Risk management framework

Introduction

This Risk Management Framework sets out our approach to risk management and outlines the key objectives, strategies and responsibilities for the management of risk across Revenue Scotland. It pertains to all staff and should be applied consistently across the organisation. 


Purpose

Revenue Scotland has a responsibility to manage risks and to implement a systematic approach to risk management including the promotion of a ‘risk aware’ culture, in order to support the effective delivery of its objectives. This requires risks to be regularly identified, reviewed, addressed and updated. The application of this Framework, supported by appropriate training for all staff, enables Revenue Scotland to effectively respond to the varied and changing risks it faces.


Benefits

Revenue Scotland is committed to ensuring that the management of risk underpins all business activities and that proportionate risk management tools and procedures are in place across the organisation as appropriate. This Framework, supported by appropriate training for staff, enables more effective risk management to take place, which in turn promotes:

  1. better informed decision-making
  2. more effective use of public resources
  3. enhanced strategic and business planning
  4. strengthened contingency planning

Risk Management Approach

Risk is defined within Revenue Scotland as:

"The effect of uncertainty on objectives; an effect is a positive or negative deviation from what is expected." (ISO 31000)

Revenue Scotland faces a variety of risks to the achievement of its objectives, as set out in its Corporate and Business Plans. Effective risk management allows the organisation to respond to those risks so as to maximise the likelihood of achieving its objectives and to ensure the best use of resources.

We employ a straightforward methodology for the management of risk. This reflects the principles outlined in the Orange Book, the Scottish Government Risk Management Guide and Audit Scotland's Risk Management Framework.

Revenue Scotland’s risk management process

  1. Identify risks: Risk identification is an ongoing activity to determine what risks might prevent the delivery of our objectives.
  2. Analyse and assess: Once a risk is identified the risk is assessed and scored considering the likelihood of it occurring and, if it were to occur, the impact (consequence) on the organisation.
  3. Respond to risks: Based on the risk scores there are four options for responding to risks.
  4. Monitor risks: Risks are monitored on a regular basis to ensure that the assessment of likelihood and impacts remains correct and that planned mitigations remain appropriate.
  5. Report risks: Reporting ensures that the key risks and their owners are clearly identified, that mitigations and specified actions are appropriate, and that those actions are being carried out.

We recognise the importance of fostering a risk management culture to ensure that values and behaviours are communicated and embedded at all levels to support effective risk management. Consequently, we will:

  1. review our Business Plan on an annual basis and consider associated risks
  2. review our Corporate Risk Register on a quarterly basis
  3. implement and monitor risk management arrangements across the organisation
  4. ensure that designated individuals are identified and receive the necessary training in connection with risk management
  5. ensure that staff understand our approach to risk and their role in risk management
  6. welcome independent review of our arrangements, including internal and external audit

Risk Management Structure

To ensure that Revenue Scotland has a full understanding of the risks being faced and the implications for the organisation, risks will be identified and assessed at two levels:

  1. Corporate: Those risks that, if realised, could have a significant detrimental effect on Revenue Scotland's key business processes, objectives and activities, including reputational and financial risks.
  2. Operational: Those risks that, if realised, could have a significant detrimental effect on the key operational objectives and activities.  These include project/programme level risks.

Risk registers

The corporate risk register records the most significant risks that have the potential to prevent Revenue Scotland, as a corporate body, from delivering its objectives as set out in the Corporate Plan.

Where it is proportionate, programme, project and operational risk registers will be maintained by the appropriate team leader or the Senior Responsible Officer (SRO).


Risk response and mitigation

A risk is assessed on the combination of the consequences of an event (impact) and its probability (likelihood). Revenue Scotland uses the same scoring template and methodology as the Scottish Government Risk Management Guide (detailed on page 14 of that document).

