Description
The Risk Management Assessment Framework (RMAF) is a tool for assessing the standard of risk management in an organisation. It is offered as an optional tool to help collect and assess evidence.
Risk Management assessment
framework:
a tool for departments
July 2009
July 2009
Risk Management assessment
framework:
a tool for departments
Of?cial versions of this document are printed on
100% recycled paper. When you have ?nished
with it please recycle it again.
If using an electronic version of the document, please
consider the environment and only print the pages which
you need and recycle them when you have ?nished.
© Crown copyright 2009
The text in this document (excluding the Royal Coat
of Arms and departmental logos) may be reproduced
free of charge in any format or medium providing that
it is reproduced accurately and not used in a misleading
context. The material must be acknowledged as Crown
copyright and the title of the document speci?ed.
Where we have identi?ed any third party copyright
material you will need to obtain permission from the
copyright holders concerned.
For any other use of this material please write to Of?ce
of Public Sector Information, Information Policy Team,
Kew, Richmond, Surrey TW9 4DU or e-mail:
[email protected]
ISBN 978-1-84532-625-8
PU829
100%
Risk Management assessment framework: a tool for departments 1
Contents
Page
Introduction 3
Summary 5
Risk Management assessment tool 7
Chapter 1 Leadership 9
Chapter 2 Risk strategy and policies 11
Chapter 3 People 15
Chapter 4 Partnerships 19
Chapter 5 Process 21
Chapter 6 Risk handling 27
Chapter 7 Outcomes 31
Risk Management assessment framework: a tool for departments 3
Introduction
The Risk Management Assessment Framework (RMAF) is a tool for assessing the standard of risk
management in an organisation. It is offered as an optional tool to help collect and assess
evidence. It will support the production of a Statement on Internal Control, and is consistent
with the criteria set out in Government Accounting (Chapter 21).
The Framework has its genesis in the EFQM excellence model but is simplified and targeted to
provide a flexible tool to assist in evaluating performance and progress in developing and
maintaining effective risk management capability and assessing the impact on delivering
effective risk handling and required/planned outcomes. It should also assist with identifying
areas of particularly good or poor performance and in establishing priorities for improvement
action.
It is intended that it can be used flexibly to replace or augment existing evaluation arrangements
as appropriate. The top-level framework and the seven key questions can be used with or
without the supporting question sets and/or the quantified ‘levels’ scale. The Framework can
also be used centrally or devolved for self-assessment by business units or used cooperatively
with partner organisations. Where business units deliver a discrete activity or where agencies,
NDPBs etc responsible for their own SIC are involved then self-assessment using the Framework
should be useful to all parties in evaluating risk management performance and areas for
improvement.
The question sets under each of the seven main questions are intended as indicative of the
range of issues and extent of evidence needed to come to a decision in respect of the key
questions. All the questions may not be relevant to all Departments and existing arrangements
in a Department (or agency, NDPB etc) may cover some or all the question areas.
The tool should enable any ‘gaps’ in existing evaluation arrangements to be identified and
provide a means to identify actions to rectify them. It will also assist in indicating the evidence
that will need to be provided by any alternative evaluation tool in order to effectively judge
performance and progress.
The performance levels scale provides a means of quantifying performance and should assist in
benchmarking performance, both in terms of type of activity (leadership, strategy, people etc)
and business units, divisions, projects etc within an organisation. This should help with planning
and priority setting for future work plans and in identifying and setting targets for improvement
and in monitoring progress towards those targets. It should also provide a basis for peer review
and/or benchmarking between organisations (bilaterally or multilaterally).
Risk Support Team
29 October 2004
Risk Management assessment framework: a tool for departments 5
Summary
1. Assessment Framework
The top-level framework is adapted from the EFQM Excellence Model but is simplified and
targeted to provide a flexible tool to assist in monitoring and evaluating performance in a
systematic and structured way. It can be used to identify areas of particularly good or poor
practice and in establishing priorities for improvement action.
At the most summarised level there are seven questions to address:
Capabilities
1 Leadership: do senior management and Ministers support and promote risk
management?
2 Are people equipped and supported to manage risk well?
3 Is there a clear risk strategy and risk policies?
4 Are there effective arrangements for managing risks with partners
5 Do the organisation’s processes incorporate effective risk management?
Risk Handling
6 Are risks handled well?
Outcomes
7 Does risk management contribute to achieving outcomes?
These seven ‘key’ questions at the top-level are each underpinned by a lower level, non-
exhaustive, set of questions which are intended as indicative of the range of issues and extent of
evidence needed to come to a decision in respect of the key questions and hence to help guide
evidence gathering.
2. Assessment Scale
The levels scale provides a means of quantifying performance and should assist in monitoring
existing performance, in identifying and setting targets for improvement and in judging progress
towards those targets. It should also be useful in establishing a basis for planning and priority
setting for future work plans and for peer review and/or benchmarking, both within and
between organisations (bilaterally or multilaterally).
The assessment scales have five levels to gauge progress in developing the necessary risk
management capabilities and to assess the effectiveness of Risk Handling and impact on
delivering successful Outcomes. In summary these levels are:
Capability (Leadership; Policy & Strategy; People; Partnerships & Resources; and
Processes):
1 Awareness and understanding
2 Implementation planned & in progress
3 Implemented in all key areas
4 Embedded and improving
6 Risk Management assessment framework: a tool for departments
5 Excellent capability established
Risk Handling and Outcome performance:
1 No evidence
2 Satisfactory
3 Good
4 Very good
5 Excellent
3. Using the Assessment Tool
This can be used either to give a broad/impressionistic overview, using just the summary
framework. Alternatively, by using the top-level questions informed by systematically collected
evidence (such as that indicated by the supporting indicative questions) it can give a more
detailed assessment. This would be suitable for monitoring and reviewing the effectiveness of
internal control processes and supporting a Statement on Internal Control (SIC). In this latter
respect it is consistent with the criteria set out in Government Accounting (Chapter 21). It can
also be used in reviewing and reporting on performance and progress in improving risk
management capability and assessing impact on improved risk handling and performance
outcomes. Used in this latter way it can also assist with identifying areas of particularly good or
poor performance and in establishing priorities for improvement action. The framework can also
be used as a tool to assist peer-review and benchmarking, both internally and between
organisations (bilaterally or multilaterally).
Risk Management assessment framework: a tool for departments 7
Risk Management assessment tool
Risk Management assessment framework: a tool for departments 9
1 Leadership
Do senior managers and Ministers promote risk management?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Top management
are aware of need
to manage
uncertainty & risk
and have made
resources available
to improve
Senior Managers &
Ministers take the
lead to ensure that
approaches for
addressing risk are
being developed
and implemented
Senior Managers
act as role models
to apply risk
management
consistently and
thoroughly across
the organisation
Senior
management are
proactive in driving
and maintaining
the embedding and
integration of risk
management; in
setting criteria and
arrangements for
risk management
and in providing
top down
commitment to
well managed risk
taking to support
and encourage
innovation and the
seizing of
opportunities.
Senior Managers
re-enforce and
sustain risk
capability,
organisational &
business resilience
and commitment
to excellence.
Leaders regarded as
exemplars.
Evidence
Are senior management and Ministers:
1.1 Taking key risk judgements and providing clear direction?
• Are they routinely in a position to be aware of the key risks and have systems in
place to ensure that this is up to date?
• Do they have a good understanding of the key risks facing the organisation and
their likely implications for service delivery to the public and the achievement of
programme outcomes?
• Are the risks that could result in key objectives or service delivery responsibilities not
being met identified and the likelihood of them maturing regularly assessed?
• Are key risks prioritised for action and mitigation actions identified and
monitored?
10 Risk Management assessment framework: a tool for departments
1.2 Setting the criteria/arrangements for the department’s appetite/tolerance for taking on risk?
• Are they setting the criteria for acceptable and/or unacceptable risk?
• Are they setting the criteria for reference for Board consideration?
• Are they establishing the criteria/arrangements for escalation of consideration of
risks at various levels in the department etc)?
(See also section 5.5.3)
1.3 Supporting innovation?
• Is well-managed risk taking encouraged to help seize opportunities and support
effective innovation?
• Is there support and reward for innovation and seizing opportunities to better
deliver the organisations aims and objectives?
• Is individual success rewarded and support given by management when things go
wrong despite risks being well managed, ie avoiding a blame culture?
1.4 Ensuring clear accountability for managing risk?
• Are appropriate staff members clearly assigned responsibilities for assessing,
reporting and managing identified risk and are these responsibilities regularly
reviewed?
• Do those responsible have the necessary authority and support to discharge their
responsibilities effectively?
• Do managers understand and take responsibility for the management of risk in their
area?
• Are matters actively reported through the management arrangements and to the
audit/risk committee or Board as appropriate?
1.5 Driving implementation of improvements in risk management?
• Are they proactive in supporting and encouraging effective risk management?
• Are they proactive in supporting and driving a culture embracing well-managed risk
taking?
• Are they proactive in supporting and driving the embedding of effective risk
management in the departments core activities (ie policy making, planning and
delivery)?
• Are they ensuring effective management of risks to the public?
• Are they ensuring effective communication about risks and risk issues?
• Are they ensuring that managers and staff are equipped with necessary skills,
guidance and other tools?
