Appendix 1

Risk Register - Risk Scoring Matrix

Likelihood:A = Very LowB = Not LikelyC = LikelyD = Very LikelyE = Almost Certain

Impact1 = Low2 = Minor3 = Medium4 = Major 5 = Disaster

5

4 EL1 G10HR1PM2PM3C1ICT3ICT5

G3ICT6

G2

3 HR3 G1 G5G8G9G11HR2EL3

G4G7C2ICT2IA1 IA2 IA3

G8 G6

PM1

2 EL2 ICT1ICT4

1

A B C D E

Impact

Likelihood

Scarborough Borough Council Service Risk Register – Chief Executive – March 2017

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

G1 Failure of Business Continuity Planning

Ineffective plans Reliance on Third

Parties Lack of resources

to implement the Plans

Lack of service provision in event of ‘major’ disaster

Failure to meet performance targets

Unable to deliver statutory services

Business Impact Analysis (BIA) undertaken

Annual review of Services BIA

Contract with NYCC to assist the production of plans.

IT system back-ups Continuous

investment in IT hardware to give flexibility to services

Emergency Planning suite to enable continuity of key systems.

B3

AMBER

B3 ALL Mock business continuity day/away day training

Need to prioritise services to recover

Links all BCPs together

G2 Continued financial pressure resulting in inability to deliver services.

Loss (reduction) in grants or external contract income

Changes in legislation

Conflicting priorities

Historical issues

Unable to progress environmental studies/works

Public criticism PI results worse

than planned. Low staff morale,

including

Deliver minimum strategic monitoring of cliffs etc

Performance Management Framework

Human Resources policies in place

Financial Strategy

D4

RED

C3 ALL/Directors Team

Prioritisation of services

Transformation agenda

Budgetary process – forward planning

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

(maintenance of infrastructure, assets, equipment)

increased staff turnover and sickness absence.

Civil action against Council

Cuts in service Reduction in

customer satisfaction

Mechanisms in place for effective communication with TUs, staff and stakeholders

Forge strong relationships with external clients

G3 Failure to manage and monitor project programmes effectively.

Failure to deliver capital schemes (on time and budget)

Conflicting priorities

Scheme creepage

Insufficient resources to budget monitor

Ineffective project management

Reliance on external contractors/consultants

Risk of officer overload

Poor service delivery

Increased costs and budgetary overspends

Failure to secure project outcomes

Poor public image Loss of staff

morale May lead to

failure to secure existing and future funding.

Strain on internal relations

Scale & content of specific schemes is manageable

Staff goodwill to ensure success.

Officers & Elected Members in Project Teams/Boards.

Project Management developed with specialist project managers (in some areas).

Prince 2 methodologies (in some areas)

Additional financial resources provided to procure

C4

RED

B4 Directors Team, ALL

Prioritise progression of projects. Forward planning to ensure effective/efficient project progression.(i.e. assess hours available per project in addition to cash funds ~ Strategic)

Focus on revenue tail of capital projects prior to commencing the schemes.

Establish a Project Sponsor protocol

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

specialist advice where necessary

G4 Loss of significant working time due to sickness (including stress)

Increased pressure on staff due to resource reductions

Working longer hours to meet service delivery

Loss of staff Increased work

load falls onto others which leads to sickness

Unable to improve the service provided

Reduction in Service performance.

Failure to deliver service –time/quality

Statutory deadlines are missed

Budget pressure to cover absences

Staff absence policy

Flexi time arrangements

Counselling service – readily available

Goodwill and commitment from the majority of staff

Staff Development Plans

Regular Team meetings

1-2-1s

B3(short term)

AMBER

C3 (medium

term)

AMBER

B2 Directors Team/ALL

Continuity planning Return to work

guidance Councillors and

public expectations need to be managed more effectively (DT)

Training to prioritise workloads

G5 Liability occurring as a result of non-compliance of health and safety

Failure to correctly or adequately supervise

Lack of induction and/or training

Risk assessments out

Personal and Service (corporate) liability

Claims against the Council

Poor safety culture

Corporate Health and Safety officer advice

Safety Co-ordinators group

SUMS Health and Safety Action Plans

Staff training

B2/3

AMBER

B2 ALL Ensure health and safety is standard agenda on all team meetings.