Based on the risk score there are four responses:

  1. Terminate: the risk is terminated by deciding not to proceed with an activity. For example, if a particular project is very high risk and the risk cannot be mitigated the decision may be taken not to continue with the project. Alternatively, the decision may be made to carry out the activity in a different way.
  2. Transfer: the risk is moved to another party who bears all, or shares part, of the risk. For example, this could include outsourcing an area of work to a third party or transferring risk through the use of insurance.
  3. Treat: mitigating actions or controls are identified and implemented to reduce the risk. These controls should be monitored on a regular basis to ensure that they are effective.
  4. Tolerate: it may not always be necessary (or appropriate) to take action to treat a risk, for example where the cost of treating the risk is considered to outweigh the potential benefits. If the risk is rated 'green' after mitigating actions then it can usually be tolerated.

Risk appetite

Risk Appetite is an expression of how much risk Revenue Scotland is prepared to take. Those involved in risk evaluation and prioritisation should consider, discuss and express risk appetite as they see it. This in turn informs which of the above responses is adopted to manage individual risks.

Defining and establishing risk appetite is a critical step in effectively managing risk within Revenue Scotland. By clearly understanding and articulating risk appetite, informed decisions can be made that align with our strategic objectives while ensuring an acceptable level of risk exposure. The following factors contribute to the determination of risk appetite:

  1. Organisational objectives: Risk appetite should be closely aligned with overall business objectives and long-term strategic goals. Risks associated with achieving these objectives must be evaluated to determine the level of risk tolerance that allows Revenue Scotland to pursue growth and innovation while safeguarding its reputation and financial stability.
  2. Stakeholder expectations: Understanding the expectations of stakeholders, including customers, employees and regulatory bodies, is crucial in defining risk appetite. Their risk tolerance levels and concerns must be considered to ensure that Revenue Scotland’s activities remain within acceptable risk-taking boundaries and meet their expectations.
  3. Industry and regulatory environment: The nature of Revenue Scotland’s context as a public body and the regulatory landscape in which it operates plays a significant role in defining its risk appetite. Risks inherent to its context must be considered along with the need to comply with applicable laws, regulations, and standards. This evaluation helps set appropriate risk thresholds and align risk appetite with industry best practices.
  4. Risk analysis and risk tolerance: Conducting a comprehensive risk analysis allows the identification, assessment and prioritisation of potential risks. Quantifying and qualitatively evaluating these risks allows the determination of risk tolerance levels for different categories of risk, enabling the definition of clear boundaries and thresholds for risk-taking activities.

The table below describes the different levels of risk appetite and the approach Revenue Scotland will take to the management of risks as a result of that appetite. These definitions are aligned with those used by the Scottish Government and the UK Government’s Orange Book.

Risk appetite descriptions

Very high / eager: Eager (or required) to be innovative and to choose options based on maximising opportunities and potential higher benefit, even if those activities carry a very high residual risk.

High / open: Willing to consider all options and choose the one most likely to result in successful delivery while providing an acceptable level of benefit. Seek to achieve a balance between a high likelihood of successful delivery and a high degree of benefit and value for money. Activities themselves may potentially carry, or contribute to, a high degree of residual risk.

Medium / cautious: Preference for safe options that have a low degree of inherent risk and only limited potential for benefit. Willing to tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant benefit and/or realise an opportunity. Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.

Low / minimalist: Preference for very safe business delivery options that have a low degree of inherent risk, with the potential for benefit/return not a key driver. Activities will only be undertaken where they have a low degree of inherent risk.

Very low / averse: Avoidance of risk and uncertainty in the achievement of key deliverables or initiatives is a key objective. Activities undertaken will only be those considered to carry virtually no inherent risk.


Risk mitigations

Risk mitigations are the controls and actions put in place to reduce the chance of the risk occurring, or to minimise the impact of the risk should it occur. These form part of our internal control system. This incorporates policies, processes, business continuity arrangements and other aspects of Revenue Scotland's operations which when taken together: 

  1. enable the organisation to respond appropriately to business risks.
  2. help ensure effective internal and external reporting, including the maintenance of proper records and processes that generate the flow of timely, relevant and reliable information.
  3. help ensure compliance with applicable laws and regulations. This includes, for example, having formal written procedures and policies applied consistently across the organisation supported by training for staff.

