Risk Register · Risk Scoring Matrix · Borough of Scarborough · 2017-03-15 · Appendix 1 risk...
Appendix 1
Risk Register - Risk Scoring Matrix
Likelihood: A = Very Low; B = Not Likely; C = Likely; D = Very Likely; E = Almost Certain
Impact: 1 = Low; 2 = Minor; 3 = Medium; 4 = Major; 5 = Disaster

Risk references plotted on the matrix, by Impact (rows, 5 down to 1) and Likelihood (columns, A to E):

Impact 5: (none)
Impact 4: A: EL1 | B: G10, HR1, PM2, PM3, C1, ICT3, ICT5 | C: G3, ICT6 | D: G2 | E: (none)
Impact 3: A: HR3 | B: G1, G5, G8, G9, G11, HR2, EL3 | C: G4, G7, C2, ICT2, IA1, IA2, IA3 | D: G8, G6 | E: PM1
Impact 2: A: EL2 | B: (none) | C: ICT1, ICT4 | D: (none) | E: (none)
Impact 1: (none)
Scarborough Borough Council Service Risk Register – Chief Executive – March 2017
Register columns: Risk Ref | Risk | Cause | Consequences | Mitigation | Current Risk Score | Target Score | Responsible Officer | Action Plan

G1 – Failure of Business Continuity Planning
Cause: Ineffective plans; Reliance on Third Parties; Lack of resources to implement the Plans
Consequences: Lack of service provision in event of ‘major’ disaster; Failure to meet performance targets; Unable to deliver statutory services
Mitigation: Business Impact Analysis (BIA) undertaken; Annual review of Services BIA; Contract with NYCC to assist the production of plans; IT system back-ups; Continuous investment in IT hardware to give flexibility to services; Emergency Planning suite to enable continuity of key systems
Current Risk Score: B3 AMBER
Target Score: B3
Responsible Officer: ALL
Action Plan: Mock business continuity day/away day training; Need to prioritise services to recover; Links all BCPs together

G2 – Continued financial pressure resulting in inability to deliver services
Cause: Loss (reduction) in grants or external contract income; Changes in legislation; Conflicting priorities; Historical issues (maintenance of infrastructure, assets, equipment)
Consequences: Unable to progress environmental studies/works; Public criticism; PI results worse than planned; Low staff morale, including increased staff turnover and sickness absence; Civil action against Council; Cuts in service; Reduction in customer satisfaction
Mitigation: Deliver minimum strategic monitoring of cliffs etc; Performance Management Framework; Human Resources policies in place; Financial Strategy; Mechanisms in place for effective communication with TUs, staff and stakeholders; Forge strong relationships with external clients
Current Risk Score: D4 RED
Target Score: C3
Responsible Officer: ALL/Directors Team
Action Plan: Prioritisation of services; Transformation agenda; Budgetary process – forward planning

G3 – Failure to manage and monitor project programmes effectively; Failure to deliver capital schemes (on time and budget)
Cause: Conflicting priorities; Scheme creepage; Insufficient resources to budget monitor; Ineffective project management; Reliance on external contractors/consultants; Risk of officer overload
Consequences: Poor service delivery; Increased costs and budgetary overspends; Failure to secure project outcomes; Poor public image; Loss of staff morale; May lead to failure to secure existing and future funding; Strain on internal relations
Mitigation: Scale & content of specific schemes is manageable; Staff goodwill to ensure success; Officers & Elected Members in Project Teams/Boards; Project Management developed with specialist project managers (in some areas); Prince 2 methodologies (in some areas); Additional financial resources provided to procure specialist advice where necessary
Current Risk Score: C4 RED
Target Score: B4
Responsible Officer: Directors Team, ALL
Action Plan: Prioritise progression of projects; Forward planning to ensure effective/efficient project progression (i.e. assess hours available per project in addition to cash funds ~ Strategic); Focus on revenue tail of capital projects prior to commencing the schemes; Establish a Project Sponsor protocol