Further guidance on risk management is available from our website, which can be found at:http://www.hm-treasury.gov.uk/psr_governancerisk_index.htm
Risk Management assessment framework: a tool for departments 11
2 Risk strategy and policies
Is there a clear risk strategy and risk policies?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
The need for a risk
strategy and related
policies has been
identified and
accepted
A risk management
strategy & policies
have been drawn
up and
communicated and
are being acted
upon
Risk strategy &
policies are
communicated
effectively and
made to work
through a
framework of
processes
An effective risk
strategy and
policies are an
inherent feature of
department policies
and processes
Risk management
aspects of strategy
and policymaking
help to drive the
risk agenda and are
reviewed and
improved.
Role model status
Evidence
Is there a clear:
2.1 Risk Management Strategy?
(The Risk Management Strategy may be a contained in a separate document but this is not
essential and as embedding progresses more of the information would be expected to be part of
the organisations general policies and processes)
• Is there a risk management strategy which:
o Is endorsed by the Head of the organisation/ Board / Audit Committee / Risk
Committee?
o Sets out the organisation’s attitudes to risk?
o Defines the structures for the management and ownership of risk and for the
management of situations in which control failure leads to material realisation of
risks?
o Specifies the way in which risk issues are to be considered at each level of
business planning and delivery ranging from the corporate process to operational
action and the setting of individual staff’s objectives?
o Includes risk as an opportunity (if it can be managed effectively) as well as a
threat?
o Allows for peer review and the benchmarking of risks where appropriate?
12 Risk Management assessment framework: a tool for departments
o Specifies how new activities will be assessed for risk and incorporated into risk
management structures?
o Ensures common understanding of terminology used in relation to risk issues?
o Defines the structures for monitoring, review and gaining assurance about the
management of risk?
o Defines the criteria that will inform assessment of risk and the definition of
specific risks as “key”?
o Defines the way in which the risk register(s) and risk evaluation criteria will be
regularly reviewed?
• Is it easily available to all staff and reviewed at least annually to ensure it remains
appropriate and current?
• Does if allow for balancing the portfolio of risk?
• Does it support effective innovation and encourage well-managed risk taking to
generate improved delivery of aims and objectives?
• Does it encourage and promote the integration of risk management into
established procedures and arrangements for departmental business, ie policy
making, planning (eg business plans, delivery plans, spending plans etc), delivery
etc and does this include effective management of risks to the public (information
on ‘Principles of Managing Risks to the Public’ can be found at:http://www.hm-
treasury.gov.uk/managing_risks_public.htm
• Does it include effective communication about risk with staff and all stakeholders,
inside and outside the organisation and including management of risks to the
public? (A tool-kit on risk communications providing more detailed guidance can be
found on:http://www.ukresilience.info/risk/index.htm)
2.2 Risk Management Policy?
(The Risk Management Policy may be a contained in a separate document but this is not
essential and as embedding progresses more of the information would be expected to be part of
the organisations general policies and processes)
• Does a formal risk policy (policies) exist and is this documented, endorsed by the
head of the organisation, clearly communicated, readily available to all staff and
subject to regular review?
• Were views from in-house stakeholders (eg employees, internal experts, auditors
etc) taken into account?
• Is the risk management policy (policies) integrated with established policies for
departmental business activities (ie policy, planning, delivery etc)
• Are there clear statements that set out a proactive approach to innovation, and are
staff encouraged to read them?
• Is there an explicit policy to encourage well-managed risk taking where it has good
potential to realise sustainable improvements in service delivery and value for
money, and is this policy actively communicated to all staff?
• Is a common definition of risks and how they should be managed, clearly
communicated and adopted by all staff throughout the organisation with detailed
guidance for staff drawing up or implementing programmes, policies, plans etc?
Risk Management assessment framework: a tool for departments 13
• Is there a policy on balancing the portfolio of risk within the overall risk
appetite/tolerance and does this include seizing opportunities as well as dealing
with threats?
Risk Management assessment framework: a tool for departments 15
3 People
Are people equipped and supported to manage risk well?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Key people are
aware of the need
to assess and
manage risks and
they understand
risk concepts and
principles
Suitable guidance is
available and a
training
programme has
been implemented
to develop risk
capability
A core group of
people have the
skills & knowledge
to manage risk
effectively
People are
encouraged and
supported to be
innovative and are
generally
empowered to take
well-managed risks.
Most people have
relevant skills &
knowledge to
manage risks
effectively and
Regular training etc
is available for
people to enhance
their risk skills and
fill any ‘gaps’
All staff are
empowered to be
responsible for risk
management and
see it as an
inherent part of the
Departments
business. They have
a good record of
innovation and well
managed risk
taking
Evidence
Are people equipped and supported by:
3.1 The Culture of the organisation?
• Is there a general culture of risk management at all levels?
• Do managers and staff feel able to raise risk related issues?
• Do staff have clear reporting chains and mechanisms to raise risk issues?
• Do managers and staff feel able to raise risk issues even where this may be seen as
‘bad news’?
• Are they encouraged and empowered to identify and take opportunities that will
better deliver aims and objectives?
• Are they confident that their concerns/ideas will be heard and acted on?
16 Risk Management assessment framework: a tool for departments
• Do staff feel empowered to take well-managed risks?
• Are staff rewarded for taking well-managed risks?
• Are staff confident that they will not be blamed for failure when risks have been
well managed?
• Are staff encouraged to challenge practices, to identify new ways of doing things
and to be innovative?
• Do the monitoring and reporting systems generate an expectation that action will
be taken on issues raised?
• Is risk management encouraged as part of the established way of planning and
delivering the departments business?
• Is risk management performance embedded in recruitment and performance
appraisal?
• Is risk management incorporated into quality measures, eg Investors in people?
3.2 Arrangements for allocation of Responsibility?
• Do staff have properly delegated clear and appropriate responsibility for managing
risks and seizing opportunities?
• Is this reflected in their personal objectives and annual assessment?
• Are they clear when matters should be referred elsewhere (eg line management,
audit committee, risk committee, board etc) for consideration?
3.3 Arrangements to ensure staff Awareness?
• Are staff aware of the importance of handling risks well, of being innovative and
identifying and seizing opportunities to improve outcome performance?
• Are staff aware of the risk management strategy and policy(ies)?
• Are they aware of the key objectives, priorities and main risks facing the
organisation as a whole?
• Are staff aware of the key objectives, priorities and main risks facing their part of
the organisation?
3.4 Provisions to ensure appropriate risk management knowledge, experience and skills?
• Are staff adequately trained and experienced in risk management relative to the
needs of the organisation and the particular job being done?
• Do staff receive appropriate guidance and training on the typical risks that the
organisation faces in relation to their role/job, and the action to take in managing
these risks?
• Do staff use guidance effectively?
• Do they have good access to advice and expertise?
• Does the personal performance review include assessment of relevant risk
management skills and establish development objectives to fill any gaps?
Risk Management assessment framework: a tool for departments 17
• Are arrangements in place to ensure new staff receive early assessment of their
development needs and appropriate guidance, training etc to rapidly address these
needs.
• Does skills transfer place take place when consultants or risk management
professionals work within local teams?
Risk Management assessment framework: a tool for departments 19
4 Partnerships
Are there effective arrangements for managing risk with partners?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Key people are
aware of areas of
potential risk with
partnerships and
understand the
need to agree
approaches to
manage these risks
Approaches for
addressing risk with
partners are being
developed and
implemented
Risk with partners is
managed
consistently for key
areas and across
organisational
boundaries
Sound risk
management
arrangements have
been established.
The most suitable:
partnership
arrangement (PFI,
‘arms length’ etc);
partners; suppliers
etc are selected in
full knowledge of
the risks, risk
management
capability &
compatibility
Excellent
arrangements in
place to identify
and manage risks
with all partners
and to monitor and
improve
performance.
Organisation
regarded as a role
model
Evidence
Are there appropriate mechanisms for:
4.1 Identifying, assessing and managing risk in Partnerships:
• Are the risks associated with working with other organisations assessed and
managed?
o Are there arrangements to ensure a common understanding of the risks and how
they can be managed (eg a joint/shared risk register, sharing of risk register
information, agreed risk assessments etc)?
o Are there arrangements for agreed standards for assessing risks?
o Has the risk terminology/language been agreed?
o Is there clarity about who is carrying which risks and what the requirements are
for providing information?
o Are those responsible for managing the risks empowered to do so?
20 Risk Management assessment framework: a tool for departments
• Are arrangements scaled to match the risks, size/importance of the project etc?
• Are all those organisations, which are likely to have some influence over the success
of a programme or service to the public identified (e.g. through landscape reviews)?
• Are there arrangements to ensure, where possible, selection of the most
appropriate partnership approach (eg ‘arms length', partnering, PFI etc)?
• Is consideration being given to the need for a consistent and common approach to
managing risks that cut across organisation boundaries, for example cross-
departmental projects?
• Do organisations understand and have confidence in the risk management
arrangements of all those involved in the joint working or who could influence the
success of the programme?
• Are there incentives for partners to manage risks effectively (ie is the risk reward
balance right for each partner)?
• Is there clear responsibility and accountability for risks where delivery of results is
through partners, eg some risks (eg reputational) may remain even though
responsibility for delivery is with a partner?