Ensure equipment inventory and inspections are up to date

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

of date Failure to meet

statutory inspections/tests

HSE prosecutions Injury or death of

an employee or member of public.

Formal risk assessments

Safe working practice

Internal Audit Appointment of

suitable specialists (CDM etc).

Review Risk Assessments and Action Plans

Health and Safety Briefings on legislation changes.

G6 Difficulty to recruit and retain appropriate staff.

No succession planning

Geographic remoteness of the Borough

Overall salary package is not competitive

Limited people with specialist skills

General skills shortage in the area

Skills shortage – not enough qualified staff.

High turnover of staff will result in reduced knowledge and expertise

Low staff morale. Failure to meet

statutory obligations or corporate objectives.

Increased sickness levels

Better staff will leave and get employment elsewhere

Resources wasted on

Benefit packages Training and

improving/widening skills.

Apprenticeships and structured career paths

Flexible policies including the promotion of work/life balance.

Appraisals and staff development plans

B3AMBER

D3 (Projects)

RED

B2 ALL Training and development

Job shadowing Encourage career

paths/goals. Consider graduate

schemes Apprenticeship

schemes. Effective

succession planning to be implemented

Job Evaluation/market forces value

Consider short term options to address resource shortfall

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

training staff that do not stay.

G7 External influences negatively impact on Service delivery

Economic climate Changes in

legislation impose greater obligations on the Council or divert funds from elsewhere

Reduction in funding grants

Contract risk transferred to the Council.

Environmental challenges

Directed abuse of staff

Apparent budget overspend

SBC budget difficulties

May lead to reduced service provision

Lack of service development

Downward spiral of reducing income – fewer staff to recover monies

Write offs charged back to service

If no write offs increases in outstanding debt

Potential claims

SUMS meet with their Finance officer

Executive Board (report to)

External advice and support

Performance measures

Corporate Transformation Board

Robust contract management

C3 (short term)

AMBER

B2/3 (medium

term)

AMBER

B2 Directors Team/ALL

Performance measurement

Staff support protocol/policy

G8 Failure to comply with current or new Regulation and Legislation.

Officers not aware of new rules or legislation

Inability to implement the

Risk of sanction, censure by external auditors.

Legal claims Actions may be

‘ultra vires’

Monitoring Officer Section 151 Officer Workshops Training Relevant

magazines and

B3

AMBER

B2 ALL Ensure training and resources are available for key staff

Develop good customer

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

changes Failure to achieve maximum funding levels

Government sanctions

Risk of injury to the public

Adverse publicity Ombudsman

enquiries Customer

satisfaction levels will fall

publications External

Contracts/agencies Shared User

Groups meet regularly.

Performance Review and Strategy

CPD for professional staff.

Constitution reviewed annually.

Governance Group. Member training &

development Report financial

consequences to members

Relevant training and awareness are made available to staff

relationships Constitution

awareness

G9 Failure to meet income targets

Change in economic climate

Insufficient marketing

Staff resource not sufficient to drive

In-year budget problems

Lead to staff reductions

Service provision reductions

SUMS set the income targets in conjunction with Finance

Budget performance of

B3

AMBER

B3 ALL Review/challenge problem areas as a priority

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

demand Not commercially

managed Lack of

infrastructure/facilities to attract visitors

SUMS Mitigation

measures can be implemented

Contingency budget

G10 Loss of key staff

Increased pressure on staff due to resource reductions

Working longer hours to meet service delivery

New employment opportunity

Changes to employee contract conditions

Increased sickness

Knowledge is lost to the Council

Work is not delivered or not on time

Cost to recruit Cost to cover the

absence Interrupts other

services delivery

Benefit packages Training and

improving/widening skills.