G4 – Loss of significant working time due to sickness (including stress)
Cause: Increased pressure on staff due to resource reductions; Working longer hours to meet service delivery; Loss of staff; Increased work load falls onto others which leads to sickness
Consequences: Unable to improve the service provided; Reduction in Service performance; Failure to deliver service – time/quality; Statutory deadlines are missed; Budget pressure to cover absences
Mitigation: Staff absence policy; Flexi time arrangements; Counselling service – readily available; Goodwill and commitment from the majority of staff; Staff Development Plans; Regular Team meetings; 1-2-1s
Current Risk Score: B3 (short term) AMBER; C3 (medium term) AMBER
Target Score: B2
Responsible Officer: Directors Team/ALL
Action Plan: Continuity planning; Return to work guidance; Councillors and public expectations need to be managed more effectively (DT); Training to prioritise workloads

G5 – Liability occurring as a result of non-compliance of health and safety
Cause: Failure to correctly or adequately supervise; Lack of induction and/or training; Risk assessments out of date; Failure to meet statutory inspections/tests
Consequences: Personal and Service (corporate) liability; Claims against the Council; Poor safety culture; HSE prosecutions; Injury or death of an employee or member of public
Mitigation: Corporate Health and Safety officer advice; Safety Co-ordinators group; SUMS Health and Safety Action Plans; Staff training; Formal risk assessments; Safe working practice; Internal Audit; Appointment of suitable specialists (CDM etc)
Current Risk Score: B2/3 AMBER
Target Score: B2
Responsible Officer: ALL
Action Plan: Ensure health and safety is standard agenda on all team meetings; Ensure equipment inventory and inspections are up to date; Review Risk Assessments and Action Plans; Health and Safety Briefings on legislation changes

G6 – Difficulty to recruit and retain appropriate staff
Cause: No succession planning; Geographic remoteness of the Borough; Overall salary package is not competitive; Limited people with specialist skills; General skills shortage in the area
Consequences: Skills shortage – not enough qualified staff; High turnover of staff will result in reduced knowledge and expertise; Low staff morale; Failure to meet statutory obligations or corporate objectives; Increased sickness levels; Better staff will leave and get employment elsewhere; Resources wasted on training staff that do not stay
Mitigation: Benefit packages; Training and improving/widening skills; Apprenticeships and structured career paths; Flexible policies including the promotion of work/life balance; Appraisals and staff development plans
Current Risk Score: B3 AMBER; D3 (Projects) RED
Target Score: B2
Responsible Officer: ALL
Action Plan: Training and development; Job shadowing; Encourage career paths/goals; Consider graduate schemes; Apprenticeship schemes; Effective succession planning to be implemented; Job Evaluation/market forces value; Consider short term options to address resource shortfall

G7 – External influences negatively impact on Service delivery
Cause: Economic climate; Changes in legislation impose greater obligations on the Council or divert funds from elsewhere; Reduction in funding grants; Contract risk transferred to the Council; Environmental challenges; Directed abuse of staff
Consequences: Apparent budget overspend; SBC budget difficulties; May lead to reduced service provision; Lack of service development; Downward spiral of reducing income – fewer staff to recover monies; Write offs charged back to service; If no write offs, increases in outstanding debt; Potential claims
Mitigation: SUMS meet with their Finance officer; Executive Board (report to); External advice and support; Performance measures; Corporate Transformation Board; Robust contract management
Current Risk Score: C3 (short term) AMBER; B2/3 (medium term) AMBER
Target Score: B2
Responsible Officer: Directors Team/ALL
Action Plan: Performance measurement; Staff support protocol/policy

G8 – Failure to comply with current or new Regulation and Legislation
Cause: Officers not aware of new rules or legislation; Inability to implement the changes
Consequences: Risk of sanction, censure by external auditors; Legal claims; Actions may be ‘ultra vires’; Failure to achieve maximum funding levels; Government sanctions; Risk of injury to the public; Adverse publicity; Ombudsman enquiries; Customer satisfaction levels will fall
Mitigation: Monitoring Officer; Section 151 Officer; Workshops; Training; Relevant magazines and publications; External Contracts/agencies; Shared User Groups meet regularly; Performance Review and Strategy; CPD for professional staff; Constitution reviewed annually; Governance Group; Member training & development; Report financial consequences to members; Relevant training and awareness are made available to staff
Current Risk Score: B3 AMBER
Target Score: B2
Responsible Officer: ALL
Action Plan: Ensure training and resources are available for key staff; Develop good customer relationships; Constitution awareness

