
FM206


Date of issue:  31 July 2002

Update: May 2004

 

RISK MANAGEMENT

 

CONTENTS                                                      PARAGRAPH

Introduction                                                  1
  - Background                                                2-3
  - Definitions                                               4-9
  - Need to ‘Embed’ Risk Management Throughout PPARC          10-13
  - Inclusion in DAASIC                                       14

Policy                                                        15-16
  - PPARC Mission Statement & Strategic Goals                 17-18

Responsibilities                                              19
  - Council                                                   20
  - Chief Executive                                           21
  - Audit Committee                                           22
  - PPARC Risk Policy Group                                   23-24
  - Directors’ monthly meeting                                25
  - Executive Finance Committee                               26
  - Establishment Directors/Director Administration           27-28
  - Budget Holders/Project Managers/Group Leaders             29
  - Individual Members of Staff                               30

Risk Management Process
  - Good Practice                                             31-35
  - Identification of Key Risks                               36-39
  - Key Stakeholders for PPARC                                40-41
  - Risk Analysis - Likelihood vs Impact                      42-44
  - Risk Assessment                                           45-46
  - Risk Appetite                                             47-49
  - Management of Risk                                        50-51
  - Risk Management Options                                   52
  - Reduction of Risks                                        53-54
  - Reporting                                                 55-58
  - Contingency Planning                                      59
  - Realisation of Risk                                       60-61
  - Corporate timetable for review                            62
  - Transparency                                              63
  - Training                                                  64

Queries                                                       65

Risk Identification Guide Words                               appendix 1
Risk Analysis – ‘Scoring’ Guidelines                          appendix 2
Risk Matrix                                                   appendix 3
Risk Assessment Output                                        appendix 4
Risk Management Action Plan                                   appendix 5
Local Contacts                                                Annex A


FM 206

Date of issue:  31 July 2002

Updated February 2004

 

 

RISK MANAGEMENT

 

            INTRODUCTION

 

1.         The purpose of this FM is to provide details of PPARC’s policy with regard to Risk Management.  It describes the risk management process adopted by PPARC including the need to follow good practice; the identification of key risks; risk analysis; the need for ownership of each risk; reporting mechanisms; the need for transparency in risk assessment; and the requirement for formal training in management of risk.

           

Background

 

2.                  The “Turnbull Report” addressed Corporate Governance issues and the internal control requirements of the Combined Code [paras 1-7 of the Turnbull Report] produced by the Hampel Committee and, together with reports from Cadbury, Rutteman and Greenbury, set new challenges for management of all public sector bodies.  Guidance from Turnbull is based on the adoption of a risk based approach to establishing a sound system of internal control and the continuous monitoring and review of its effectiveness.

 

3.                  The Turnbull Report, as adopted by HM Treasury, has led to the requirement for all organisations to produce an Annual Statement of Internal Control, signed alongside the Accounts by the Chief Executive Officer (CEO) as Accounting Officer (see DAO13/00 and DAO09/03 and Revision 3 to Government Accounting 2000 (GA2000) Chapter 21).  The Accounting Officer is charged with maintaining a sound system of internal control that supports the achievement of the Council’s policies, aims and objectives, and regularly reviewing the effectiveness of that system.  In order for the CEO to sign the Statement he must therefore have the necessary assurance that staff in all areas of PPARC have considered all risks to their areas of operation; that internal controls are adequate to ensure effective and efficient operation whilst minimising the risk of fraud and error; that good risk management practice has been both implemented and embedded across PPARC; and state that the results of his review of the effectiveness of internal control have been discussed with Council, Audit Committee and the Risk Policy Group.  He must also acknowledge that PPARC will continue to maintain and develop risk management and associated review processes.

 

 

Definitions

 

4.                  Risk is defined in GA2000 as referring to:

 

‘uncertainty of outcome whether positive opportunity or negative threat, of actions and events.  It is the combination of likelihood and impact, including perceived importance’.