Flexible policies Appraisals and staff

development plans Staff absence

policy Flexi time

arrangements Counselling service

– readily available Goodwill and

commitment from the majority of staff

1-2-1s

B4

AMBER

B4 ALL Succession planning to be implemented

Sharing knowledge mechanism

G11 Failure to complete statutory returns in accordance

Limited staffing resource

System failure Conflicting

priorities

Reputation Additional

Inspections/conditions

Loss of grant

Some returns can be amended after submission without penalty

Experienced staff

B3

AMBER

B3 ALL Key staff support

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

with regulations and timetable(including: elections, payroll, grant returns, medium term plans, PSN)

funding and future opportunities

Internal controls in place

Documented process

Responsibility assigned

Cascading knowledge through training

Adequate lead time Pressure on

software suppliers to be up to date

Efficient processes Robust year end

timetable ICT1 Lack of support

and continuity from external software providers.

Late delivery of upgrades can increase data security risks to the councils ICT network/electronic data and hinder service delivery

Software may fail Suppliers do not

have the resource to implement enhancements

Cannot undertake scheduled work

Staff downtime Reduced staff

motivation Reduced ability to

deliver service to proper standards

Increased manual checking of outputs

Loss of faith in software

Increased

IT specialist knowledge

Adequate funding Active membership

of ‘user groups’. Training Weekly internal

training sessions Manually check

outputs (reconciliations)

Disaster recovery plans

Meetings with

B3

AMBER

C2 (late

delivery)AMBER

B3

B2 ITM Identify an owner of the systems

Improved contracts management

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

number of corporate complaints

Backlog of unprocessed items created

External access to network creates vulnerability.

Service provision will change

software personnel Helpdesk facilities IT support

arrangements in place

Reputable suppliers of software

Testing release before installation and ongoing systems testing once systems are operational

ICT2 Inadequate data governance arrangements

Ineffective processes for sharing data leading to safeguarding failure

Theft or loss of data

Theft or loss of equipment

Failure to maintain Public Sector Network accreditation and being denied access to PSN data

Major reputational damage

Loss of public confidence in the organisation

Inability to operate key business processes

Policies are in place for interagency referrals and data sharing in safeguarding matters

Annual IT Health Checks including penetration tests

Data Protection guidance and training for staff

IT Security Policies are in place and been reviewed

C3AMBER

B3 ITM Management review of data governance arrangements

Information owners to be identified

Information assets to be recorded and maintained

On-going workforce education

Policy and procedures review

IT processes and systems to control external file transfer

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

Cyber Attacks, including viruses, phishing, malware, ransomware

Improper disclosure of confidential information

Disposal of IT equipment

Receipt of PSN accreditation during July 2017

Staff and Member training on information security policies and sign up to policies

Training of key staff with designated information security responsibilities

ICT3 Failure to ensure the continuous availability of critical IT systems

Cyber attacks Inadequate

disaster recovery processes

Inadequately supported systems

Loss of staff Infrastructure

issues from third party suppliers

Interrupted service delivery

Reputational damage

Loss of confidence

Failure to receive income or pay expenditure

Robust security controls

Strong DR processes

B3/4AMBER

A3 ITM Introduction of new Incident Management Policy

Improved contracts

ICT4 Failure of ICT to support business development with regards to delivery of projects.

Lack of corporate Project Management approach

Lack of accountability to

Projects could be delivered late, over budget

Projects not adequately resourced

Project Management skills in place within ICT team based on PRINCE2 methodologies

C2AMBER

B2 ITM Support corporate discussions to agree structured approach to projects which improves

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

project deadlines by client Services

Negative impact on staff morale and/or productivity

Roadmap approach provides structure to ICT team programme

acceptance, accountability and governance

ICT5 Corporate IT Disaster Recovery solution is inadequate for current Business Continuity requirements

BC requirement now greater corporate objective

Reliance on technology and electronic data ever increasing

Service delivery delays and/or failures

Data/IT services recovery delays

Reputational impact

Financial impact

Investment made in Falsgrave Community Centre as a fit for purpose DR/BC suite

Technology investments in more resilient solutions with greater capacity and performance

B4AMBER

B3 ITM Ensure permanence of DR/BC venue

Regular trials/reviews

Education of ICT team and stakeholders

Clear, prioritised strategy/tactical delivery plan from corporate leads beyond ICT

ICT6 Failure of organisation to comply with General Data Protection Regulations (GDPR) from May 2018