G9 – Failure to meet income targets
Cause: Change in economic climate; Insufficient marketing; Staff resource not sufficient to drive demand; Not commercially managed; Lack of infrastructure/facilities to attract visitors
Consequences: In-year budget problems; Lead to staff reductions; Service provision reductions
Mitigation: SUMS set the income targets in conjunction with Finance; Budget performance of SUMS; Mitigation measures can be implemented; Contingency budget
Current Risk Score: B3 AMBER
Target Score: B3
Responsible Officer: ALL
Action Plan: Review/challenge problem areas as a priority

G10 – Loss of key staff
Cause: Increased pressure on staff due to resource reductions; Working longer hours to meet service delivery; New employment opportunity; Changes to employee contract conditions; Increased sickness
Consequences: Knowledge is lost to the Council; Work is not delivered or not on time; Cost to recruit; Cost to cover the absence; Interrupts other services delivery
Mitigation: Benefit packages; Training and improving/widening skills; Flexible policies; Appraisals and staff development plans; Staff absence policy; Flexi time arrangements; Counselling service – readily available; Goodwill and commitment from the majority of staff; 1-2-1s
Current Risk Score: B4 AMBER
Target Score: B4
Responsible Officer: ALL
Action Plan: Succession planning to be implemented; Sharing knowledge mechanism

G11 – Failure to complete statutory returns in accordance with regulations and timetable (including: elections, payroll, grant returns, medium term plans, PSN)
Cause: Limited staffing resource; System failure; Conflicting priorities
Consequences: Reputation; Additional Inspections/conditions; Loss of grant funding and future opportunities
Mitigation: Some returns can be amended after submission without penalty; Experienced staff; Internal controls in place; Documented process; Responsibility assigned; Cascading knowledge through training; Adequate lead time; Pressure on software suppliers to be up to date; Efficient processes; Robust year end timetable
Current Risk Score: B3 AMBER
Target Score: B3
Responsible Officer: ALL
Action Plan: Key staff support

ICT1 – Lack of support and continuity from external software providers; Late delivery of upgrades can increase data security risks to the council’s ICT network/electronic data and hinder service delivery
Cause: Software may fail; Suppliers do not have the resource to implement enhancements
Consequences: Cannot undertake scheduled work; Staff downtime; Reduced staff motivation; Reduced ability to deliver service to proper standards; Increased manual checking of outputs; Loss of faith in software; Increased number of corporate complaints; Backlog of unprocessed items created; External access to network creates vulnerability; Service provision will change
Mitigation: IT specialist knowledge; Adequate funding; Active membership of ‘user groups’; Training; Weekly internal training sessions; Manually check outputs (reconciliations); Disaster recovery plans; Meetings with software personnel; Helpdesk facilities; IT support arrangements in place; Reputable suppliers of software; Testing release before installation and ongoing systems testing once systems are operational
Current Risk Score: B3 AMBER; C2 (late delivery) AMBER
Target Score: B3; B2
Responsible Officer: ITM
Action Plan: Identify an owner of the systems; Improved contracts management

ICT2 – Inadequate data governance arrangements
Cause: Ineffective processes for sharing data leading to safeguarding failure; Theft or loss of data; Theft or loss of equipment; Failure to maintain Public Sector Network accreditation and being denied access to PSN data; Cyber Attacks, including viruses, phishing, malware, ransomware; Improper disclosure of confidential information; Disposal of IT equipment
Consequences: Major reputational damage; Loss of public confidence in the organisation; Inability to operate key business processes
Mitigation: Policies are in place for interagency referrals and data sharing in safeguarding matters; Annual IT Health Checks including penetration tests; Data Protection guidance and training for staff; IT Security Policies are in place and have been reviewed
Current Risk Score: C3 AMBER
Target Score: B3
Responsible Officer: ITM
Action Plan: Management review of data governance arrangements; Information owners to be identified; Information assets to be recorded and maintained; On-going workforce education; Policy and procedures review; IT processes and systems to control external file transfer; Receipt of PSN accreditation during July 2017; Staff and Member training on information security policies and sign up to policies; Training of key staff with designated information security responsibilities