4.2 Monitoring and reviewing performance?
• Is there reliable and regular information (eg Key issues, risks to be monitored, scale
of risks, how they will be managed) to monitor the risk management performance
of all those organisations involved?
• Is it clear who will provide what monitoring information and are rights of access
sufficient to obtain the necessary information?
• Are there arrangements for joint review of risks and how differences of judgement
and/or perception will be resolved?
4.3 Provision and testing of contingency arrangements?
• Are there adequate contingency arrangements (including prioritisation of mitigation
action) to minimise the adverse effects on public service delivery of one or more
party failing to deliver?
• Have the contingency arrangements been tested?
4.4 Identifying and addressing the implications of risk transfer?
• Has the extent to which risks can be transferred to organisations – both public and
private – best placed to manage them been considered and acted upon?
• Are staff encouraged to take responsibility for risks when they are best placed to do
so rather than transferring them to other organisations?
• Where risks are transferred to a partner organization are accountabilities clearly
established and capacity maintained to manage and monitor performance and take
early action in the event of difficulty?
(See also guidance - Managing Risks with Delivery Partners at:http://www.hm-
treasury.gov.uk/managing_risk_delivery_partners.htm )
Risk Management assessment framework: a tool for departments 21
5 Processes
Do the organisation’s processes incorporate effective risk
management?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Some stand-alone
risk processes have
been identified
Recommended risk
management
processes are being
developed
Risk management
processes
implemented in key
areas. Risk
capability self
assessment tools
used in some areas
Risk management is
an integral part of
the organisation’s
core processes
(policy, planning,
delivery etc) and
data are collected
to monitor and
improve risk
management
performance
Management of
risk & uncertainty is
an integrated part
of all business
processes. Best
practice approaches
are used and
developed.
Selected as a
benchmark site by
other organisations
Evidence
5.1 Is Risk Management being fully embedded in the organisation’s business processes?
• Is risk management embedded in key processes, eg:
o Policymaking (see also guidance and tool ‘Early Management of Risks to Delivery’
at:http://www.hm-treasury.gov.uk/early_management_of_risks.htm
o Project and programme management?
o Operational management?
o Performance management?
o Business planning?
o Delivery planning?
o Spending Review?
• Are there well-established approaches for (i) identifying risk and (ii) assessing and
reporting risks that are effectively communicated, followed and fully understood by
relevant staff?
22 Risk Management assessment framework: a tool for departments
• Is risk management ongoing and integrated with other procedures so that staff
accept it as a standard requirement of good management and not a one-off or
annual activity?
• Are arrangements in place to ensure risks to the public are well managed,
including:
o Ensuring openness and transparency;
o Promoting wide involvement and engagement;
o Taking steps to promote proportionate and consistent action;
o Ensure clarity in the validity and use of all relevant evidence;
o Ensure those best placed to manage the risk are given the responsibility for so
doing? (ie implementation of the ‘principles of managing risks to the public’ –http://www.hm-treasury.gov.uk/managing_risks_public.htm)
• Are arrangements in place to ensure sufficiently early and effective communication
on risks and risk issues with staff, internal and external stakeholders, including
members of the public etc (eg application of cabinet office guidance to be found
at:http://www.ukresilience.info/risk/index.htm)?
5.2 Do the processes support innovation and the identification and seizing of opportunities?
• Are arrangements in place to identify opportunities that might be available if risks
are well managed, (eg reduced need for elaborate systems of oversight and control
of service delivery and hence greater cost effectiveness and efficiency)?
• When practicable is a monetary or other numerical value put on risk to emphasise
to staff the potential loss or missed opportunity which could occur if risks are not
well managed?
5.3 Do the procedures ensure risk management arrangements are effective and reflect good
practice?
• Are arrangements in place, such as reviews by internal audit, consideration by audit
and/or risk committee, involvement of non-executive Director(s), peer review,
benchmarking with other organisations etc, to ensure that risk management
approaches are effective, efficient and reflect good practice?
• Are the arrangements for monitoring and review subject to review to ensure they
remain appropriate, proportionate and cost-effective?
• Has management sought advice from internal and external audit on good practice
in the development, implementation and maintenance of robust risk management
processes and systems?
• Has professional advice been taken to ensure that the most appropriate tools and
techniques are used to assess risk and the likelihood of it maturing?
• Are both internal and external experiences used to inform risk management
processes and procedures?
5.4 Do the processes ensure appropriate resilience?
• Does the organisation have a well-developed business/service continuity plan?
• Does the organisation have an IT recovery plan?
Risk Management assessment framework: a tool for departments 23
• Is the action (ie contingency plans, business continuity plans) planned to deal with
consequences of risks maturing (such as the impact on the delivery of services to
the public) regularly reviewed (tested as appropriate) to ensure that it remains
appropriate, sufficient and cost effective?
5.5 Do the Risk Management Processes contain:
5.5.1 Context for risk management?
• Is the context in which risk is managed identified by considering the issues of:
o Stakeholders, including:
Ministerial interests?
Public interests?
Service user interests?
Wider societal interests (eg environment)?
o Risk aspects of relationships inside and outside of government (including key
suppliers of goods and services), including:
Ways in which the behaviour of “partners” affects the organisation?
Ways in which the behaviour of the organisation affects the “partners”?
The risk priorities of “partners”?
(See also Section 4. Partners)
5.5.2 Risk identification and evaluation?
• Is there documentation which:
o Records identified risks and opportunities in a structured way to:
record dependencies between risks?
record linkages between lower level risks and higher-level risks?
identify key risks?
facilitate assignment of ownership at a level that has authority to assign
resources to the management of the relevant risk?
o Evaluates risks using defined criteria that are applied consistently?
o Provides evaluation of inherent risk (before any control implemented) and
residual risk (risk remaining after planned controls are implemented)?
o Evaluates risk-taking account of both:
the likelihood of the realisation of the risk, and
the impact of the realisation of the risk?
o Identifies assigned ownership of the risk?
o Records, in as far as it can be defined:
the acceptable level of exposure in relation to each risk?
24 Risk Management assessment framework: a tool for departments
why it is considered that the defined acceptable level of exposure can be
justified?
• In assessing risks are the potential implications for key stakeholders – citizens as
both taxpayers and consumers of government services and specific client groups
such as business – taken account of?
• Is a risk assessment carried out before commencing major projects and reviewed at
intervals to determine its continued validity and identify any new and emerging
risks?
• Is use made of feedback from the public (eg citizens’ forum) to identify the public’s
perception and attitude to risk(s) and to help with identification of any unforeseen
risks?
• Are early warning indicators in place – covering for example, quality of service or
seasonal increase in customer demand not being met – to alert senior management
of potential problems in service delivery or that the risk of planned outcomes not
being met is increasing?
• Is horizon scanning used to spot emerging threats and opportunities?
5.5.3 Criteria for evaluation of risk?
• Do specific criteria for evaluating risk encompass a range of factors, including:
o Financial / value-for-money issues?
o Service delivery / quality of service issues?
o Public concern/public trust /confidence issues?
o Degree and nature of risks to the public?
o Reversibility or otherwise of realisation of the risk?
o The quality or reliability of evidence surrounding the risk?
o The impact of the risk on the organisation (including its reputation) /
stakeholders (including the public) / partners / others?
o Defensibility of realisation of the risk?
• Are these criteria applied consistently and methodically across the whole range of
risks?
5.5.4 Risk control mechanisms?
• Are controls in place in relation to each risk which are:
o Based on active consideration of the options for controlling that risk to an
acceptable level of residual exposure?
o Promulgated to all those who need to know about the controls?
o Regularly reviewed to consider whether they continue to be effective?
o The best value for money response to the risk?
o Documented by the relevant managers?
Risk Management assessment framework: a tool for departments 25
• In respect of key risks, including those which lie outside the control of the
organisation, are plans developed and documented contingent against the risk
being materially realised despite the controls that are in place (ie to address the
residual risk after control action)?
• Are there adequate Business Continuity arrangements?
• Are reliable contingency arrangements in place so that if problems arise services to
the public will be maintained and the adverse impact on key programme outcomes
such as late delivery or reduced quality will be minimised?
5.5.5 Arrangements for appropriate Communications?
(See also cabinet office guidance to be found at:http://www.ukresilience.info/risk/index.htm)
• Are there adequate means of communicating with staff about risk issues?
• Is there adequate communication with external stakeholders?
• Are the principles of communicating on risk to public being implemented fully?
• Are trusted sources used to communicate on risk to the public? (e.g. best use of
arms-length bodies?)
• Is there a reliable communications strategy in place so that if risks mature those
most affected by the potential adverse consequences fully understand and have
confidence in the remedial action that the organisation may need to take?
• Are communication issues considered at a sufficiently early stage to ensure
implications can fully inform policy, programme etc development and
implementation?
• Are there effective arrangements to meet the requirements of the Freedom of
Information (FOI) Act?
5.5.6 Review and assurance mechanisms?
• Are review and assurance mechanisms in place to ensure that each level of
management, including the Board, regularly reviews the risks and controls for
which it is responsible?
o Are these reviews monitored by / reported to the next level of management?
o Is any need to change priorities or controls clearly recorded and either actioned
or reported to those with authority to take action?