 

 

5.                  Risk Management covers all the processes involved in identifying, assessing and judging risks, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.  Risk management requires:

 

  • Processes in place to monitor risks;
  • Access to reliable, up-to-date information about risk;
  • The right balance of control in place to deal with those risks; and
  • Decision-making processes supported by a framework of risk analysis and evaluation.

 

6.                  Risk management includes identifying and assessing risks (the “inherent risk”) and then responding to them.  The response can be one of the following: to decide to tolerate the risk, to transfer the risk, to terminate the activity giving rise to the risk, or to treat the risk in an appropriate way to constrain the risk to an acceptable level.  The level of risk remaining after internal control has been exercised (the “residual risk”) should be acceptable and justifiable; the level of risk that is believed to be acceptable and justifiable is the “risk appetite”.

 

7.         The “system of internal control” is designed to manage risk to a reasonable level, rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.  The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of PPARC’s policies, aims and objectives, to evaluate the likelihood of these being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.

 

8.         In the context of the PPARC risk management framework ‘risk’ may be defined as:

 

‘the threat that an event or action will adversely affect PPARC’s ability to achieve its overall objectives and execute its strategies effectively in the short term or in the future.’

 

9.         The most important element of risk management is that PPARC should be in a position to explain why its processes are appropriate to its circumstances.  Risk is as much concerned with good things not happening as bad things happening.  Risk can therefore have a positive as well as a negative impact.  Indeed, the very nature of PPARC’s work is risk based and, to some degree, taking informed risks should continue to be encouraged.  However, it is important to note that it is the responsibility of all managers to manage risk to an acceptable level and not to seek to eliminate or recklessly encourage it.

 

10.        Stakeholders are groups or organisations that have a vested interest or influence on the business outcome of PPARC activities.  Stakeholders can have a key role in providing assurance on risk management.  Risk assessment within PPARC also takes into account the adequacy of stakeholders’ risk management processes.

 

            Need to ‘Embed’ Risk Management Throughout PPARC

 

10.        The identification and analysis of risk is inherent in much of what PPARC does eg scientific programme, financial, project, personnel, IT and Health & Safety procedures.  However, a formal framework has been introduced to allow clear and consistent identification, classification and assessment of all risk areas.  PPARC has introduced a risk management policy so that risk is routinely addressed as part of all decision making processes eg policy papers addressing new issues or developments, new project proposals etc include a risk assessment.  Decision papers for all major projects must contain a full risk assessment.  Once any risk area and its impact have been determined, the activity receives continual monitoring and reporting.  It is essential that risk management (business, scientific and operational) remains at the forefront and that it is embedded within regular business processes at all PPARC Establishments.  All members of staff are responsible for embedding risk management in their activities and processes.

 

11.        The formation of risk registers individually, locally and PPARC-wide enables constant review of risk priorities and provides transparent, auditable evidence that PPARC’s risk management processes are consistent with the statements made in the Chief Executive’s Annual Statement on Internal Control.

 

12.        Aside from the risk registers mentioned above, auditable evidence is to be available as part of the embedded processes which individuals follow in the course of their day to day work. 

 

13.        Risk Management procedures are established within key systems and decision making processes.  Examples include:

 

i.                     Integrating risk management formally within business planning eg the development of Strategic and Operating Plans.

ii.                   Integrating the management of individual risks and associated response plans within personal work plans of key staff.  Monitoring is part of the staff management and appraisal process.

iii.                  The format of decision papers of all types (eg policy, new issues, developments, projects, funding requests, complement changes) to decision making bodies includes explicit consideration of risk.

iv.                 Ensuring that responsibilities in respect of risk management are formally sub-delegated by Directors to management teams as part of the delegation and accountability framework.