ICT3 – Failure to ensure the continuous availability of critical IT systems
Cause: Cyber attacks; Inadequate disaster recovery processes; Inadequately supported systems; Loss of staff; Infrastructure issues from third party suppliers
Consequences: Interrupted service delivery; Reputational damage; Loss of confidence; Failure to receive income or pay expenditure
Mitigation: Robust security controls; Strong DR processes
Current Risk Score: B3/4 AMBER
Target Score: A3
Responsible Officer: ITM
Action Plan: Introduction of new Incident Management Policy; Improved contracts

ICT4 – Failure of ICT to support business development with regards to delivery of projects
Cause: Lack of corporate Project Management approach; Lack of accountability to project deadlines by client Services
Consequences: Projects could be delivered late, over budget; Projects not adequately resourced; Negative impact on staff morale and/or productivity
Mitigation: Project Management skills in place within ICT team based on PRINCE2 methodologies; Roadmap approach provides structure to ICT team programme
Current Risk Score: C2 AMBER
Target Score: B2
Responsible Officer: ITM
Action Plan: Support corporate discussions to agree structured approach to projects which improves acceptance, accountability and governance

ICT5 – Corporate IT Disaster Recovery solution is inadequate for current Business Continuity requirements
Cause: BC requirement now greater corporate objective; Reliance on technology and electronic data ever increasing
Consequences: Service delivery delays and/or failures; Data/IT services recovery delays; Reputational impact; Financial impact
Mitigation: Investment made in Falsgrave Community Centre as a fit for purpose DR/BC suite; Technology investments in more resilient solutions with greater capacity and performance
Current Risk Score: B4 AMBER
Target Score: B3
Responsible Officer: ITM
Action Plan: Ensure permanence of DR/BC venue; Regular trials/reviews; Education of ICT team and stakeholders; Clear, prioritised strategy/tactical delivery plan from corporate leads beyond ICT

ICT6 – Failure of organisation to comply with General Data Protection Regulations (GDPR) from May 2018
Cause: Inadequate awareness of GDPR; Inadequate planning for impact of GDPR; Inadequate training of Members and Officers; Inadequate Policies and Procedures; Inadequate corporate accountability to GDPR
Consequences: Significant fines (up to 4% of turnover) for the council; Reputational impact; Loss of personal data could cause significant personal distress and/or safeguarding concerns to our customers
Mitigation: Data Protection Officer and information management resource from within ICT working with SIRO to prepare for GDPR
Current Risk Score: C4 RED
Target Score: B3
Responsible Officer: ITM
Action Plan: DPO and ICT information management officer to become certified GDPR practitioners during April 2017; Information to be made available to Members and Officers as a priority; Training plan to be developed and delivered; Policies/procedures to be reviewed/created; Information asset ownership and accountability ensured and reinforced at Service level across organisation; Management teams to provide consistent leadership to compliance

HR1 – Loss of paper records
Cause: Fire within the Town Hall
Consequences: Loss of historic information
Mitigation: Fire alarmed building
Current Risk Score: B4 AMBER
Target Score: A4
Responsible Officer: HRM
Action Plan: Move fully to an electronic filing system; Consideration of fire protected storage in the short term

HR2 – Non-compliance with employment legislation corporately
Cause: Loss of key staff – stress/dismissal; Reduced resources
Consequences: Adverse publicity; Increased number of complaints/claims; Financial outlay
Mitigation: Training for managers in people management issues; Ensure policies and procedures in place and adhered to; Provide support to managers
Current Risk Score: B3 AMBER
Target Score: B3
Responsible Officer: HRM
Action Plan: Leadership training for managers