• Are risk identification, assessment and control lessons that can be learned from
both successes and failures identified and promulgated to those who can gain from
them?
• Is an appropriate level of independent assurance provided on the whole process of
risk identification, evaluation and control?
o Is the methodology for gaining independent assurance defined with particular
reference to the role of internal audit and the audit committee (or assurance, risk
committee etc), and to the role of non- executive directors and any other review
bodies working within the organisation?
• Has any system of peer review and/or benchmarking been used to provide
independent assurance of the approach used and the results
Risk Management assessment framework: a tool for departments 27
6 Risk handling
Are risks handled well?
Summary of progress
Level 1:
No evidence
Level 2:
Satisfactory
Level 3:
Good
Level 4:
Very Good
Level 5:
Excellent
No clear evidence
that risk
management is
being effective
Limited evidence
that risk
management is
being effective in at
least most relevant
areas
Clear evidence that
risk management is
being effective in
all relevant areas
Clear evidence that
risks are being
handled very
effectively in all
areas
Very clear evidence
of excellent risk
handling in all
areas and that
improvement is
being pursued
Evidence
Has risk management action contributed to:
6.1 Effective anticipation and management of strategic risks?
• Reduction in levels of threat?
• Higher risk ‘opportunities’ being identified and successfully pursued?
• Successful anticipation of shocks or other risk events?
• Reduced adverse impact of unexpected/low likelihood events?
• Crises being avoided/mitigated (eg analysis of near misses, avoiding issues
escalating into crises)?
• Successful application of contingency or business continuity plans?
• Contingency and business continuity plans being drawn up and successfully tested?
6.2 Effective decision and policymaking?
• A robust evidence base for decisions?
• Proactive procedures and approaches to maximise identification of opportunities in
line with the organisations risk appetite/tolerance?
• Stakeholder involvement and understanding of stakeholder issues and perceptions?
• Allowance for delivery issues in policy development?
• Proactive promotion of Innovation occurring knowing that risks can be managed
effectively?
28 Risk Management assessment framework: a tool for departments
• Allocation of resources (including skills/capabilities) and prioritisation in line with
aims and objectives?
• Assessment of resources allows time/resources for staff to learn any new working
methods
• High quality risk assessments and risk management proposals in Delivery plans,
policy formulation, business plans etc?
• Evaluation of intended and unintended outcomes occurring?
• Few significant and unanticipated weaknesses arising?
• Few policy failures (e.g. few legal challenges) consistent with the risk
appetite/tolerance?
• Good identification and management of reputational risks?
• Few issues resulting in reputational damage?
• High level of customer/stakeholder satisfaction?
6.3 Effective handling of cross cutting issues?
• Good coordination, understanding and management of risks with delivery
partners?
• Clear and effective coordination of policies and actions between Departments?
• Few surprises from other government Departments’ policies & activities?
6.4 Effective review and assurance?
• Regular and effective use of independent assurance of quality and effectiveness of
risk management?
o Internally (eg internal audit, Audit/Assurance/Risk committee, Non-Executive
Directors)
o Externally (eg interdepartmental exchanges, external experts etc)
• Clear accountability for key risk management decisions?
• Identification of indicators of effective risk management that are capable of
measurement and monitoring over time?
• and which can demonstrate contribution to
6.5 Effective planning and target setting?
• Objectives and targets that are relevant and stretching but achievable and capable
of monitoring and validation (eg are they SMARTer)?
• Clear setting of risk appetite/tolerance?
• Decisions are not taken in ignorance of the risk?
• Clear understanding & consideration of the overall level of risk taken on and the
approach being taken to manage it?
• High level of understanding of the capability to manage this level of risk?
Risk Management assessment framework: a tool for departments 29
• High quality of risk identification and proposals for risk management in business
and delivery plans?
6.6 Effective management of risk to the public?
• High level of openness and transparency in respect of risks to the public?
• High level of success in engagement with the public, media and representational
organisations on risk decisions?
• Clear explanation of risks and presentation of robust, validated evidence for
decisions wherever possible (eg unless there are issues such as confidentiality or
security)?
• Proportionality in decisions on risk management (ie take account of nature and level
of risks, costs, benefits and also aspects such as public/societal concerns)?
• Consistency in decision-making?
• Effective communication on risk with the public (greater public understanding of
risk)?
• Effective implementation of provisions of the Freedom of Information Act?
6.7 Effective risk allocation?
• Allocation of risk to those best able to handle it? (e.g. public, partner organisations,
staff within the organisation)?
• Consideration of the potential impact on the total portfolio of risks before a new
initiative, project etc is taken on?
6.8 Effective management of risks to delivery?
• Assessment and control of risks inherent and evident in day-to-day actions of staff?
• Learned lessons from elsewhere in department/outside department, notably for new
or untried aspects?
• Assessment of cost-effectiveness of potential new services, including improved
value for money?
• Flexibility and resilience to the way services are delivered (eg adapt to changes in
public expectations; regular appraisals of delivery mechanisms, careful planning and
effective continuity arrangements)?
6.9 Encouraging greater efficiency?
• Assessment of departmental procedures and processes against well managed risk
taking and the departments risk appetite/tolerability criteria to ensure they are fit
for purpose and cost effective (eg potential for improved service delivery, value for
money)?
Risk Management assessment framework: a tool for departments 31
7 Outcomes
Does risk management contribute to achieving outcomes?
Summary of progress
Level 1:
No evidence
Level 2:
Satisfactory
Level 3:
Good
Level 4:
Very Good
Level 5:
Excellent
No clear evidence
of improved
outcomes
Limited evidence of
improved outcome
performance
consistent with
improved risk
management
Clear evidence of
significant
improvements in
outcome
performance
demonstrated by
measures including,
where relevant,
stakeholders’
perceptions
Clear evidence of
very significantly
improved delivery
of outcomes and
showing positive
and sustained
improvement
Excellent evidence
of markedly
improved delivery
of outcomes which
compares
favourably with
other organisations
employing best
practice
Evidence
Has risk management action contributed to:
7.1 Successful delivery?
• Better public services (delivery to meet commitments eg to quality, coverage,
timeliness, with few errors etc; potential disruptions to delivery anticipated and
avoided/addressed/mitigated etc)?
• Sustained improvements in services (continuing improvement over time taking
account of stakeholder and public views, lessons learned, government priorities and
changing circumstances to ensure meet (and continue to meet) public
expectations)?
• Few negative, more positive press reports on delivery?
• Achievement of business objectives (including intermediate targets, milestones,
review criteria etc)?
• Project success?
o Programmes and projects deliver as intended (eg good, effective IT systems;
intermediate measures eg traffic lights at ‘Gateway’ review – may include
managing ‘red’ to ‘green’; meeting intermediate targets for delivery of project
elements or stages etc)?
32 Risk Management assessment framework: a tool for departments
o Programmes and projects delivered to time and budget (eg Effective IT systems
by due date and cost,; meeting intermediate milestones for cost and time on
profile for project progress; etc)?
o Few significant failures consistent with risk appetite/tolerance?
• PSA target achievement (including interim measures, eg traffic light status,
milestones, trend analysis)?
• Few NAO reports citing failures of risk management?
• Few press reports commenting on failures that relate to failures of risk
management?
7.2 Meeting planned financial outcomes?
• Improved value for money?
• Delivery within budget (e.g. fewer calls on reserves arising from inadequate risk
management)?
• Effective control of fraud (eg evidence of less fraud or trend towards less fraud –
both fewer instances and reduced size of loss; may involve more fraud identified as
an initial phase of better control)?
• Effective cash management?
7.3 Effective management of risks to the public?
• Improved public understanding of risks and risk management (eg as assessed by
survey results; fewer demands for ‘zero’ risk; understanding of need for considered
and proportionate action in response to risk issues; fewer demands for ‘instant’
action to increase controls in response to accidents/incidents etc)?
• Increased public confidence that risks are well managed?
• Increased trust in Government/Department risk based decisions?
• Better achievement of targets for risks to the public?
• Improved responsibility by the public in risk matters (eg more willingness to act
proactively in response to risk issues; fewer demands for risk averse action by
government; more willingness to accept responsibility where public can control the
risk)?
• Greater satisfaction from the public with the way risks are handled (eg results of
surveys; few complaints, protests etc, more positive comments, support for actions
etc)?
7.4 Maintenance of high reputation for the organisation?
• Attract positive 3
rd
party comments (eg press)?
• Attract positive public comments (eg surveys, communications on departmental
issues, comments to the press etc)?
• Attract positive comment from staff, partners, stakeholders, professional and other
bodies of repute (eg stakeholder surveys, staff surveys, project/programme reviews,
publications in magazines etc)?
HM Treasury contacts
This document can be found in full on our
website at:
hm-treasury.gov.uk
If you require this information in another
language, format or have general enquiries
about HM Treasury and its work, contact:
Correspondence and Enquiry Unit
HM Treasury
1 Horse Guards Road
London
SW1A 2HQ
Tel: 020 7270 4558
Fax: 020 7270 4861
E-mail: [email protected]
9 7 8 1 8 4 5 3 2 6 2 5 8
ISBN 978-1-84532-625-8
doc_228062992.pdf
The Risk Management Assessment Framework (RMAF) is a tool for assessing the standard of risk management in an organisation. It is offered as an optional tool to help collect and assess evidence.
