Management Steering Committee

The Management Steering Committee will be chaired by the Assistant Secretary responsible for Corporate Governance. Membership of the Committee shall comprise representatives from Corporate Governance, IT, Finance and Internal Audit (observer status). It will also comprise a representative at PO level from each functional area of the Department. In this context, Assistant Secretaries will be required to nominate a representative to the Committee. The Committee reports directly to MAC on a quarterly basis (or more frequently if necessary) and is responsible for:

- Overseeing implementation of the Department’s Risk Management Policy;
- Defining and reviewing, on a regular basis, the Department’s risk policy, methodology and standards;
- Creating awareness across the Department of effective risk management;
- Monitoring the management of risk throughout the Department and reporting on a regular basis to the Department’s MAC and Audit Committee.

Corporate Governance Division

The Head of Corporate Governance Division has responsibility for maintaining the Corporate Risk Register and, following appropriate consultation on corporate risks with other relevant POs, reporting to the Risk Management Steering Committee on Departmental Corporate Risks.

Principal Officers

In consultation with their respective Assistant Secretaries, Principal Officers are responsible for:


- Implementing the Department’s risk management process in their Divisions;
- Identifying, evaluating and signing off on risks at Divisional level;
- Ensuring that control measures for the purposes of risk mitigation are operating satisfactorily in their areas and that an appropriate proportion of those measures is reviewed by them on a regular basis;
- Formally updating Risk Registers and ensuring that arrangements are in place within their Divisions to ensure that the risks reflected in the Risk Register reflect the actual risks and challenges that face the Division;
- Owning and managing the risk within the Division’s organisational or functional remit on a day to day basis;
- Ensuring clear roles and responsibilities for risk identification, management and reporting are defined within their areas using PMDS and business planning;
- Ensuring that relevant bodies within the ambit of the Department have robust risk arrangements in place;
- Ensuring compliance with the formal risk reporting requirements on an ongoing basis;
- Ensuring risk management awareness throughout the Division.

Staff

Individual members of staff are responsible for:

- Operating and monitoring the system of internal control;
- Proactively identifying risk issues and bringing these to the attention of management;
- Ensuring that all risks are identified and reported in a timely and effective manner.

Internal Audit Unit

Internal Audit Unit has a central role in advising the Accounting Officer on the state of the Department’s risk management processes. The review of risk arrangements to ensure that they are robust forms an integral element of the work carried out by the Internal Audit Unit, which reports directly to the Accounting Officer on such matters. It should also be noted that risk is a standing item on the agenda of each of the meetings held by the Department’s Audit Committee.


9. Departmental Risk Monitoring and Reporting Arrangements

The following is the Risk Reporting structure in this Department:

MINISTER/MINISTER OF STATE (as required)

MAC

RISK STEERING COMMITTEE

Audit Committee

HEAD of CORPORATE GOVERNANCE

HEADS OF DIVISIONS (POs and A/Secs)

STAFF

The following are the Risk Reporting arrangements in the Department:

Principal Officers

Each Division is required on an ongoing basis to notify the relevant Assistant Secretary, through the PO, of any significant risk issues arising in its area, including new risks or issues in regard to risk control measures and in turn these are to be reported to Corporate Governance Division.


Each Division should monitor risks and their controls on an ongoing basis and where issues arise these should be reported immediately to the line division’s Assistant Secretary, through the PO. As part of the reporting to MAC on a quarterly basis, POs are required to give an assurance, through the Risk Management Steering Committee, that control measures for the purposes of risk mitigation are operating satisfactorily in their areas and that an appropriate proportion of those measures have been reviewed by them since their last report was submitted.

Head of Corporate Governance

Corporate Governance Division will co-ordinate on a quarterly basis a report for the Risk Steering Committee on the high level risks in line divisions. Line divisions will be required to report any outstanding high risks or significant risks through the Corporate Governance Division to the Risk Management Steering Committee and MAC. The onus is on the line division PO to report these risks. Responsibility for maintaining the Corporate Risk Register rests with the Head of Corporate Governance Division who will, following appropriate consultation on corporate risks with other relevant POs, report to the Risk Management Steering Committee on Departmental Corporate Risks.