HR3 – Unavailability of iTrent payroll system
Cause: Out of contract with the supplier; Loss of Town Hall; System not updated with new legislation in time
Consequences: Staff not paid on time; Industrial action; Backlog of data inputting; Payroll and HR have difficulty in delivering their services
Mitigation: Business continuity plan in place and reviewed; Disaster recovery support from ERYC as system owner; ERYC have the resource to ensure the system is up to date with legislation; Accessible from other locations as system is internet based; ERYC could run the Payroll as an ultimate backup; Effective working relationship with ERYC
Current Risk Score: A3 GREEN
Target Score: A3
Responsible Officer: HRM
Action Plan: Keep the disaster recovery and business plans up to date

IA1 – Increase in Fraud and Corruption (or the opportunity of such)
Cause: Poor economic climate; Lack of financial controls due to reduced resources; Less staffing resource
Consequences: Reputation damaged; Loss of income; Theft of stock/assets; Low staff morale
Mitigation: Budget monitoring; NFI data matching; Procurement regulations; Constitution – Financial Regulations; Internal Control Framework; Certification/Authorisation control; Door access in main Town Hall; Systems password protected; Asset marking/Verification of assets; Internal Audit; Whistleblowing Policy; Money Laundering Officer
Current Risk Score: C3 AMBER
Target Score: C3
Responsible Officer: ALL
Action Plan: Increase vigilance; Fraud Awareness training

IA2 – The Audit Plan is not sufficiently robust
Cause: Services do not engage with Audit when setting the audit plan; Scope of the audit plan is not correctly established
Consequences: New service functions are not audited; No assurance that internal controls are sufficient
Mitigation: Risk based approach to setting the audit plan; Audit meet with SUMS to agree the services to be audited; Audit has the autonomy to set the audit plan without undue influence from managers
Current Risk Score: C3 AMBER
Target Score: B3
Responsible Officer: AM
Action Plan: Continue to engage with services to demonstrate the benefit audit can deliver

IA3 – Failure to complete the annual Audit Plan
Cause: Audit staff absence; Additional ad-hoc work that impacts on the audit programme; Audits take longer than the time allocated
Consequences: External audit cannot rely on the normal work internal audit undertake; Accounts may not be signed off; Inadequate controls in services may not be identified if audits not conducted
Mitigation: Structured audit plan with allocated resources; Fundamentals audits are prioritised; Experienced staff
Current Risk Score: C3 AMBER
Target Score: B3
Responsible Officer: AM
Action Plan: Continual monitoring of audit plan progress

PM1 – The Council’s infrastructure assets are not adequately maintained (sea walls, promenades etc)
Cause: Insufficient financial resource; Historical problems are coming to the fore; Climate change
Consequences: Gradual decline of assets results in increased costs; Potential health and safety issues; Condition of the assets deteriorates; Value of the assets reduces; Loss of revenue (if assets unavailable); Adverse publicity; Insurance claims from third parties; Risk of enforcement action
Mitigation: Coast Protection Strategy; Financial Strategy; Capital bids submitted; Identifying other means of funding
Current Risk Score: E3 RED
Target Score: E2
Responsible Officer: Director (NE), PM
Action Plan: Continue to source other funding

PM2 – Risk of landslide, landslip, rock falls and other natural hazards on coastal cliffs and those inland
Cause: Climate change; Prevailing geology
Consequences: Loss of life/serious injury; Damage to property; Loss of access/amenity; Significant financial impact (repair/legal costs); Compensation claims; Reputation undermined
Mitigation: Ground monitoring; Bi-annual programme of inspections and remedial action; Reporting system in place with other relevant stakeholders; Specific risk management plans
Current Risk Score: C2 (localised) AMBER; B3/4 (significant) AMBER
Target Score: C2 (localised); B3/4 (significant)
Responsible Officer: PM
Action Plan: (none recorded)

PM3 – Significant failure of coastal defences
Cause: Severe storms; Lack of funding; Ineffective repairs
Consequences: Health and safety implications; Threat to life and property; Loss of revenue (if assets unavailable); Loss of access/amenity; Financial exposure to the Council if emergency works are not recovered (Bellwin)
Mitigation: Term maintenance contract in place; Revenue budget available but not sufficient to deal with significant failure
Current Risk Score: C2 (localised) AMBER; B3/4 (significant) AMBER
Target Score: C2 (localised); B3/4 (significant)
Responsible Officer: PM
Action Plan: Continue with the inspection and maintenance regime