Risk Management assessment
framework:
a tool for departments
July 2009
July 2009
Risk Management assessment
framework:
a tool for departments
Of?cial versions of this document are printed on
100% recycled paper. When you have ?nished
with it please recycle it again.
If using an electronic version of the document, please
consider the environment and only print the pages which
you need and recycle them when you have ?nished.
© Crown copyright 2009
The text in this document (excluding the Royal Coat
of Arms and departmental logos) may be reproduced
free of charge in any format or medium providing that
it is reproduced accurately and not used in a misleading
context. The material must be acknowledged as Crown
copyright and the title of the document speci?ed.
Where we have identi?ed any third party copyright
material you will need to obtain permission from the
copyright holders concerned.
For any other use of this material please write to Of?ce
of Public Sector Information, Information Policy Team,
Kew, Richmond, Surrey TW9 4DU or e-mail:
[email protected]
ISBN 978-1-84532-625-8
PU829
100%
Risk Management assessment framework: a tool for departments 1
Contents
Page
Introduction 3
Summary 5
Risk Management assessment tool 7
Chapter 1 Leadership 9
Chapter 2 Risk strategy and policies 11
Chapter 3 People 15
Chapter 4 Partnerships 19
Chapter 5 Process 21
Chapter 6 Risk handling 27
Chapter 7 Outcomes 31
Risk Management assessment framework: a tool for departments 3
Introduction
The Risk Management Assessment Framework (RMAF) is a tool for assessing the standard of risk
management in an organisation. It is offered as an optional tool to help collect and assess
evidence. It will support the production of a Statement on Internal Control, and is consistent
with the criteria set out in Government Accounting (Chapter 21).
The Framework has its genesis in the EFQM excellence model but is simplified and targeted to
provide a flexible tool to assist in evaluating performance and progress in developing and
maintaining effective risk management capability and assessing the impact on delivering
effective risk handling and required/planned outcomes. It should also assist with identifying
areas of particularly good or poor performance and in establishing priorities for improvement
action.
It is intended that it can be used flexibly to replace or augment existing evaluation arrangements
as appropriate. The top-level framework and the seven key questions can be used with or
without the supporting question sets and/or the quantified ‘levels’ scale. The Framework can
also be used centrally or devolved for self-assessment by business units or used cooperatively
with partner organisations. Where business units deliver a discrete activity or where agencies,
NDPBs etc responsible for their own SIC are involved then self-assessment using the Framework
should be useful to all parties in evaluating risk management performance and areas for
improvement.
The question sets under each of the seven main questions are intended as indicative of the
range of issues and extent of evidence needed to come to a decision in respect of the key
questions. All the questions may not be relevant to all Departments and existing arrangements
in a Department (or agency, NDPB etc) may cover some or all the question areas.
The tool should enable any ‘gaps’ in existing evaluation arrangements to be identified and
provide a means to identify actions to rectify them. It will also assist in indicating the evidence
that will need to be provided by any alternative evaluation tool in order to effectively judge
performance and progress.
The performance levels scale provides a means of quantifying performance and should assist in
benchmarking performance, both in terms of type of activity (leadership, strategy, people etc)
and business units, divisions, projects etc within an organisation. This should help with planning
and priority setting for future work plans and in identifying and setting targets for improvement
and in monitoring progress towards those targets. It should also provide a basis for peer review
and/or benchmarking between organisations (bilaterally or multilaterally).
Risk Support Team
29 October 2004
Risk Management assessment framework: a tool for departments 5
Summary
1. Assessment Framework
The top-level framework is adapted from the EFQM Excellence Model but is simplified and
targeted to provide a flexible tool to assist in monitoring and evaluating performance in a
systematic and structured way. It can be used to identify areas of particularly good or poor
practice and in establishing priorities for improvement action.
At the most summarised level there are seven questions to address:
Capabilities
1 Leadership: do senior management and Ministers support and promote risk
management?
2 Are people equipped and supported to manage risk well?
3 Is there a clear risk strategy and risk policies?
4 Are there effective arrangements for managing risks with partners
5 Do the organisation’s processes incorporate effective risk management?
Risk Handling
6 Are risks handled well?
Outcomes
7 Does risk management contribute to achieving outcomes?
These seven ‘key’ questions at the top-level are each underpinned by a lower level, non-
exhaustive, set of questions which are intended as indicative of the range of issues and extent of
evidence needed to come to a decision in respect of the key questions and hence to help guide
evidence gathering.
2. Assessment Scale
The levels scale provides a means of quantifying performance and should assist in monitoring
existing performance, in identifying and setting targets for improvement and in judging progress
towards those targets. It should also be useful in establishing a basis for planning and priority
setting for future work plans and for peer review and/or benchmarking, both within and
between organisations (bilaterally or multilaterally).
The assessment scales have five levels to gauge progress in developing the necessary risk
management capabilities and to assess the effectiveness of Risk Handling and impact on
delivering successful Outcomes. In summary these levels are:
Capability (Leadership; Policy & Strategy; People; Partnerships & Resources; and
Processes):
1 Awareness and understanding
2 Implementation planned & in progress
3 Implemented in all key areas
4 Embedded and improving
6 Risk Management assessment framework: a tool for departments
5 Excellent capability established
Risk Handling and Outcome performance:
1 No evidence
2 Satisfactory
3 Good
4 Very good
5 Excellent
3. Using the Assessment Tool
This can be used either to give a broad/impressionistic overview, using just the summary
framework. Alternatively, by using the top-level questions informed by systematically collected
evidence (such as that indicated by the supporting indicative questions) it can give a more
detailed assessment. This would be suitable for monitoring and reviewing the effectiveness of
internal control processes and supporting a Statement on Internal Control (SIC). In this latter
respect it is consistent with the criteria set out in Government Accounting (Chapter 21). It can
also be used in reviewing and reporting on performance and progress in improving risk
management capability and assessing impact on improved risk handling and performance
outcomes. Used in this latter way it can also assist with identifying areas of particularly good or
poor performance and in establishing priorities for improvement action. The framework can also
be used as a tool to assist peer-review and benchmarking, both internally and between
organisations (bilaterally or multilaterally).
Risk Management assessment framework: a tool for departments 7
Risk Management assessment tool
Risk Management assessment framework: a tool for departments 9
1 Leadership
Do senior managers and Ministers promote risk management?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Top management
are aware of need
to manage
uncertainty & risk
and have made
resources available
to improve
Senior Managers &
Ministers take the
lead to ensure that
approaches for
addressing risk are
being developed
and implemented
Senior Managers
act as role models
to apply risk
management
consistently and
thoroughly across
the organisation
Senior
management are
proactive in driving
and maintaining
the embedding and
integration of risk
management; in
setting criteria and
arrangements for
risk management
and in providing
top down
commitment to
well managed risk
taking to support
and encourage
innovation and the
seizing of
opportunities.
Senior Managers
re-enforce and
sustain risk
capability,
organisational &
business resilience
and commitment
to excellence.
Leaders regarded as
exemplars.
Evidence
Are senior management and Ministers:
1.1 Taking key risk judgements and providing clear direction?
• Are they routinely in a position to be aware of the key risks and have systems in
place to ensure that this is up to date?
• Do they have a good understanding of the key risks facing the organisation and
their likely implications for service delivery to the public and the achievement of
programme outcomes?
• Are the risks that could result in key objectives or service delivery responsibilities not
being met identified and the likelihood of them maturing regularly assessed?
• Are key risks prioritised for action and mitigation actions identified and
monitored?
10 Risk Management assessment framework: a tool for departments
1.2 Setting the criteria/arrangements for the department’s appetite/tolerance for taking on risk?
• Are they setting the criteria for acceptable and/or unacceptable risk?
• Are they setting the criteria for reference for Board consideration?
• Are they establishing the criteria/arrangements for escalation of consideration of
risks at various levels in the department etc)?
(See also section 5.5.3)
1.3 Supporting innovation?
• Is well-managed risk taking encouraged to help seize opportunities and support
effective innovation?
• Is there support and reward for innovation and seizing opportunities to better
deliver the organisations aims and objectives?
• Is individual success rewarded and support given by management when things go
wrong despite risks being well managed, ie avoiding a blame culture?
1.4 Ensuring clear accountability for managing risk?
• Are appropriate staff members clearly assigned responsibilities for assessing,
reporting and managing identified risk and are these responsibilities regularly
reviewed?
• Do those responsible have the necessary authority and support to discharge their
responsibilities effectively?
• Do managers understand and take responsibility for the management of risk in their
area?
• Are matters actively reported through the management arrangements and to the
audit/risk committee or Board as appropriate?
1.5 Driving implementation of improvements in risk management?
• Are they proactive in supporting and encouraging effective risk management?
• Are they proactive in supporting and driving a culture embracing well-managed risk
taking?
• Are they proactive in supporting and driving the embedding of effective risk
management in the departments core activities (ie policy making, planning and
delivery)?
• Are they ensuring effective management of risks to the public?
• Are they ensuring effective communication about risks and risk issues?
• Are they ensuring that managers and staff are equipped with necessary skills,
guidance and other tools?