The risk that remains after taking account of mitigations is the ‘net’ or ‘residual’ risk. It is also good practice to define a ‘target risk’, informed by the organisation’s risk appetite, which is the tolerable level of risk that the organisation should be aiming for.


Risk tolerance

Risk Tolerance is the maximum amount of risk we are willing to tolerate. Controls and actions are put in place to manage the risk down to our target level. If all identified actions have been taken and controls implemented but we are still unable to reduce the risk to the target level, then consideration will be given to escalating it to the next level.


Risk controls and control effectiveness 

There are four control types that can be used to manage our risks down to our target levels. These are:

  1. Preventative: aims to remove or minimise a root cause so that a breach does not occur, i.e. these controls reduce the likelihood.
  2. Corrective: controls implemented in advance to minimise the impact of a breach should it occur.
  3. Detective: aims to identify a breach after it has happened and before its consequences crystallise.
  4. Directive: controls giving direction on expected behaviour.

The controls listed above are ordered by their effectiveness, preventative controls being the most effective and directive controls the least effective. 

We use these controls to mitigate our risks and review the effectiveness of them on a regular basis. 

Controls confidence assesses the level of assurance that the controls we have in place and the actions planned will manage our risks sufficiently to meet our target score. 

When assessing controls confidence, consideration is given to:

  • What are our controls and actions doing?
  • Are the controls working?
  • What are our expectations around our actions?

Responsibilities

The Revenue Scotland Board has ultimate responsibility for the management of the organisation’s risks. The Audit and Risk Committee, on behalf of the Board, provides assurance that an effective risk management framework and approach is in place. The Accountable Officer, supported by the Senior Leadership Team, is responsible for putting that framework in place and for ensuring that effective risk management processes are operating appropriately across the organisation. This includes ensuring that mechanisms are in place for assessing, monitoring and responding to risks.

All staff have a role to play in managing risk effectively and are expected to have an understanding of the nature of risk within Revenue Scotland and of the organisation’s risk appetite.  Our structure and governance framework supports this by providing both internal and external assurance.

Roles and responsibilities

Revenue Scotland Board

Responsibilities (frequency in brackets):
  • Ultimate responsibility for the management of risk and for setting the ‘tone from the top’ throughout the organisation. [Ongoing]
  • Considering reports on the operation of risk management arrangements from the Audit and Risk Committee and the Accountable Officer, and through consideration of the annual assurances for the completion of the annual report and accounts. [As required, at least annually]

Audit and Risk Committee (ARC)

Responsibilities (frequency in brackets):
  • Approving the overall risk management arrangements, including the appetite for risk. [Annually]
  • Scrutinising Revenue Scotland’s Risk Management Framework. [At least every three years]
  • Reviewing the strategic processes for risk, control and governance (including the Accountable Officer's Governance Statement). [Annually]
  • Monitoring the effectiveness of risk management arrangements. [Ongoing]
  • Reviewing Revenue Scotland’s Corporate Risk Register. [Quarterly]

Staffing and Equalities Committee (SEC)

Responsibilities (frequency in brackets):
  • Advising the Audit and Risk Committee on key controls and future mitigating actions in relation to people risks. [Ongoing]
  • Advising the Board and assisting the CEO on any risks relating to people issues, equality, diversity and inclusion, and health, safety and wellbeing. [Ongoing]
  • Contributing to any risk related to the Board’s corporate role and responsibilities. [Ongoing]

Accountable Officer

Responsibilities (frequency in brackets):
  • The Accountable Officer, supported by SLT, is responsible on behalf of the Board for ensuring that effective risk management processes are in place across the organisation and operating appropriately. [Ongoing]
  • They also have specific personal responsibility for signing the Annual Report and Accounts, including the Accountable Officer's Governance Statement. [Annually]