Inadequate awareness of GDPR

Inadequate planning for impact of GDPR

Inadequate training of Members and Officers

Inadequate Policies and Procedures

Significant fines (up to 4% of turnover) for the council

Reputational impact

Loss of personal data could cause significant personal distress and/or safeguarding concerns to our customers

Data Protection Officer and information management resource from within ICT working with SIRO to prepare for GDPR

C4RED

B3 ITM DPO and ICT information management officer to become certified GDPR practitioners during April 2017

Information to be made available to Members and Officers as a priority

Training plan to be developed and

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

Inadequate corporate accountability to GDPR

delivered Policies/procedures

to be reviewed/created

Information asset ownership and accountability ensured and reinforced at Service level across organisation

Management teams to provide consistent leadership to compliance

HR1 Loss of paper records

Fire within the Town Hall

Loss of historic information

Fire alarmed building

B4

AMBER

A4 HRM Move fully to an electronic filing system

Consideration of fire protected storage in the short term.

HR2 Non-compliance with employment legislation corporately

Loss of key staff – stress/dismissal

Reduced resources

Adverse publicity Increased

number of complaints/claims

Financial outlay

Training for managers in people management issues

Ensure policies and procedures in place and adhered to

Provide support to

B3

AMBER

B3 HRM Leadership training for managers

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

managers

HR3 Unavailability of iTrent payroll system

Out of contract with the supplier.

Loss of Town Hall System not

updated with new legislation in time.

Staff not paid on time

Industrial action Backlog of data

inputting. Payroll and HR

have difficulty in delivering their services.

Business continuity plan in place and reviewed.

Disaster recovery support from ERYC as system owner.

ERYC have the resource to ensure the system is up to date with legislation.

Accessible from other locations as system is internet based.

ERYC could run the Payroll as an ultimate backup.

Effective working relationship with ERYC.

A3GREEN

A3 HRM Keep the disaster recovery and business plans up to date.

IA1 Increase in Fraud and Corruption (or the opportunity of such)

Poor economic climate

Lack of financial controls due to reduced resources.

Less staffing

Reputation damaged

Loss of income Theft of

stock/assets Low staff morale

Budget monitoring NFI data matching Procurement

regulations Constitution –

Financial Regulations

C3AMBER

C3 ALL Increase vigilance Fraud Awareness

training

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

resource Internal Control Framework

Certification/Authorisation control

Door access in main Town Hall

Systems password protected

Asset marking/Verification of assets

Internal Audit Whistleblowing

Policy Money Laundering

OfficerIA2 The Audit Plan

is not sufficiently robust

Services do not engage with Audit when setting the audit plan.

Scope of the audit plan is not correctly established.

New service functions are not audited.

No assurance that internal controls are sufficient.

Risk based approach to setting the audit plan

Audit meet with SUMS to agree the services to be audited

Audit has the autonomy to set the audit plan without undue influence from managers.

C3AMBER

B3 AM Continue to engage with services to demonstrate the benefit audit can deliver.

IA3 Failure to complete the

Audit staff absence

External audit cannot rely on the

Structured audit plan with allocated

C3AMBER

B3 AM Continual monitoring of audit

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

annual Audit Plan

Additional ad-hoc work that impacts on the audit programme.

Audits take longer than the time allocated.

normal work internal audit undertake.

Accounts may not be signed off

Inadequate controls in services may not be identified if audits not conducted

resources. Fundamentals

audits are prioritised.

Experienced staff.

plan progress.

PM1 The Council’s infrastructure assets are not adequately maintained (sea walls, promenades etc).

Insufficient financial resource.

Historical problems are coming to the fore.

Climate change

Gradual decline of assets results in increased costs.

Potential health and safety issues.