Further guidance on risk management is available from our website, which can be found at:http://www.hm-treasury.gov.uk/psr_governancerisk_index.htm
Risk Management assessment framework: a tool for departments 11
2 Risk strategy and policies
Is there a clear risk strategy and risk policies?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
The need for a risk
strategy and related
policies has been
identified and
accepted
A risk management
strategy & policies
have been drawn
up and
communicated and
are being acted
upon
Risk strategy &
policies are
communicated
effectively and
made to work
through a
framework of
processes
An effective risk
strategy and
policies are an
inherent feature of
department policies
and processes
Risk management
aspects of strategy
and policymaking
help to drive the
risk agenda and are
reviewed and
improved.
Role model status
Evidence
Is there a clear:
2.1 Risk Management Strategy?
(The Risk Management Strategy may be a contained in a separate document but this is not
essential and as embedding progresses more of the information would be expected to be part of
the organisations general policies and processes)
• Is there a risk management strategy which:
o Is endorsed by the Head of the organisation/ Board / Audit Committee / Risk
Committee?
o Sets out the organisation’s attitudes to risk?
o Defines the structures for the management and ownership of risk and for the
management of situations in which control failure leads to material realisation of
risks?
o Specifies the way in which risk issues are to be considered at each level of
business planning and delivery ranging from the corporate process to operational
action and the setting of individual staff’s objectives?
o Includes risk as an opportunity (if it can be managed effectively) as well as a
threat?
o Allows for peer review and the benchmarking of risks where appropriate?
12 Risk Management assessment framework: a tool for departments
o Specifies how new activities will be assessed for risk and incorporated into risk
management structures?
o Ensures common understanding of terminology used in relation to risk issues?
o Defines the structures for monitoring, review and gaining assurance about the
management of risk?
o Defines the criteria that will inform assessment of risk and the definition of
specific risks as “key”?
o Defines the way in which the risk register(s) and risk evaluation criteria will be
regularly reviewed?
• Is it easily available to all staff and reviewed at least annually to ensure it remains
appropriate and current?
• Does if allow for balancing the portfolio of risk?
• Does it support effective innovation and encourage well-managed risk taking to
generate improved delivery of aims and objectives?
• Does it encourage and promote the integration of risk management into
established procedures and arrangements for departmental business, ie policy
making, planning (eg business plans, delivery plans, spending plans etc), delivery
etc and does this include effective management of risks to the public (information
on ‘Principles of Managing Risks to the Public’ can be found at:http://www.hm-
treasury.gov.uk/managing_risks_public.htm
• Does it include effective communication about risk with staff and all stakeholders,
inside and outside the organisation and including management of risks to the
public? (A tool-kit on risk communications providing more detailed guidance can be
found on:http://www.ukresilience.info/risk/index.htm)
2.2 Risk Management Policy?
(The Risk Management Policy may be a contained in a separate document but this is not
essential and as embedding progresses more of the information would be expected to be part of
the organisations general policies and processes)
• Does a formal risk policy (policies) exist and is this documented, endorsed by the
head of the organisation, clearly communicated, readily available to all staff and
subject to regular review?
• Were views from in-house stakeholders (eg employees, internal experts, auditors
etc) taken into account?
• Is the risk management policy (policies) integrated with established policies for
departmental business activities (ie policy, planning, delivery etc)
• Are there clear statements that set out a proactive approach to innovation, and are
staff encouraged to read them?
• Is there an explicit policy to encourage well-managed risk taking where it has good
potential to realise sustainable improvements in service delivery and value for
money, and is this policy actively communicated to all staff?
• Is a common definition of risks and how they should be managed, clearly
communicated and adopted by all staff throughout the organisation with detailed
guidance for staff drawing up or implementing programmes, policies, plans etc?
Risk Management assessment framework: a tool for departments 13
• Is there a policy on balancing the portfolio of risk within the overall risk
appetite/tolerance and does this include seizing opportunities as well as dealing
with threats?
Risk Management assessment framework: a tool for departments 15
3 People
Are people equipped and supported to manage risk well?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Key people are
aware of the need
to assess and
manage risks and
they understand
risk concepts and
principles
Suitable guidance is
available and a
training
programme has
been implemented
to develop risk
capability
A core group of
people have the
skills & knowledge
to manage risk
effectively
People are
encouraged and
supported to be
innovative and are
generally
empowered to take
well-managed risks.
Most people have
relevant skills &
knowledge to
manage risks
effectively and
Regular training etc
is available for
people to enhance
their risk skills and
fill any ‘gaps’
All staff are
empowered to be
responsible for risk
management and
see it as an
inherent part of the
Departments
business. They have
a good record of
innovation and well
managed risk
taking
Evidence
Are people equipped and supported by:
3.1 The Culture of the organisation?
• Is there a general culture of risk management at all levels?
• Do managers and staff feel able to raise risk related issues?
• Do staff have clear reporting chains and mechanisms to raise risk issues?
• Do managers and staff feel able to raise risk issues even where this may be seen as
‘bad news’?
• Are they encouraged and empowered to identify and take opportunities that will
better deliver aims and objectives?
• Are they confident that their concerns/ideas will be heard and acted on?
16 Risk Management assessment framework: a tool for departments
• Do staff feel empowered to take well-managed risks?
• Are staff rewarded for taking well-managed risks?
• Are staff confident that they will not be blamed for failure when risks have been
well managed?
• Are staff encouraged to challenge practices, to identify new ways of doing things
and to be innovative?
• Do the monitoring and reporting systems generate an expectation that action will
be taken on issues raised?
• Is risk management encouraged as part of the established way of planning and
delivering the departments business?
• Is risk management performance embedded in recruitment and performance
appraisal?
• Is risk management incorporated into quality measures, eg Investors in people?
3.2 Arrangements for allocation of Responsibility?
• Do staff have properly delegated clear and appropriate responsibility for managing
risks and seizing opportunities?
• Is this reflected in their personal objectives and annual assessment?
• Are they clear when matters should be referred elsewhere (eg line management,
audit committee, risk committee, board etc) for consideration?
3.3 Arrangements to ensure staff Awareness?
• Are staff aware of the importance of handling risks well, of being innovative and
identifying and seizing opportunities to improve outcome performance?
• Are staff aware of the risk management strategy and policy(ies)?
• Are they aware of the key objectives, priorities and main risks facing the
organisation as a whole?
• Are staff aware of the key objectives, priorities and main risks facing their part of
the organisation?
3.4 Provisions to ensure appropriate risk management knowledge, experience and skills?
• Are staff adequately trained and experienced in risk management relative to the
needs of the organisation and the particular job being done?
• Do staff receive appropriate guidance and training on the typical risks that the
organisation faces in relation to their role/job, and the action to take in managing
these risks?
• Do staff use guidance effectively?
• Do they have good access to advice and expertise?
• Does the personal performance review include assessment of relevant risk
management skills and establish development objectives to fill any gaps?
Risk Management assessment framework: a tool for departments 17
• Are arrangements in place to ensure new staff receive early assessment of their
development needs and appropriate guidance, training etc to rapidly address these
needs.
• Does skills transfer place take place when consultants or risk management
professionals work within local teams?
Risk Management assessment framework: a tool for departments 19
4 Partnerships
Are there effective arrangements for managing risk with partners?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Key people are
aware of areas of
potential risk with
partnerships and
understand the
need to agree
approaches to
manage these risks
Approaches for
addressing risk with
partners are being
developed and
implemented
Risk with partners is
managed
consistently for key
areas and across
organisational
boundaries
Sound risk
management
arrangements have
been established.
The most suitable:
partnership
arrangement (PFI,
‘arms length’ etc);
partners; suppliers
etc are selected in
full knowledge of
the risks, risk
management
capability &
compatibility
Excellent
arrangements in
place to identify
and manage risks
with all partners
and to monitor and
improve
performance.
Organisation
regarded as a role
model
Evidence
Are there appropriate mechanisms for:
4.1 Identifying, assessing and managing risk in Partnerships:
• Are the risks associated with working with other organisations assessed and
managed?
o Are there arrangements to ensure a common understanding of the risks and how
they can be managed (eg a joint/shared risk register, sharing of risk register
information, agreed risk assessments etc)?
o Are there arrangements for agreed standards for assessing risks?
o Has the risk terminology/language been agreed?
o Is there clarity about who is carrying which risks and what the requirements are
for providing information?
o Are those responsible for managing the risks empowered to do so?
20 Risk Management assessment framework: a tool for departments
• Are arrangements scaled to match the risks, size/importance of the project etc?
• Are all those organisations, which are likely to have some influence over the success
of a programme or service to the public identified (e.g. through landscape reviews)?
• Are there arrangements to ensure, where possible, selection of the most
appropriate partnership approach (eg ‘arms length', partnering, PFI etc)?
• Is consideration being given to the need for a consistent and common approach to
managing risks that cut across organisation boundaries, for example cross-
departmental projects?
• Do organisations understand and have confidence in the risk management
arrangements of all those involved in the joint working or who could influence the
success of the programme?
• Are there incentives for partners to manage risks effectively (ie is the risk reward
balance right for each partner)?
• Is there clear responsibility and accountability for risks where delivery of results is
through partners, eg some risks (eg reputational) may remain even though
responsibility for delivery is with a partner?