Revenue Scotland Senior Leadership Team (SLT)

Responsibilities (frequency in brackets):
  • Ensuring that the approach to risk management within the organisation is proportionate, fit-for-purpose and operating effectively across Revenue Scotland. [Ongoing]
  • Owning the Corporate Risk Register, ensuring its completeness and accuracy, and reviewing and challenging ‘red’ (high) risks. [Quarterly]
  • Ensuring that every significant risk is owned by a member of the Senior Leadership Team or Leadership Group. [Ongoing, as required]
  • Approving draft risk policies and strategies and recommending them to the Audit and Risk Committee. [Ongoing, as required in line with review schedules]

Risk owners (Senior staff nominated by SLT to own individual risks)

Responsibilities (frequency in brackets):
  • Supporting Revenue Scotland’s risk management framework and undertaking relevant training. [Ongoing]
  • Maintaining all aspects of the risks assigned to them, including the actions needed to mitigate each risk, and maintaining an action plan. [Ongoing]
  • Obtaining senior management support where necessary (e.g. deciding on target risk). [As required]
  • Liaising with colleagues to ensure that risk registers are kept up to date. [At least monthly]

Risk and Assurance Manager and the Governance Team

Responsibilities (frequency in brackets):
  • Supporting and aiding staff in their risk reporting. [Ongoing]
  • Providing guidance to staff on risk matters. [As required]
  • Collating and producing summary reports to the Senior Leadership Team, the Audit and Risk Committee and the Board. [Quarterly]
  • Participating in change control processes and reviews. [As required]

Revenue Scotland staff

Responsibilities (frequency in brackets):
  • Following Revenue Scotland’s Risk Management Framework. [Ongoing]
  • Having a good understanding of risk, the role of risk owners and the part they personally play in delivering Revenue Scotland's risk management framework. [Ongoing]
  • Being risk aware and reporting potential risks to line management for consideration. [Ongoing]
  • Undertaking regular risk management training. [Annually]


Where Revenue Scotland has delegated functions to other bodies, the risks associated with carrying out those functions will lie with the delegated body except where alternative arrangements have been agreed. 


Risk escalation

This framework is designed to provide effective support and challenge in managing risks. Escalating a risk to the next level does not remove responsibility for managing the risk; it ensures its effective communication, increases awareness and highlights where more supportive action might be needed.

Escalation levels (highest first) and the role of each:
  • Board / Audit and Risk Committee / Staffing and Equalities Committee: considers risks escalated by the Senior Leadership Team which will impact the achievement of Revenue Scotland’s strategic objectives.
  • Senior Leadership Team: considers risks to the achievement of strategic objectives and cross-cutting priorities, and escalated operational risks affecting the achievement of organisational objectives and priorities.
  • Operational teams, programmes and projects: consider risks affecting team, programme or project objectives, and escalate risks affecting the achievement of organisational objectives and priorities to the Senior Leadership Team.

To highlight risks appropriate for more senior awareness or action there is a structure in place for upward reporting, depending on the level of risk. When considering whether to escalate a risk, consider appropriate ‘risk tolerances’ that may be in place.  Risk tolerance is based on risk appetite and its assessment is not an exact science.

Escalation should be based on the judgement of the nature and scale of the specific risk e.g. the risk of a key member of a project leaving may be very high but not of sufficient scope to require escalation. When considering escalation the following questions should be considered:

  • Scale: Will it significantly damage objectives?
  • Scope: Does it cut across several areas of work?
  • Resources: Can it be described as exceptional?

Escalation should not be decided by risk scoring alone, but through detailed discussion to enable effective action. Escalating a risk to a higher level ensures increased visibility and enables more senior support and challenge, giving a more comprehensive perspective on the risk and facilitating connections that can support delivery.


Review

This document is subject to review at least every three years.


Page Revisions

  • 2 December 2025, 15:51