 

 

            Directors Annual Assurance Statement of Internal Control (DAASIC)

 

14.        The top level risks identified by each Establishment are routinely reported to SO.   All Directors sign the DAASIC annually to confirm, amongst other things: compliance with the PPARC risk policy and requirements of Appendix 2 to the DAASIC supplementary guidance for Directors; that due consideration is given to risk assessment and management when taking decisions; that risk management is embedded at their Establishment or in their Directorate; and that risk registers are maintained, reviewed, updated and reported to SO and are available for audit inspection.  These statements provide the Chief Executive with the necessary assurance that PPARC operates a sound system of internal control to enable him to sign the Statement on Internal Control in the Annual Account.

 

POLICY

 

15.       PPARC’s policy on Risk Management, originally issued under cover of Council Circular 07/02, can be viewed on PPARC’s intranet.  The policy may be summarised as follows:

 

            The PPARC systematically identifies, evaluates and manages its key risks to ensure that it achieves its overall objectives and strategies whilst also promoting future opportunities and protecting both internal and external stakeholders.

 

16.        The policy is implemented through a range of actions including maintenance of up-to-date risk registers, routine monitoring and reporting of risk management performance and effectiveness of internal controls and assignment of risk ownership.

 

PPARC Mission Statement and Strategic Goals

 

17.        The object of the risk management process is to identify the key risks to PPARC achieving our mission which, as given by the Royal Charter, can be expressed as:

 

“To pursue a programme of high-quality basic research in astronomy, space science and particle physics which furthers our understanding of fundamental questions, trains high-quality scientists and engineers, increases UK industrial competitiveness, attracts future generations of scientists and engineers and stimulates the public interest.”

 

18.       There are seven strategic goals identified by Council and Senior Managers which help PPARC achieve its mission and these must be considered during the risk assessment process (see Strategic Plan 2003-2008):

 

i.          Research Excellence

 

·         Improve the UK’s performance as a world-leader in particle physics, space science and astronomy through targeting investment in projects in which the UK can deliver distinctive and high-impact contributions.

 

·         Position the UK, through international partnerships, to win leadership roles in the construction and exploitation of the next generation of major facilities, for example, a Linear Collider, Extremely Large Telescopes, and ESA space missions.

 

 

            ii.         People

 

·         Increase the output of highly trained scientists and engineers to contribute to the nation’s needs

·         Motivate sufficient high-quality postdoctoral students to stay in publicly funded research

·         Create opportunities for researchers to win leadership in international projects

·         Provide better-defined career paths for researchers in partnership with universities

·         Develop a motivated, skilled and flexible workforce in PPARC and its institutes.

 

            iii.        Innovative Technologies

 

·         Increase investment in blue-skies technology and in R&D programmes that will underpin the next generation of research facilities.

·         Develop more effective partnerships with specific industrial sectors to help deliver new technologies.

 

iv.        Knowledge Transfer

 

·         Foster greater awareness in industry of the opportunities to exploit our innovative technologies.

 

v.         Science and Society

 

·         Increase public awareness and interest in our science through greater input to the non-science media

·         Work with other agencies to improve the quality of science education in schools and increase the output of scientifically literate school children

·         Engage more effectively with the public to improve the quality of public debate on the social impact of science and better inform policy formulation.

 

vi.        Working in Partnership

 

·        Develop stronger partnerships directly, or through the Research Councils UK partnership, with other funding agencies to ensure more joined-up strategic thinking on how the UK’s performance in science, knowledge transfer and public engagement can be improved.

 

vii.       Operational Effectiveness

 

·         Deliver continuous improvement in programme management and administration to ensure value for money.

 

            RESPONSIBILITIES

 

19.       The following paragraphs set out the key responsibilities of each management level within PPARC.  Responsibility for consideration of risk in all business processes and daily routines falls directly on all staff; this section aims to clarify at what level this occurs.

 

            Council

 

20.       Council provides oversight of the progress PPARC has made on the implementation and embedding of risk management throughout the organisation.  It has endorsed the risk management strategy.  It is regularly informed of the steps taken to implement the documented risk policy designed to strengthen Corporate Governance and meet the requirements of the Turnbull report and GA2000.  Council also discusses the results of the regular reviews of the effectiveness of internal control and provides high level guidance on the overall risk tolerance of PPARC ie the level of risk that it considers acceptable/tolerable before risk improvement measures are required.

