Ofcom Risk Management Policy

About this policy

The principal objectives of Ofcom’s risk management policy are:

• To explain the principles of Risk Management at Ofcom;

• To promote a risk aware culture where accepting risk that falls within Ofcom’s risk appetite is encouraged; and

• To embed risk management within Ofcom’s other business processes as the basis for a robust corporate governance framework to drive best practice and ensure consistency and transparency across Ofcom.

Policy document

Version number: V1

Publication date: December 2019

Next revision date: November 2020


1. Scope & Purpose

1.1 Ofcom recognises that the need to effectively manage its risks underpins the successful delivery of its objectives.

1.2 This document outlines the principles for managing risk within Ofcom and defines the roles and responsibilities for colleagues.

1.3 Management of risk is an important part of Ofcom’s internal control framework and encompasses both strategic and operational risks. The principles of this policy also apply to project risk.

The purpose of Ofcom’s Risk Management Policy is to:

• Identify risks/opportunities to the achievement of Ofcom’s policies, aims and objectives;

• Evaluate (or assess) the likelihood of those risks occurring and their impact, should they occur;

• Embed a risk aware culture into Ofcom’s wider set of business processes and into the day to day activities of colleagues;

• Ensure adherence to the Risk Appetite Statements (RAS); and

• Help define the roles and responsibilities of all Ofcom colleagues.

1.4 All organisations face uncertainty. Uncertainty presents both risk and opportunity. Effective risk management increases the probability of success and reduces both the probability of failure and the uncertainty of achieving objectives. It provides a rigorous and robust framework enabling Ofcom to focus on what it needs to measure, monitor and manage if it is to deliver its core objectives as defined in the Annual Plan. In summary, the successful implementation of a robust risk management process is vital to achieving Ofcom’s objectives.

2. Policy Statement

Ofcom’s risk management policy will:

• support the achievement of Ofcom’s policies, aims and objectives by informing decision making;

• explain the principles of risk management at Ofcom;

• promote a risk aware culture where accepting risk that falls within Ofcom’s risk appetite is encouraged; and

• embed risk management within Ofcom’s other business processes as the basis for a robust corporate governance framework to drive best practice and ensure consistency and transparency across Ofcom.

3. Roles & Responsibilities

3.1 All Colleagues

Every colleague should:

• Comply with this policy and seek competent advice when needed;

• Understand their part in relevant risk management discussions;

• Co-operate with a programme of training as appropriate to their role; and

• Ensure that they take part in team risk discussions regularly, to inform their Group risk registers.

3.2 The Board

• The Board has overall responsibility for monitoring the effectiveness of Ofcom’s system of internal controls, which is delegated to the Risk & Audit Committee.

• The Board is responsible for defining the organisation’s risk appetite, which is formally reviewed once a year.

• The Board approves the Risk Management Policy after review by the Risk & Audit Committee.

• Following the quarterly Risk & Audit Committee meeting, a paper is produced for the Board showing the strategic risk register, and the Chair of the Risk & Audit Committee gives an oral update.

3.3 Risk & Audit Committee

• The Risk & Audit Committee advises the Board on the adequacy of Ofcom’s risk management policies and procedures and the extent to which they are applied and reviews the reliability and integrity of assurances.

• It does this through assurance statements from Policy and Management Board members and from regular reports provided to the Risk & Audit Committee on risks relating to litigation, finance, security, fraud and key projects, quarterly reviews provided by the Head of Risk Management, and internal and external audits.

3.4 Policy and Management Board members

• Members of the Policy and Management Board (PMB) are responsible for managing the risks in their areas and work with their teams to ensure that all Ofcom colleagues can identify and highlight risks attached to their areas of activity and take appropriate action to manage such risks.

• All requests for risk closures are submitted to the PMB with an appropriate rationale to ‘retire’ the risk. Once the PMB has approved the closure, the Head of Risk Management marks the risk ‘closed’ on the risk register, and it is removed.

• Additionally, Group Directors, as the owners of Group-level risks, provide reasonable assurance to the Chief Executive on the overall effectiveness of the internal control system in the areas for which they are responsible.

3.5 Head of Risk Management (HRM)

• The HRM is responsible for overseeing Ofcom’s risk management framework and the associated plan for continuous improvement. The HRM reports quarterly to the Risk & Audit Committee as a permanent member. Additionally, the HRM is responsible for ensuring that this policy and procedure document reflects best practice and continues to meet Ofcom’s requirements.

• The HRM sits within the Finance Team and reports to the Finance Director. Additionally, the HRM is required to report to the Policy & Management Board and the Risk & Audit Committee on risk issues quarterly. If an issue were to arise that the HRM felt unable to raise through the formal reporting line, it should be raised directly with the Risk & Audit Committee Chair.