Condition of the assets deteriorates

Value of the assets reduces

Loss of revenue (if assets unavailable)

Adverse publicity Insurance claims

from third parties. Risk of

enforcement

Coast Protection Strategy

Financial Strategy Capital bids

submitted Identifying other

means of funding

E3RED

E2 Director (NE), PM

Continue to source other funding

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

action

PM2 Risk of landslide, landslip, rock falls and other natural hazards on coastal cliffs and those inland

Climate change Prevailing

geology

Loss of life/serious injury

Damage to property

Loss of access/amenity

Significant financial impact (repair/legal costs)

Compensation claims

Reputation undermined

Ground monitoring Bi annual

programme of inspections and remedial action

Reporting system in place with other relevant stakeholders

Specific risk management plans

C2(localised)AMBER

B3/4(significant)AMBER

C2(localised)

B3/4(significant

)

PM

PM3 Significant failure of coastal defences

Severe storms Lack of funding Ineffective repairs

Health and safety implications

Threat to life and property

Loss of revenue (if assets unavailable)

Loss of access/amenity

Financial exposure to the Council if emergency works are not recovered

Term maintenance contract in place

Revenue budget available but not sufficient to deal with significant failure

C2(localised)AMBER

B3/4(significant)AMBER

C2(localised)

B3/4(significant

)

PM Continue with the inspection and maintenance regime

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

(Bellwin)

C1 Failure to communicate effectively (externally)

Lack of streamlined communication

Untrained individuals doing press interviews/media releases

Communication staff absence

Non-engagement with the media

Damage to reputation

Poor public perception of Council and staff

Reduced Regeneration of the area

Distorted stories reported

Exaggeration of negative actions

Residents may be ill-informed of the facts

Council loses control of its stories.

Communication strategy

Positive action to promote the Council - “Good news” stories/articles

Good relationship with press

Crisis management Professional and

experienced staff Communication

representative at Emergency Planning

Media management training

Communication plan for specific projects

B3/4AMBER

B3 COM Renew the overarching Communication Strategy

Ensure all major projects has a communication plan

C2 Failure to communicate effectively (internally)

Selective approach to communication of information

Lack of coherent

Low staff morale Increased

turnover of staff Displays Lack of

trust in

Chief Executive attends staff meetings

E-mails Porthole

C3AMBER

C3 COM Increase usage of Porthole/technology

Renew overarching communication

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

mechanism for dissemination of information

employees Staff maybe

unaware of issues affecting the Council

Inconsistent message delivery

Corporate process of cascading information through the hierarchy to team meetings

Communications Officer

Communication Strategy

strategy.

EL1 Failure to deliver elections in accordance with statutory requirements

Missed statutory deadlines

Loss of key staff External printing

suppliers do not deliver

Adverse publicity Reputational

damage Legal challenge Financial impact

to re-run election Loss of faith in

the election process

Potential ‘Failed Service’ designation from the Electoral Commission.

Intense scrutiny on future elections

Experienced staff Up to date training Feedback sought

after each election Insurance cover in

place Election

Preparation Plan Project

management documents from Election Commission

Oversee the actual election process

Robust processes and procedures in place

Securely store all election equipment

A4AMBER

A4 CE/ELM Ensure service development and training plan is current and complied with.

Have contingency arrangements for external service providers

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

Deputies appointed for key roles (Returning Officers etc)

Contingency plans in place for polling station provision

EL2 Statutory timetable and requirements not met when compiling and maintaining the Electoral Register

Failure of specialist software

Non delivery of canvas forms

Residents not able to vote – legal challenge to the election result.

Financial cost of the legal challenge and re-running the election

Reputational damage

Adverse publicity

Experienced staff Contracts in place

with printers and software suppliers

Good network of support and advice

Regular training sessions for staff

Contingency plans around software provision

Poll card delivery Local and national

publicity plans to encourage residents to register

A2GREEN

A2 ELM

EL3 Failure to deliver Transformation efficiencies

Lack of engagement from internal services

Resistance to change

Business case assumptions

Efficiencies and savings not delivered (at all or in time)

Channel shift not achieved

Trained Business Analysts

Programme of reviews/projects

Allocated resources to each project as appropriate

B3AMBER

B3 ELM Continual training for the team members

Analytical skills training

Risk Ref

Risk Cause Consequences Mitigation CurrentRisk Score

Target Score

Responsible Officer

Action Plan

incorrect Lack of internal

resource to deliver projects

Project Boards Project teams Building strong

relationships with services

CE = Chief ExecutiveDirector (NE) = Director Nick EdwardsHRM = Human Resources ManagerAM = Audit ManagerPM = Projects ManagerITM = IT ManagerCOM = Communications ManagerELM = Elections Manager