 

            Chief Executive

 

21.       As PPARC Accounting Officer, the Chief Executive bears overall responsibility for maintaining a sound system of internal control that supports the achievement of PPARC’s policies, aims and objectives whilst safeguarding the public funds and assets that he is personally responsible for.  He is ultimately responsible for the implementation and maintenance of risk management processes and is liable to be called to account where failures of internal control occur.  However, responsibility for consideration of risk in all business processes and daily routines falls directly on all staff.  

 

 

 

 

            Audit Committee

 

22.       The Audit Committee has oversight responsibility for governance issues in PPARC.  It is kept fully informed of progress in further developing the risk management framework and provides advice and guidance when appropriate.  The Committee has endorsed the risk management strategy and also discusses the results of the regular reviews of the effectiveness of internal control.  On behalf of Council the Audit Committee also reviews both the reports of the reviews of PPARC’s risk environment prepared by the RCIAS and the Executive’s response to recommendations made.

 

PPARC Risk Policy Group

 

23.       The Risk Policy Group is responsible for co-ordinating PPARC’s continued response to the Risk Management initiative.  The Group, chaired by Director, Administration, has overseen the implementation and development of processes and procedures, endorsed the risk management strategy and discusses the results of the regular reviews of the effectiveness of internal control.  The Group ensures that policy guidance and instruction are issued as necessary, monitors establishments’ Risk Management action plans, monitors risk embedding, receives top level risk registers and compiles the PPARC Risk Register.  Further, it directs the establishment of necessary action plans where required.

 

24.       This group is authorised by the CEO to investigate any aspect of risk management within their terms of reference which are available on the intranet.  It is authorised to seek any information that it requires from any employee and all employees are directed to co-operate with any request made by the group.

 

 Directors Meeting

 

25.       The PPARC Directors’ monthly meeting retains overall responsibility for reviewing the risk processes in PPARC.  It ensures all proposals carry suitable assessments of risk and also considers changes to PPARC’s risk appetite/tolerance.

 

            Executive Finance Committee

 

26.       The Executive Finance Committee, chaired by the Director Programmes, is a key tool in the management of the PPARC programme.  It provides timely visibility of the status of PPARC’s finances by regularly considering changes or issues arising for each project/activity or budget line.  Consideration is given particularly to those changes that significantly impact the overall PPARC position and, therefore, may impact on the risk registers.  In general, information considered by this Committee is provided by the Programme Managers / Budget Holders.

 

Establishment Directors/Director Administration

 

27.       Each establishment ensures its senior management team/local Risk Management Group regularly reviews its local risk register and action plans and reports these to SO as part of the routine internal control and annual DAASIC process (see para 14).  The review process also considers the acceptable level of local risk tolerance.  Directors ensure that internal processes in decision making fully evaluate the exposure to risk.

 

28.       Each establishment also reviews its register’s links with the PPARC register as this aids discussion and oversight of how risks are changing at the local and federal level. 

 

 

            Budget Holders/Project Managers/Group Leaders

 

29.       Budget holders and project managers are responsible for following sound project management principles; developing and implementing action plans to manage risks appearing on the registers; identifying and monitoring other risks to key objectives; identifying and monitoring related risks to PPARC’s stakeholders; and ensuring senior management are alerted to significant changes in risk and/or key controls through feedback to risk managers and owners.

 

Individual members of staff

 

30.       All staff need to exercise judgement on the acceptable level of risk within their area of responsibility within the constraints of the overall PPARC-wide, local Establishment and group strategies and objectives.  Feedback to appropriate budget holders, project managers and/or group leaders, through the line management chain, is an essential part of this process.  An appropriate level of risk management should be reflected in individual Personal Work Plans (PWPs) particularly where an individual is responsible for management of a specific key risk (ie named owner on a register); and/or responsible for a control process that enables an inherent risk to be managed to an acceptable level; and/or where a person is responsible for developing risk manage