C1 – Failure to communicate effectively (externally)
Cause: Lack of streamlined communication; Untrained individuals doing press interviews/media releases; Communication staff absence; Non-engagement with the media
Consequences: Damage to reputation; Poor public perception of Council and staff; Reduced Regeneration of the area; Distorted stories reported; Exaggeration of negative actions; Residents may be ill-informed of the facts; Council loses control of its stories
Mitigation: Communication strategy; Positive action to promote the Council – “Good news” stories/articles; Good relationship with press; Crisis management; Professional and experienced staff; Communication representative at Emergency Planning; Media management training; Communication plan for specific projects
Current Risk Score: B3/4 AMBER
Target Score: B3
Responsible Officer: COM
Action Plan: Renew the overarching Communication Strategy; Ensure all major projects have a communication plan

C2 – Failure to communicate effectively (internally)
Cause: Selective approach to communication of information; Lack of coherent mechanism for dissemination of information
Consequences: Low staff morale; Increased turnover of staff; Displays lack of trust in employees; Staff may be unaware of issues affecting the Council; Inconsistent message delivery
Mitigation: Chief Executive attends staff meetings; E-mails; Porthole; Corporate process of cascading information through the hierarchy to team meetings; Communications Officer; Communication Strategy
Current Risk Score: C3 AMBER
Target Score: C3
Responsible Officer: COM
Action Plan: Increase usage of Porthole/technology; Renew overarching communication strategy

EL1 – Failure to deliver elections in accordance with statutory requirements
Cause: Missed statutory deadlines; Loss of key staff; External printing suppliers do not deliver
Consequences: Adverse publicity; Reputational damage; Legal challenge; Financial impact to re-run election; Loss of faith in the election process; Potential ‘Failed Service’ designation from the Electoral Commission; Intense scrutiny on future elections
Mitigation: Experienced staff; Up to date training; Feedback sought after each election; Insurance cover in place; Election Preparation Plan; Project management documents from Election Commission; Oversee the actual election process; Robust processes and procedures in place; Securely store all election equipment; Deputies appointed for key roles (Returning Officers etc); Contingency plans in place for polling station provision
Current Risk Score: A4 AMBER
Target Score: A4
Responsible Officer: CE/ELM
Action Plan: Ensure service development and training plan is current and complied with; Have contingency arrangements for external service providers

EL2 – Statutory timetable and requirements not met when compiling and maintaining the Electoral Register
Cause: Failure of specialist software; Non delivery of canvass forms
Consequences: Residents not able to vote – legal challenge to the election result; Financial cost of the legal challenge and re-running the election; Reputational damage; Adverse publicity
Mitigation: Experienced staff; Contracts in place with printers and software suppliers; Good network of support and advice; Regular training sessions for staff; Contingency plans around software provision; Poll card delivery; Local and national publicity plans to encourage residents to register
Current Risk Score: A2 GREEN
Target Score: A2
Responsible Officer: ELM
Action Plan: (none recorded)

EL3 – Failure to deliver Transformation efficiencies
Cause: Lack of engagement from internal services; Resistance to change; Business case assumptions incorrect; Lack of internal resource to deliver projects
Consequences: Efficiencies and savings not delivered (at all or in time); Channel shift not achieved
Mitigation: Trained Business Analysts; Programme of reviews/projects; Allocated resources to each project as appropriate; Project Boards; Project teams; Building strong relationships with services
Current Risk Score: B3 AMBER
Target Score: B3
Responsible Officer: ELM
Action Plan: Continual training for the team members; Analytical skills training

Key to Responsible Officers:
CE = Chief Executive
Director (NE) = Director Nick Edwards
HRM = Human Resources Manager
AM = Audit Manager
PM = Projects Manager
ITM = IT Manager
COM = Communications Manager
ELM = Elections Manager