Internal Audit Committee

The Head of Internal Audit will have observer status at the Risk Management Committee. In addition, so as to ensure the adequacy, efficiency and effectiveness of the Risk Management processes in the Department, the Chair of the Risk Management Steering Committee will review progress made by that Committee each year. This will be submitted to MAC for approval and then on to the Chair of the Audit Committee on an annual basis.

Risk Management Steering Committee

The Risk Management Steering Committee will meet quarterly and it is the responsibility of the Corporate Governance Division to provide the Committee with a quarterly report on the high-level risks reported by the POs.
So as to ensure that senior management, and the Minister and Minister of State, are aware of high level risks that may threaten the business of the Department, the Risk Steering Committee will provide a quarterly report to MAC and MINMAC on such risks, the mitigation strategies in place to control these and on other relevant risk issues in the Department.

MAC

The role of MAC is to monitor closely any high level risks that may threaten the business of the Department and the mitigation strategies in place to control these. The MAC is also required to support the risk management process in the Department and provide feedback on risk issues through the Risk Steering Committee. The MAC will report high-level risks that may threaten the business of the Department and the mitigation strategies to MINMAC on a quarterly basis or as the need arises in the case of exceptional risks arising.

10. Risk Management and Bodies under the aegis of this Department

The risks associated with working with other organisations and bodies under the aegis of the Department should be assessed and managed by all line divisions and reflected in Divisional Risk Registers. In this context, POs of line divisions should ensure that all such organisations have robust risk arrangements in place. Line divisions should obtain an assurance in this regard confirming that robust risk arrangements are in place.

12. Risk Management and Freedom of Information Act

With few exceptions, any record held or under the control of a Government Department or Office is subject to the Freedom of Information (FOI) Act 1997. The long title of the FOI Act sets out its central purpose as ensuring access to information held by public bodies to the greatest extent possible, consistent with the public interest and the right to privacy. The Act contains a number of exemptions to the right of access to information, whereby information can be withheld if particular criteria apply. Many FOI exemptions, including those likely to be most relevant to risk management, require both harm and public interest tests to be applied.

Records relating to Risk Management Systems

Records held by Departments and Offices are likely to include:

- Risks identified by individual business units;
- Risk Management Registers/Databases, including the risks identified, the likelihood of occurrence and financial and other impacts;
- Reports on the implementation and performance of individual risk management systems;
- Reports of Risk Management Audits and Inspections;
- Internal Audit Reports; and
- Internal memoranda, briefing notes, minutes of meetings of Risk and/or Audit Committees, presentations, reports etc. to MAC.

FOI requests may be made for such material and for statistics and other basic information used by public bodies to assist in identifying risks. Requests for all or part of the content of a Risk Register may be received.


Risk Register

Many risk management systems incorporate a centralised risk database or register. The Risk Register serves as a primary tool for risk tracking, containing the overall system of risks and the status of any risk mitigation actions. Entries in a Risk Register can contain a description of the risk, its location within the organisation, the likelihood of its occurrence, its impact rating should it occur and the effectiveness of the risk prevention controls in existence. The consequences column identifies the possible effect that the impact of an event which has been identified as a risk might have on a Department. The actions required to mitigate the risk are also identified.

The “consequences” or impact information in the Risk Register will be a key reference point for decision makers when assessing the applicability of FOI exemptions and for consideration of the public interest. Particular consideration should be given by decision makers to the consequences, financial or otherwise, that could arise in the case of requests for details of the probability profile assigned by a Department/Office to a particular risk.

FOI Exemptions

The Oireachtas has identified a significant public interest in ensuring access to information held by public bodies. The FOI Act carries a presumption in favour of releasing records so that when claiming exemptions to the right of access to a record, the onus is firmly on the public body to justify the case for exemption by reference to the provisions in the Act. There is a significant public interest in identifying and mitigating financial and other risks in the public sector and in ensuring proper management of public services and finances.
While the applicability of FOI exemptions will depend, to a large extent, on the nature of the information being requested, it will be appropriate, in each case, to consider the consequences of releasing particular information on the integrity and viability of the risk management system as a whole. It will also be appropriate to consider the consequences of releasing information for the performance of other functions. Given the links between risk management and internal audit, it is strongly recommended that internal auditors are consulted prior to a final decision being made on a request.