4.2 Monitoring and reviewing performance?
• Is there reliable and regular information (eg Key issues, risks to be monitored, scale
of risks, how they will be managed) to monitor the risk management performance
of all those organisations involved?
• Is it clear who will provide what monitoring information and are rights of access
sufficient to obtain the necessary information?
• Are there arrangements for joint review of risks and how differences of judgement
and/or perception will be resolved?
4.3 Provision and testing of contingency arrangements?
• Are there adequate contingency arrangements (including prioritisation of mitigation
action) to minimise the adverse effects on public service delivery of one or more
party failing to deliver?
• Have the contingency arrangements been tested?
4.4 Identifying and addressing the implications of risk transfer?
• Has the extent to which risks can be transferred to organisations – both public and
private – best placed to manage them been considered and acted upon?
• Are staff encouraged to take responsibility for risks when they are best placed to do
so rather than transferring them to other organisations?
• Where risks are transferred to a partner organization are accountabilities clearly
established and capacity maintained to manage and monitor performance and take
early action in the event of difficulty?
(See also guidance - Managing Risks with Delivery Partners at:http://www.hm-
treasury.gov.uk/managing_risk_delivery_partners.htm )
Risk Management assessment framework: a tool for departments 21
5 Processes
Do the organisation’s processes incorporate effective risk
management?
Summary of progress
Level 1:
Awareness &
understanding
Level 2:
Implementation
planned & in
progress
Level 3:
Implementation
in all key areas
Level 4:
Embedding and
improving
Level 5:
Excellent
capability
established
Some stand-alone
risk processes have
been identified
Recommended risk
management
processes are being
developed
Risk management
processes
implemented in key
areas. Risk
capability self
assessment tools
used in some areas
Risk management is
an integral part of
the organisation’s
core processes
(policy, planning,
delivery etc) and
data are collected
to monitor and
improve risk
management
performance
Management of
risk & uncertainty is
an integrated part
of all business
processes. Best
practice approaches
are used and
developed.
Selected as a
benchmark site by
other organisations
Evidence
5.1 Is Risk Management being fully embedded in the organisation’s business processes?
• Is risk management embedded in key processes, eg:
o Policymaking (see also guidance and tool ‘Early Management of Risks to Delivery’
at:http://www.hm-treasury.gov.uk/early_management_of_risks.htm
o Project and programme management?
o Operational management?
o Performance management?
o Business planning?
o Delivery planning?
o Spending Review?
• Are there well-established approaches for (i) identifying risk and (ii) assessing and
reporting risks that are effectively communicated, followed and fully understood by
relevant staff?
22 Risk Management assessment framework: a tool for departments
• Is risk management ongoing and integrated with other procedures so that staff
accept it as a standard requirement of good management and not a one-off or
annual activity?
• Are arrangements in place to ensure risks to the public are well managed,
including:
o Ensuring openness and transparency;
o Promoting wide involvement and engagement;
o Taking steps to promote proportionate and consistent action;
o Ensure clarity in the validity and use of all relevant evidence;
o Ensure those best placed to manage the risk are given the responsibility for so
doing? (ie implementation of the ‘principles of managing risks to the public’ –http://www.hm-treasury.gov.uk/managing_risks_public.htm)
• Are arrangements in place to ensure sufficiently early and effective communication
on risks and risk issues with staff, internal and external stakeholders, including
members of the public etc (eg application of cabinet office guidance to be found
at:http://www.ukresilience.info/risk/index.htm)?
5.2 Do the processes support innovation and the identification and seizing of opportunities?
• Are arrangements in place to identify opportunities that might be available if risks
are well managed, (eg reduced need for elaborate systems of oversight and control
of service delivery and hence greater cost effectiveness and efficiency)?
• When practicable is a monetary or other numerical value put on risk to emphasise
to staff the potential loss or missed opportunity which could occur if risks are not
well managed?
5.3 Do the procedures ensure risk management arrangements are effective and reflect good
practice?
• Are arrangements in place, such as reviews by internal audit, consideration by audit
and/or risk committee, involvement of non-executive Director(s), peer review,
benchmarking with other organisations etc, to ensure that risk management
approaches are effective, efficient and reflect good practice?
• Are the arrangements for monitoring and review subject to review to ensure they
remain appropriate, proportionate and cost-effective?
• Has management sought advice from internal and external audit on good practice
in the development, implementation and maintenance of robust risk management
processes and systems?
• Has professional advice been taken to ensure that the most appropriate tools and
techniques are used to assess risk and the likelihood of it maturing?
• Are both internal and external experiences used to inform risk management
processes and procedures?
5.4 Do the processes ensure appropriate resilience?
• Does the organisation have a well-developed business/service continuity plan?
• Does the organisation have an IT recovery plan?
Risk Management assessment framework: a tool for departments 23
• Is the action (ie contingency plans, business continuity plans) planned to deal with
consequences of risks maturing (such as the impact on the delivery of services to
the public) regularly reviewed (tested as appropriate) to ensure that it remains
appropriate, sufficient and cost effective?
5.5 Do the Risk Management Processes contain:
5.5.1 Context for risk management?
• Is the context in which risk is managed identified by considering the issues of:
o Stakeholders, including:
Ministerial interests?
Public interests?
Service user interests?
Wider societal interests (eg environment)?
o Risk aspects of relationships inside and outside of government (including key
suppliers of goods and services), including:
Ways in which the behaviour of “partners” affects the organisation?
Ways in which the behaviour of the organisation affects the “partners”?
The risk priorities of “partners”?
(See also Section 4. Partners)
5.5.2 Risk identification and evaluation?
• Is there documentation which:
o Records identified risks and opportunities in a structured way to:
record dependencies between risks?
record linkages between lower level risks and higher-level risks?
identify key risks?
facilitate assignment of ownership at a level that has authority to assign
resources to the management of the relevant risk?
o Evaluates risks using defined criteria that are applied consistently?
o Provides evaluation of inherent risk (before any control implemented) and
residual risk (risk remaining after planned controls are implemented)?
o Evaluates risk-taking account of both:
the likelihood of the realisation of the risk, and
the impact of the realisation of the risk?
o Identifies assigned ownership of the risk?
o Records, in as far as it can be defined:
the acceptable level of exposure in relation to each risk?
24 Risk Management assessment framework: a tool for departments
why it is considered that the defined acceptable level of exposure can be
justified?
• In assessing risks are the potential implications for key stakeholders – citizens as
both taxpayers and consumers of government services and specific client groups
such as business – taken account of?
• Is a risk assessment carried out before commencing major projects and reviewed at
intervals to determine its continued validity and identify any new and emerging
risks?
• Is use made of feedback from the public (eg citizens’ forum) to identify the public’s
perception and attitude to risk(s) and to help with identification of any unforeseen
risks?
• Are early warning indicators in place – covering for example, quality of service or
seasonal increase in customer demand not being met – to alert senior management
of potential problems in service delivery or that the risk of planned outcomes not
being met is increasing?
• Is horizon scanning used to spot emerging threats and opportunities?
5.5.3 Criteria for evaluation of risk?
• Do specific criteria for evaluating risk encompass a range of factors, including:
o Financial / value-for-money issues?
o Service delivery / quality of service issues?
o Public concern/public trust /confidence issues?
o Degree and nature of risks to the public?
o Reversibility or otherwise of realisation of the risk?
o The quality or reliability of evidence surrounding the risk?
o The impact of the risk on the organisation (including its reputation) /
stakeholders (including the public) / partners / others?
o Defensibility of realisation of the risk?
• Are these criteria applied consistently and methodically across the whole range of
risks?
5.5.4 Risk control mechanisms?
• Are controls in place in relation to each risk which are:
o Based on active consideration of the options for controlling that risk to an
acceptable level of residual exposure?
o Promulgated to all those who need to know about the controls?
o Regularly reviewed to consider whether they continue to be effective?
o The best value for money response to the risk?
o Documented by the relevant managers?
Risk Management assessment framework: a tool for departments 25
• In respect of key risks, including those which lie outside the control of the
organisation, are plans developed and documented contingent against the risk
being materially realised despite the controls that are in place (ie to address the
residual risk after control action)?
• Are there adequate Business Continuity arrangements?
• Are reliable contingency arrangements in place so that if problems arise services to
the public will be maintained and the adverse impact on key programme outcomes
such as late delivery or reduced quality will be minimised?
5.5.5 Arrangements for appropriate Communications?
(See also cabinet office guidance to be found at:http://www.ukresilience.info/risk/index.htm)
• Are there adequate means of communicating with staff about risk issues?
• Is there adequate communication with external stakeholders?
• Are the principles of communicating on risk to public being implemented fully?
• Are trusted sources used to communicate on risk to the public? (e.g. best use of
arms-length bodies?)
• Is there a reliable communications strategy in place so that if risks mature those
most affected by the potential adverse consequences fully understand and have
confidence in the remedial action that the organisation may need to take?
• Are communication issues considered at a sufficiently early stage to ensure
implications can fully inform policy, programme etc development and
implementation?
• Are there effective arrangements to meet the requirements of the Freedom of
Information (FOI) Act?
5.5.6 Review and assurance mechanisms?
• Are review and assurance mechanisms in place to ensure that each level of
management, including the Board, regularly reviews the risks and controls for
which it is responsible?
o Are these reviews monitored by / reported to the next level of management?
o Is any need to change priorities or controls clearly recorded and either actioned
or reported to those with authority to take action?
