Risk Summary
The Orange Book 2004 draft



4. Risk identification:

  • 4.3 A statement of a risk should encompass the cause of the impact, and the impact to the objective which might arise.
  • 4.4 … risks will not all be independent of each other; rather they will typically form natural groupings.
  • 4.4 All risks, once identified, should be assigned to an owner.
  • 4.5 Two methods: commissioning a risk review, and risk self-assessment. 4.6 These approaches are not mutually exclusive, and a combination of approaches to the risk assessment process is desirable – this sometimes exposes significant differences in risk perception within the organisation.
  • 4.7 Horizon scanning activities are increasing in both the public and private sectors, reflecting the importance of early warning of risk developments.

4.8 Risk categories:

1. External (arising from the external environment, not wholly within the organisation’s control, but where action can be taken to mitigate the risk) – PESTLE model

  • 1.1 Political: Change of government, cross cutting policy decisions (Eg – the Euro); machinery of government changes
  • 1.2 Economic: Ability to attract and retain staff in the labour market; exchange rates affect costs of international transactions; effect of global economy on UK economy
  • 1.3 Socio cultural: Demographic change affects demand for services; stakeholder expectations change
  • 1.4 Technological: Obsolescence of current systems; cost of procuring best technology available
  • 1.5 Legal: EU requirements
  • 1.6 Environmental: Buildings need to comply with changing standards; disposal of rubbish and surplus equipment needs to comply with changing standards

2. Operational (relating to existing operations – both current delivery and building and maintaining capacity and capability)

- Delivery:

  • 2.1.1 Service / product failure: Fail to deliver the service to the user within agreed / set terms
  • 2.1.2 Project delivery: Fail to deliver on time/budget/specification

- Capacity and capability:

  • 2.1.4 Resources: Financial (insufficient funding, poor budget management, fraud); HR (staff capacity/skills/recruitment and retention); Information (adequacy for decision making; protection of privacy); Physical assets (loss/damage/theft)
  • 2.1.5 Relationships: Delivery partners (threats to commitment to relationship/clarity of roles); Customers/Service users (satisfaction with delivery); Accountability (particularly to Parliament)
  • 2.1.6 Operations: Overall capacity and capability to deliver
  • 2.1.7 Reputation: Confidence and trust which stakeholders have in the organisation

- Risk management performance and capability:

  • 2.2.1 Governance: Regularity and propriety/compliance with relevant requirements/ethical considerations
  • 2.2.2 Scanning: Failure to identify threats and opportunities
  • 2.2.3 Resilience: Capacity of systems/accommodation/IT to withstand adverse impacts and crises (including war and terrorist attack). Disaster recovery/contingency planning
  • 2.2.4 Security: Of physical assets and of information

3. Change (risks created by decisions to pursue new endeavours beyond current capability)

  • 3.1 PSA targets: New PSA targets challenge the organisation’s capacity to deliver/ability to equip the organisation to deliver
  • 3.2 Change programmes: Programmes for organisational or cultural change threaten current capacity to deliver as well as providing opportunity to enhance capacity
  • 3.3 New projects: Making optimal investment decisions/prioritising between projects which are competing for resources
  • 3.4 New policies: Policy decisions create expectations where the organisation has uncertainty about delivery


5. Risk assessment

5.2 The assessment should draw as much as possible on unbiased independent evidence, consider the perspectives of the whole range of stakeholders affected by the risk, and avoid confusing objective assessment of the risk with judgement about the acceptability of the risk.

5.3 This assessment needs to be done in respect of both likelihood of the risk being realised, and of the impact if the risk is realised. A categorization of high / medium / low in respect of each may be sufficient, and should be the minimum level of categorisation – this results in a "3x3" risk matrix.

5.3 It is not the absolute value of an assessed risk which is important; rather, what matters is whether or not the residual risk is regarded as tolerable, or how far the exposure is from tolerability.

5.4 Tolerability may be informed by the value of assets lost or wasted in the event of an adverse impact, stakeholder perception of an impact, the balance of the cost of control and the extent of exposure, and the balance of potential benefit to be gained or losses to be withstood.

5.5 Thinking about risk frequently focuses on residual risk. However care should also be taken to capture information about the inherent risk. If this is not done the organisation will not know what its exposure will be if control should fail. Knowledge about the inherent risk also allows better consideration of whether there is over-control in place - if the inherent risk is within the risk appetite, resources may not need to be expended on controlling that risk. This need to have knowledge about both inherent and residual risk means that the assessment of risk is a stage in the risk management process which cannot be separated from addressing risk.

5.5 … the extent to which the risk needs to be addressed is informed by the inherent risk whereas the adequacy of the means chosen to address the risk can only be considered when the residual risk has been assessed.

5.6 Risk assessment should be documented in a way which records the stages of the process. Documenting risk assessment creates a risk profile for the organisation which:

• facilitates identification of risk priorities (in particular to identify the most significant risk issues with which senior management should concern themselves),

• captures the reasons for decisions made about what is and is not tolerable exposure

• facilitates recording of the way in which it is decided to address risk

• allows all those concerned with risk management to see the overall risk profile and how their areas of particular responsibility fit into it

• facilitates review and monitoring of risks.

5.7 Once risks have been assessed, the risk priorities for the organisation will emerge. The less acceptable the exposure in respect of a risk, the higher the priority which should be given to addressing it.


6. Risk addressing/management:

6.1 There are five key aspects of addressing risk:

TOLERATE: The exposure may be tolerable without any further action being taken. Even if it is not tolerable, ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.

TRANSFER: For some risks the best response may be to transfer them. Transfer may be considered either because it reduces the exposure of the organisation or because another organisation (which may be another government organisation) is more capable of managing the risk effectively.

TERMINATE: Some risks will only be treatable, or containable to acceptable levels, by terminating the activity. It should be noted that the option of termination of activities may be severely limited in government when compared to the private sector; a number of activities are conducted in the government sector because the associated risks are so great that there is no other way in which the output or outcome, which is required for the public benefit, can be achieved.

TREAT: By far the greater number of risks will be addressed in this way. The purpose of treatment is that whilst continuing within the organisation with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level. Such controls can be further subdivided according to their particular purpose (see 6.2 below).

TAKE THE OPPORTUNITY: This option is not an alternative to those above; rather it is an option which should be considered whenever tolerating, transferring or treating a risk. There are two aspects to this. The first is whether or not at the same time as mitigating threats, an opportunity arises to exploit positive impact. The second is whether or not circumstances arise which, whilst not generating threats, offer positive opportunities.

6.2 The option of "treat" in addressing risk can be further analysed into four different types of controls:

DETECTIVE CONTROLS: These controls are designed to identify occasions of undesirable outcomes having been realised. Their effect is, by definition, "after the event" so they are only appropriate when it is possible to accept the loss or damage incurred.

DIRECTIVE CONTROLS: These controls are designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided - typically associated with Health and Safety or with security. Examples of this type of control would include a requirement that protective clothing be worn during the performance of dangerous duties, or that staff be trained with required skills before being allowed to work unsupervised.

PREVENTIVE CONTROLS: These controls are designed to limit the possibility of an undesirable outcome being realised. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. The majority of controls implemented in organisations tend to belong to this category. Examples of preventive controls include separation of duty, whereby no one person has authority to act without the consent of another (for example, the person who authorises payment of an invoice being separate from the person who ordered the goods prevents one person from securing goods at public expense for their own benefit), or limitation of action to authorised persons (for example, only those suitably trained and authorised being permitted to handle media enquiries prevents inappropriate comment being made to the press).

CORRECTIVE CONTROLS: These controls are designed to correct undesirable outcomes which have been realised. They provide a route of recourse to achieve some recovery against loss or damage. An example of this would be design of contract terms to allow recovery of overpayment. Insurance can also be regarded as a form of corrective control as it facilitates financial recovery against the realisation of a risk. Contingency planning is an important element of corrective control as it is the means by which organisations plan for business continuity / recovery after events which they could not control.

6.3 In designing control, it is important that the control put in place is proportional to the risk. … it is normally sufficient to design control to give a reasonable assurance of confining likely loss within the risk appetite of the organisation. Every control action has an associated cost and it is important that the control action offers value for money in relation to the risk that it is controlling. Generally speaking the purpose of control is to constrain risk rather than to eliminate it.


7. Risk reviewing

7.1 The risk which an organisation is managing has to be reviewed and reported on for two reasons:

• To monitor whether or not the risk profile is changing

• To gain assurance that risk management is effective, and to identify when further action is necessary.

7.2 Processes should be put in place to review whether risks still exist, whether new risks have arisen, whether the likelihood and impact of risks has changed, report significant changes which adjust risk priorities, and deliver assurance on the effectiveness of control. In addition, the overall process for risk management should be subjected to regular review to deliver assurance that it remains appropriate and effective. The review process should:

• ensure that all aspects of risk management are reviewed at least once a year

• make provision for alerting the appropriate level of management to new risks or to changes in already identified risks

7.3 A number of tools and techniques are available to help with achieving the review process:

• Risk Self Assessment (RSA)

• "Stewardship Reporting"

• The Risk Management Assessment Framework, produced by the Treasury, provides a tool for evaluating the maturity of an organisation’s risk management.

7.4 Every central government organisation is required to make provision for Internal Audit. Internal Audit’s work provides an important independent assurance about the adequacy of risk management.

7.6 Except in rare circumstances, every government organisation will have an Audit Committee (established as a Committee of the Board, ideally with non-executive membership and chaired by a non-executive) which will be charged with supporting the Accounting Officer in their responsibilities for issues of risk, control and governance and associated assurance (see the "Audit Committee Handbook", HM Treasury, October 2003, for more detail). The Audit Committee should be asked by the Accounting Officer / Board to:

• gain assurance that risk, and change in risk, is being monitored

• receive the various assurances which are available about risk management and consequently deliver an overall opinion about risk management

• comment on appropriateness of the risk management and assurance processes which are in place


8. Risk learning & communication

8.1 Communication and learning is not a distinct stage in the management of risk; rather it is something which runs through the whole risk management process.

8.2 The identification of new risks or changes in risk is itself dependent on communication. "Horizon scanning" in particular depends on maintaining a good network of communications with relevant contacts and sources of information to facilitate identification of changes which will affect the organisation’s risk profile.

8.3 Communication within the organisation about risk issues is important:

• It is important to ensure that everybody understands, in a way appropriate to their role, what the organisation’s risk strategy is, what the risk priorities are, and how their particular responsibilities in the organisation fit into that framework.

• There is a need to ensure that transferable lessons are learned and communicated to those who can benefit from them.

• There is a need to ensure that each level of management, including the Board, receives appropriate and regular assurance about the management of risk within their span of control.

8.4 Communication with partner organisations about risk issues is also important, especially if the organisation is dependent on the other organisation not just for a particular contract but for direct delivery of a service on its behalf. Misunderstanding of respective risk priorities can cause serious problems, in particular leading to inappropriate levels of control being applied to specific risks. Failure to gain assurance about whether or not a partner organisation has implemented adequate risk management for itself can lead to dependence on a third party which may fail to deliver in an acceptable way.

8.5 It is important to communicate with stakeholders about the way in which the organisation is managing risk to give them assurance that the organisation will deliver in the way which they expect, and to manage stakeholder expectation of what the organisation can actually deliver. This is especially important in relation to risks which affect the public and where the public depend on government to respond to the risk for them.


9. Risk partnerships

9.1 No organisation is entirely self-contained – it will have a number of interdependencies with other organisations. These inter-dependencies are sometimes called the "extended enterprise" and will impact on the organisation’s risk management, giving rise to certain additional risks which need to be managed. These considerations should include the impact of the organisation’s actions on other organisations.

9.2 Many organisations will have inter-dependencies with other Government organisations with which they do not have a direct control relationship – the delivery of their objectives will depend upon / impact upon the delivery of the other organisations' objectives. In these circumstances what one organisation does will have a direct impact on the risks which another organisation faces, and effective liaison between the two organisations is essential to facilitate an agreed risk management approach which will allow both to achieve their objectives.

9.3 Many government organisations will have a relationship with bodies which they either "parent" or which have a "parent" role over them. In particular many policy departments are dependent on Executive Agencies or Non-Departmental Public Bodies (NDPBs) for delivery of their policy, and many Executive Agencies and NDPBs are constrained in policy by their parent department. In these circumstances the risk priorities of a parent department will impact on the priorities of the organisations which they sponsor, and the sponsored organisations’ experience of managing risk in delivery of the policy needs to be considered by the parent organisation in the further development of policy. Regular and open discussion of risk issues between parent organisations and sponsored organisations is critical to the overall effective delivery of public service.

9.4 Probably all government organisations will have dependencies on contractors, although the extent of these dependencies will vary. These relationships may range from straightforward supply of goods which the organisation requires in order to function, through to delivery of major services to, or on behalf of, the organisation.


10. Risk environment

10.1 Beyond the boundary of the "extended enterprise", other factors contribute to the environment in which risk has to be managed. These factors may either generate risks which cannot be directly controlled, or they may constrain the way in which the organisation is permitted to take or address risk. Often the only response which an organisation can make in relation to the risk environment is to prepare contingency plans. It is important that an organisation should consider its wider risk environment and identify the way in which it impacts on its risk management strategy.

10.2 In particular, laws and regulations, can have an effect on the risk environment. It is important for an organisation to identify the ways in which laws and regulations make demands on it, either by requiring the organisation to do certain things or by constraining the actions which the organisation is permitted to take.

10.3 The economy, both domestically and internationally, is another important element of the risk environment. Whilst for most organisations the general economy is a given, it does affect the markets in which they have to function in obtaining or providing of goods and services.

10.4 A particular aspect of the risk environment which is important for government organisations is Government itself. In principle, government organisations exist to deliver the policies which the Government and its Ministers have decided upon. There is a particular strand of risk management which is important in providing Ministers with risk based policy advice. Nevertheless, officials in government organisations may be constrained in the risks which they do or do not take by policy decisions.

10.5 Every organisation is also constrained by stakeholder expectation. Risk management actions, which appear good value and effective in the abstract, may not be acceptable to stakeholders. For government organisations this is especially important in respect of relationships with the public; actions that would be effective at dealing with a specific risk may have other effects that the public are unwilling to accept.


11. Risk appetite

1) Corporate risk appetite is the overall amount of risk judged appropriate for an organisation to tolerate, agreed at board level. The Board and senior managers should judge the tolerable range of exposure for the organisation and identify general boundaries for unacceptable risk. In doing this the Board may want to take Ministerial views on risk-taking into account.

2) Delegated Risk Appetite: The agreed corporate risk appetite can then be used as a starting point for cascading levels of tolerance down the organisation, agreeing risk appetite in different levels of the organisation. This then means that different levels of the organisation are clear on the boundaries in which they are operating, and feel confident about the amount of risk they are exposed to.

3) Project Risk Appetite: Projects that fall outside of day-to-day business of an organisation might need their own statement of risk appetite.


1) Escalation: When different levels of the organisation have a hierarchy of tolerance levels, it is possible to set ‘trigger points’ where risks can be escalated to the next level as they approach or exceed their agreed risk appetite levels.

2) Resource allocation: Once the risk appetite level is set, it is possible to review if resources are targeted appropriately. If a risk does not correspond to the agreed risk appetite, resources could be focused on bringing it to within the tolerance level. Risks which are already within the agreed tolerance level could be reviewed to see if resources could be moved to more risky areas without negative effects.

3) Project initiation: When taking the decision whether to initiate a new project, and when undertaking subsequent OGC Gateway reviews, risk appetite can be used as a guide on whether to proceed with the project and also to help identify and manage risks which may impede the success of the project.
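The 3x3 assessment of 5.3, the inherent-versus-residual distinction of 5.5, the prioritisation rule of 5.7 and the delegated appetite with escalation trigger points described in section 11 fit together naturally as a small risk register. The following is an added example written to show that fit; it is not code from the Orange Book or HM Treasury. The numeric scoring of the matrix, the three appetite tiers with their tolerable and trigger scores, and the four sample risks are all constructed for illustration.

```python
"""Risk register for the Orange Book's 3x3 assessment (5.3), inherent versus
residual exposure (5.5), prioritisation by distance from tolerability (5.7)
and delegated risk appetite with escalation trigger points (11).
Added example: the numeric scoring, the appetite tiers and the sample risks
are constructed for illustration and are not taken from the Orange Book."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """High / medium / low, the minimum categorisation the Orange Book suggests (5.3)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def exposure(likelihood: Level, impact: Level) -> int:
    """Collapse a cell of the 3x3 matrix to a score from 1 to 9 (constructed scoring)."""
    return int(likelihood) * int(impact)


@dataclass(frozen=True)
class Risk:
    ref: str
    statement: str                  # cause and impact on the objective (4.3)
    owner: str                      # every identified risk is assigned an owner (4.4)
    inherent: tuple[Level, Level]   # (likelihood, impact) before any control (Annex 4)
    residual: tuple[Level, Level]   # (likelihood, impact) assuming controls are effective
    controls: tuple[str, ...] = ()

    @property
    def inherent_exposure(self) -> int:
        return exposure(*self.inherent)

    @property
    def residual_exposure(self) -> int:
        return exposure(*self.residual)


@dataclass(frozen=True)
class Appetite:
    """Delegated risk appetite for one level of the organisation (11)."""
    tier: str
    tolerable: int   # highest residual exposure score this tier may tolerate
    trigger: int     # score at which a risk is escalated to the next tier


def assess(risk: Risk, appetite: Appetite) -> dict:
    """5.3 and 5.5: is the residual exposure tolerable, how far from tolerability
    is it, what is the exposure if control fails, and is there possible over-control?"""
    gap = risk.residual_exposure - appetite.tolerable
    return {
        "ref": risk.ref,
        "tolerable": gap <= 0,
        "distance_from_tolerability": gap,
        "exposure_if_controls_fail": risk.inherent_exposure,
        # 5.5: inherent risk already within appetite, yet resources are spent on control
        "possible_over_control": bool(risk.controls)
        and risk.inherent_exposure <= appetite.tolerable,
    }


def prioritise(register: list[Risk], appetite: Appetite) -> list[str]:
    """5.7: the less acceptable the exposure, the higher the priority (refs, highest first)."""
    ranked = sorted(register, key=lambda r: r.residual_exposure - appetite.tolerable, reverse=True)
    return [r.ref for r in ranked]


def escalate(risk: Risk, ladder: list[Appetite]) -> str:
    """11 (Escalation): walk the delegated appetites from the lowest tier upwards and
    return the first tier whose trigger point the residual exposure has not reached."""
    for level in ladder:
        if risk.residual_exposure < level.trigger:
            return level.tier
    return f"{ladder[-1].tier} (exceeds corporate appetite)"


# Constructed sample register and appetite ladder (not from the Orange Book).
REGISTER = [
    Risk("R1", "Loss of a key delivery partner causes failure to deliver the service within agreed terms",
         "Head of Operations", (Level.HIGH, Level.HIGH), (Level.MEDIUM, Level.HIGH),
         ("contract terms allowing recovery", "contingency supplier")),
    Risk("R2", "Weak access restriction on casework records causes unauthorised disclosure of personal data",
         "Information Manager", (Level.MEDIUM, Level.HIGH), (Level.LOW, Level.HIGH),
         ("access limited to authorised staff", "periodic access-log review")),
    Risk("R3", "Surplus equipment disposal fails to meet changing environmental standards",
         "Facilities Manager", (Level.LOW, Level.LOW), (Level.LOW, Level.LOW),
         ("quarterly compliance audit",)),
    Risk("R4", "New PSA target exceeds current capacity, so the target is missed",
         "Programme Director", (Level.HIGH, Level.MEDIUM), (Level.MEDIUM, Level.MEDIUM),
         ("phased delivery plan",)),
]
LADDER = [Appetite("team", tolerable=2, trigger=3),
          Appetite("directorate", tolerable=4, trigger=5),
          Appetite("board", tolerable=6, trigger=7)]

if __name__ == "__main__":
    board = LADDER[-1]
    for ref in prioritise(REGISTER, board):
        risk = next(r for r in REGISTER if r.ref == ref)
        print(ref, assess(risk, board), "-> escalate to:", escalate(risk, LADDER))
```

Two design points follow the text rather than the scoring: `assess` reports the inherent exposure alongside the residual so that the register always records what the exposure would be if control failed (5.5), and it flags possible over-control when a risk that is already within appetite before any control still carries controls that consume resources. `escalate` implements the trigger points of section 11 by walking the delegated appetites upwards, so a risk that has reached a tier's trigger is passed to the next tier until one is found whose appetite can hold it.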


Annex 2: Overall Assurance on Risk Management

2. Making explicit the scope of the assurance boundaries:

In order to arrive at an overall opinion the scope of the processes required for obtaining assurance need to encompass the whole of the organisation’s risk management lifecycle. This does not mean that every risk and every control has to be reviewed in order to obtain assurance. However, the review, which takes place, will need to provide:

  • 2.1 Assurance on the Risk Management Strategy - Ascertain the extent to which all line managers review the risks / controls within the ambit of their responsibility
  • 2.2 Assurance on management of risks/controls themselves - encompass all the key risks and encompass enough of the other risks to support confidence in the overall opinion reached
  • 2.3 Assurance on the adequacy of the review/assurance process - quality assured to engender confidence in the review process

3. Evidence:

The evidence supporting assurance should be sufficient in scope (2.2) and weight (4.2) to support the conclusion and be:

• relevant

• reliable

• understandable

• free from material misstatement

• neutral/free from bias

• such that another person would reasonably come to the same conclusion

4. Evaluation:

4.1 The objective is to:

• evaluate the adequacy of the risk management policy and strategy to achieve its objectives,

• evaluate the adequacy of the risk management processes designed to constrain residual risk to the risk appetite

• identify limitations in the evidence provided or in the depth or scope of the reviews undertaken

• identify gaps in control and/or over control, and provide the opportunity for continuous improvement, and

• support preparation of the SIC (Statement on Internal Control)

4.2 In evaluating evidence to arrive at an overall judgment or opinion all of the evidence criteria at 3 need to be considered. However it is important to recognise that not all evidence is of the same weight in deriving assurance. Evidence should be weighted:

  • According to its independence – the more independent the evidence, the more reliance can be placed on it.
  • According to its relevance – in determining the overall assurance there is a need to ensure that the evidence relates to those elements of the risk management lifecycle considered to be significant - evidence relevant to the more significant risks is consequently of greater relevance to the overall assurance
  • Evidence may be flawed in terms of both quantity and quality where the evidence criteria are not met, leading to limitations in the assurance that can be provided. For example, merely obtaining more evidence will not compensate where the quality of evidence is low or where the source of evidence is not reliable.


Annex 3: Summary of Horizon Scanning Issues

• Periodicity / Regularity: horizon scanning may be continuous or periodic (e.g. weekly or annually).

• Timescale: Policy makers could well be interested in developments over the next twenty-five years whilst horizon scanning that supports operational decision making may be restricted to a six month timeframe.

• Scope: Some organisations may be fairly insular in their risk identification processes if they perceive that the major element of risk arises from within the organisation; others may need to consider a much wider scope if they consider that they may face risks from a wider environment.

• Opportunity/threat: Some horizon scanning is concerned mainly with spotting potential problems, but it can equally be used to scan for opportunities ("positive risks"), and many problems may be translatable into opportunities if spotted early enough.

• Rigour / technicality: Horizon scanning varies in the extent to which it is structured and supported by technology. Some organisations use sophisticated assessment schemes and information search technologies; other organisations will rely almost entirely on informal networks of contacts and good judgment.


Annex 4: Glossary of key terms

Assurance – an evaluated opinion, based on evidence gained from review, on the organisation’s governance, risk management and internal control framework.

Audit Committee – a Committee appointed to support the Accounting Officer (in NDPBs a Committee of the board to support the Board) in monitoring the corporate governance and control systems in the organisation.

Exposure – the consequences, as a combination of impact and likelihood, which may be experienced by the organisation if a specific risk is realised.

Inherent Risk – the exposure arising from a specific risk before any action has been taken to manage it.

Residual risk – the exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.

Risk – uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.

Risk appetite – the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.

Risk assessment – the evaluation of risk with regard to the impact if the risk is realised and the likelihood of the risk being realised.

Risk Assurance Committee – a Committee established to undertake the role which the Audit Committee should otherwise undertake in respect of assurance on risk management.

Risk management – all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.

Risk Management Committee - a Committee established with executive authority to take action to manage the risks which face the organisation.

Risk strategy – the overall organisational approach to risk management as defined by the Accounting Officer and / or Board. This should be documented and easily available throughout the organisation.

Risk profile – the documented and prioritised overall assessment of the range of specific risks faced by the organisation.

Internal control – any action, originating within the organisation, taken to manage risk. These actions may be taken to manage either the impact if the risk is realised, or the frequency of the realisation of the risk.