FOI exemptions that may be particularly relevant to Risk Management are:

- section 20(1) (deliberations of public bodies);
- section 21(1) (functions and negotiations of public bodies);
- section 23(1)(a) (law enforcement and public safety);
- section 26(1) (information obtained in confidence); and
- section 31(1) (financial and economic interests of the State and of public bodies).


13. Risk Review Arrangements

The policy of the Department is to review its risk management systems and processes on an ongoing basis and, where required, to enhance and strengthen the risk identification, assessment and control arrangements in the Department. As outlined in this document, the internal risk management review structures in place in the Department include:

- Risk Management Steering Committee;
- Senior Financial Management Group;
- Corporate Governance Division;
- Internal Audit Unit;
- MAC
- MINMAC

So as to ensure the adequacy, efficiency and effectiveness of the Risk Management processes in the Department, the Chair of the Risk Management Steering Committee will review progress made by that Committee each year. This will be submitted to MAC for approval and then on to the Chair of the Audit Committee on an annual basis.


Appendix 1

Central Guidance Provided by the Department of Finance, March 2004

| Guidance Number | Guidance Provided by Department of Finance |
| --- | --- |
| 1. | Each Department is to initiate risk management as an integral and ongoing part of its management process and it is the MAC that should put in place effective mechanisms to carry out risk management accordingly. |
| 2. | The risk management process should be kept as simple and straightforward as possible and existing structures should be used, as far as possible. |
| 3. | Each Department should have clearly defined risk management structures and responsibilities. |
| 4. | Departments should repeat the process of risk identification at least once a year. |
| 5. | Departments should assess identified risks at least once a year. |
| 6. | When risks have been identified and assessed, Departments should determine an appropriate method for addressing them. |
| 7. | Department’s risk management system should provide for monitoring and reporting at various levels of management. |


Appendix 2

Glossary of Risk Terms

Risk Management
‘Risk Management is the term applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process, in a way that will enable organisations to minimise losses and maximise opportunities’ Australia/New Zealand Standard 1999

Risk
The chance or possibility of loss or harm arising from a failure in an organisation’s operations resulting in the failure to achieve the organisation’s defined objectives

Risk Policy
Risk Policy is the organisation’s statement and guidance on Risk Management

Risk Appetite
Risk Appetite is the level of risk an organisation unit/area is willing to accept based on the expected benefit (achievement of organisational goals) of the particular activity in question

Strategic Risks
The risk that the organisation would take a strategic direction or engage in activity at variance with its mission statement or fundamental organisational objectives.

Reputational Risks
The risk that the organisation’s policies, procedures or activities would fail to make progress towards achieving its organisational objectives.

Financial Risks
The risk of financial loss or impropriety.

Operational Risks
“The failure to prevent a loss resulting from inadequate or failed internal processes, people and systems or from external events”. Basel Committee on Banking Supervision in September 2001

Risk Assessment
Determining the likelihood of occurrence and extent of impact of a risk materialising

Risk Likelihood
The degree of possibility of an operational failure occurring in an organisation taking into account:
- the inherent nature of the risk;
- the strengths and weaknesses in the organisation’s controls.

Risk Impact
A measure of the damage/harm arising from the adverse consequence suffered by an organisation as a result of an operational failure.

Inherent Risk
Assessment of the impact and likelihood of a risk materialising pre the implementation of existing controls to manage the risk

Residual Risk
Assessment of the impact and likelihood of a risk materialising post the implementation of the current control environment

Risk Mitigation
Establishment of controls to reduce the likelihood of occurrence of a risk (preventative controls) or limit the impact of a risk occurring (contingency controls)

Risk Control
A control is a policy, procedure, or mechanism, which mitigates the scale of risk. Controls may be categorised as being those which are designed to:
- prevent process failures from arising;
- detect situations where process failures have occurred; and
- recover from process failures.