• Are risk identification, assessment and control lessons that can be learned from
both successes and failures identified and promulgated to those who can gain from
them?
• Is an appropriate level of independent assurance provided on the whole process of
risk identification, evaluation and control?
o Is the methodology for gaining independent assurance defined with particular
reference to the role of internal audit and the audit committee (or assurance, risk
committee etc), and to the role of non- executive directors and any other review
bodies working within the organisation?
• Has any system of peer review and/or benchmarking been used to provide
independent assurance of the approach used and the results
Risk Management assessment framework: a tool for departments 27
6 Risk handling
Are risks handled well?
Summary of progress
Level 1:
No evidence
Level 2:
Satisfactory
Level 3:
Good
Level 4:
Very Good
Level 5:
Excellent
No clear evidence
that risk
management is
being effective
Limited evidence
that risk
management is
being effective in at
least most relevant
areas
Clear evidence that
risk management is
being effective in
all relevant areas
Clear evidence that
risks are being
handled very
effectively in all
areas
Very clear evidence
of excellent risk
handling in all
areas and that
improvement is
being pursued
Evidence
Has risk management action contributed to:
6.1 Effective anticipation and management of strategic risks?
• Reduction in levels of threat?
• Higher risk ‘opportunities’ being identified and successfully pursued?
• Successful anticipation of shocks or other risk events?
• Reduced adverse impact of unexpected/low likelihood events?
• Crises being avoided/mitigated (eg analysis of near misses, avoiding issues
escalating into crises)?
• Successful application of contingency or business continuity plans?
• Contingency and business continuity plans being drawn up and successfully tested?
6.2 Effective decision and policymaking?
• A robust evidence base for decisions?
• Proactive procedures and approaches to maximise identification of opportunities in
line with the organisations risk appetite/tolerance?
• Stakeholder involvement and understanding of stakeholder issues and perceptions?
• Allowance for delivery issues in policy development?
• Proactive promotion of Innovation occurring knowing that risks can be managed
effectively?
28 Risk Management assessment framework: a tool for departments
• Allocation of resources (including skills/capabilities) and prioritisation in line with
aims and objectives?
• Assessment of resources allows time/resources for staff to learn any new working
methods
• High quality risk assessments and risk management proposals in Delivery plans,
policy formulation, business plans etc?
• Evaluation of intended and unintended outcomes occurring?
• Few significant and unanticipated weaknesses arising?
• Few policy failures (e.g. few legal challenges) consistent with the risk
appetite/tolerance?
• Good identification and management of reputational risks?
• Few issues resulting in reputational damage?
• High level of customer/stakeholder satisfaction?
6.3 Effective handling of cross cutting issues?
• Good coordination, understanding and management of risks with delivery
partners?
• Clear and effective coordination of policies and actions between Departments?
• Few surprises from other government Departments’ policies & activities?
6.4 Effective review and assurance?
• Regular and effective use of independent assurance of quality and effectiveness of
risk management?
o Internally (eg internal audit, Audit/Assurance/Risk committee, Non-Executive
Directors)
o Externally (eg interdepartmental exchanges, external experts etc)
• Clear accountability for key risk management decisions?
• Identification of indicators of effective risk management that are capable of
measurement and monitoring over time?
• and which can demonstrate contribution to
6.5 Effective planning and target setting?
• Objectives and targets that are relevant and stretching but achievable and capable
of monitoring and validation (eg are they SMARTer)?
• Clear setting of risk appetite/tolerance?
• Decisions are not taken in ignorance of the risk?
• Clear understanding & consideration of the overall level of risk taken on and the
approach being taken to manage it?
• High level of understanding of the capability to manage this level of risk?
Risk Management assessment framework: a tool for departments 29
• High quality of risk identification and proposals for risk management in business
and delivery plans?
6.6 Effective management of risk to the public?
• High level of openness and transparency in respect of risks to the public?
• High level of success in engagement with the public, media and representational
organisations on risk decisions?
• Clear explanation of risks and presentation of robust, validated evidence for
decisions wherever possible (eg unless there are issues such as confidentiality or
security)?
• Proportionality in decisions on risk management (ie take account of nature and level
of risks, costs, benefits and also aspects such as public/societal concerns)?
• Consistency in decision-making?
• Effective communication on risk with the public (greater public understanding of
risk)?
• Effective implementation of provisions of the Freedom of Information Act?
6.7 Effective risk allocation?
• Allocation of risk to those best able to handle it? (e.g. public, partner organisations,
staff within the organisation)?
• Consideration of the potential impact on the total portfolio of risks before a new
initiative, project etc is taken on?
6.8 Effective management of risks to delivery?
• Assessment and control of risks inherent and evident in day-to-day actions of staff?
• Learned lessons from elsewhere in department/outside department, notably for new
or untried aspects?
• Assessment of cost-effectiveness of potential new services, including improved
value for money?
• Flexibility and resilience to the way services are delivered (eg adapt to changes in
public expectations; regular appraisals of delivery mechanisms, careful planning and
effective continuity arrangements)?
6.9 Encouraging greater efficiency?
• Assessment of departmental procedures and processes against well managed risk
taking and the departments risk appetite/tolerability criteria to ensure they are fit
for purpose and cost effective (eg potential for improved service delivery, value for
money)?
Risk Management assessment framework: a tool for departments 31
7 Outcomes
Does risk management contribute to achieving outcomes?
Summary of progress
Level 1:
No evidence
Level 2:
Satisfactory
Level 3:
Good
Level 4:
Very Good
Level 5:
Excellent
No clear evidence
of improved
outcomes
Limited evidence of
improved outcome
performance
consistent with
improved risk
management
Clear evidence of
significant
improvements in
outcome
performance
demonstrated by
measures including,
where relevant,
stakeholders’
perceptions
Clear evidence of
very significantly
improved delivery
of outcomes and
showing positive
and sustained
improvement
Excellent evidence
of markedly
improved delivery
of outcomes which
compares
favourably with
other organisations
employing best
practice
Evidence
Has risk management action contributed to:
7.1 Successful delivery?
• Better public services (delivery to meet commitments eg to quality, coverage,
timeliness, with few errors etc; potential disruptions to delivery anticipated and
avoided/addressed/mitigated etc)?
• Sustained improvements in services (continuing improvement over time taking
account of stakeholder and public views, lessons learned, government priorities and
changing circumstances to ensure meet (and continue to meet) public
expectations)?
• Few negative, more positive press reports on delivery?
• Achievement of business objectives (including intermediate targets, milestones,
review criteria etc)?
• Project success?
o Programmes and projects deliver as intended (eg good, effective IT systems;
intermediate measures eg traffic lights at ‘Gateway’ review – may include
managing ‘red’ to ‘green’; meeting intermediate targets for delivery of project
elements or stages etc)?
32 Risk Management assessment framework: a tool for departments
o Programmes and projects delivered to time and budget (eg Effective IT systems
by due date and cost,; meeting intermediate milestones for cost and time on
profile for project progress; etc)?
o Few significant failures consistent with risk appetite/tolerance?
• PSA target achievement (including interim measures, eg traffic light status,
milestones, trend analysis)?
• Few NAO reports citing failures of risk management?
• Few press reports commenting on failures that relate to failures of risk
management?
7.2 Meeting planned financial outcomes?
• Improved value for money?
• Delivery within budget (e.g. fewer calls on reserves arising from inadequate risk
management)?
• Effective control of fraud (eg evidence of less fraud or trend towards less fraud –
both fewer instances and reduced size of loss; may involve more fraud identified as
an initial phase of better control)?
• Effective cash management?
7.3 Effective management of risks to the public?
• Improved public understanding of risks and risk management (eg as assessed by
survey results; fewer demands for ‘zero’ risk; understanding of need for considered
and proportionate action in response to risk issues; fewer demands for ‘instant’
action to increase controls in response to accidents/incidents etc)?
• Increased public confidence that risks are well managed?
• Increased trust in Government/Department risk based decisions?
• Better achievement of targets for risks to the public?
• Improved responsibility by the public in risk matters (eg more willingness to act
proactively in response to risk issues; fewer demands for risk averse action by
government; more willingness to accept responsibility where public can control the
risk)?
• Greater satisfaction from the public with the way risks are handled (eg results of
surveys; few complaints, protests etc, more positive comments, support for actions
etc)?
7.4 Maintenance of high reputation for the organisation?
• Attract positive 3
rd
party comments (eg press)?
• Attract positive public comments (eg surveys, communications on departmental
issues, comments to the press etc)?
• Attract positive comment from staff, partners, stakeholders, professional and other
bodies of repute (eg stakeholder surveys, staff surveys, project/programme reviews,
publications in magazines etc)?
HM Treasury contacts
This document can be found in full on our
website at:
hm-treasury.gov.uk
If you require this information in another
language, format or have general enquiries
about HM Treasury and its work, contact:
Correspondence and Enquiry Unit
HM Treasury
1 Horse Guards Road
London
SW1A 2HQ
Tel: 020 7270 4558
Fax: 020 7270 4861
E-mail: [email protected]
9 7 8 1 8 4 5 3 2 6 2 5 8
ISBN 978-1-84532-625-8
doc_228062992.pdf