• Supporting the HRM is the Finance Business Partner and the Reporting Analyst for each Group. Additional support is provided by each Business Risk Champion, detailed in the Roles & Responsibilities section below.

• The Risk Register is updated quarterly and reported to the PMB and to the Risk & Audit Committee.

3.6 Steering Groups

• Steering Groups help project teams to determine the approach to risk that is appropriate for a project to take.

3.7 Group Directors & Managers

the more project specific knowledge of the project manager allows risk management to be both well-informed and consistent.

• Project managers play a key role in the successful management of risk through their input to project risk records, their regular update of this information and taking actions with their teams to manage risk.

3.8 Risk Champions

• The Risk Champion (RC) is a nominated person from the Group who champions risk management within that Group by helping to (a) explain the risk management policy, and (b) guide the team to articulate the management of the risks faced within the Group.

• The risk champion role is not a ‘full-time’ position, rather one that is performed alongside a colleague’s existing set of responsibilities. The role allows the RC to look across the wider group activities and understand the risk and opportunities that need to be evaluated in order to maximise delivery of outcomes.

• The RC is a senior member of the team who understands Ofcom’s governance framework (i.e. the Committees involved) and the nature of reporting and the timelines which need to be met on a regular basis. The role supports Ofcom to deliver successful outcomes in managing risks through delivering and developing the risk management policy and risk appetite statements to ensure these are appropriately reported, communicated and managed across the business.

• Training and development to support colleagues in this role will be provided.

3.9 Roles & Responsibility Summary

3.9.1 Ofcom works with a ‘Top Down, Bottom Up’ approach to Risk Management. Figure 1 below shows the detail. Ofcom’s Risk & Audit Committee provides assurance to the Board that risk management is carried out appropriately through the business by analysing the Strategic Risk Register on a quarterly basis. PMB first reviews this register to ensure the senior management team are content with the risks shown and scores allocated.

3.9.2 From the bottom up level, Ofcom’s risk champions input their group’s risks, with the assistance of each Group’s directors, the risks again being verified in management team meetings. These risks are sent to the Head of Risk Management to put into the risk register, and presented to PMB and R&AC.

Figure 1: Top Down, Bottom Up approach to Risk Management

[Figure annotations: “of the Board, the Risk & Audit Committee, and the Policy Management Board, these strategic risk areas may change.” and “The Head of Risk Management is responsible for overseeing Ofcom’s Risk Management Framework”.]

3.9.3 At the bottom of the pyramid, all colleagues (as noted in Section 3.1) have responsibilities within the Risk Management Framework. The risk champions, project managers and team directors focus on identifying specific risks, by group or project, which creates the Group Risk Register; when these risks are escalated to the strategic areas, they ultimately form the strategic risk register.

4. Training

4.1 Senior management is responsible for ensuring that colleagues have the appropriate skill levels to identify, evaluate and manage the potential for risk/opportunity to arise. In support of the senior managers’ role in championing the risk process, the Head of Risk Management works across all areas of the organisation to promote and integrate the risk management process and to support and educate others.

4.2 During 2019 a new risk management e-learning course has been designed, and Operations Board has approved that the training is to be mandated to all members of the Senior Management Specialists (SMS) and all risk champions.

[Figure 1 pyramid, top down: Board; Risk & Audit Committee; PMB; Group Directors/Directors, Risk Champions/Project Managers; All Colleagues.]


5. Governance

5.1 The Head of Risk Management is responsible for ensuring that the risk management policy and process continually reflects Ofcom’s operational requirements, any appropriate legislative guidelines and best practice.


6. Risk Management Process

6.1 Definitions

6.1.1 There are many definitions of risk. The one used for the purposes of this policy is that risk is defined as “The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and probability.”

6.1.2 At Ofcom, risk is expressed at two levels:

(a) Strategic – a risk that a. has a direct impact on Ofcom’s strategic direction, or b. affects two or more functional areas of Ofcom; and

(b) Group – an operational risk that has been identified by any Group within Ofcom, but only affects one functional area.

6.1.3 All strategic risks are assessed through a filter of Ofcom’s five Strategic Risk Areas. These areas currently are:

(a) Ofcom’s reputation;

(b) Broadband and Mobile Coverage;

(c) Fairness for Customers;

(d) Major programmes; and

(e) People.

6.1.4 These strategic risk areas may change over time, depending on the stability/instability of the external environment, with the input and agreement of the Ofcom Board, Risk & Audit Committee and the Policy Management Board. They may increase in number, or decrease, and the risk management policy is flexible to reflect the possibility that this may happen.

6.1.5 On an annual basis, the Strategy team will present a five-year horizon scan to the Risk & Audit Committee, including a presentation on the likely risks to be faced by Ofcom, and how they are managed.

6.2 Risk Registers – Strategic & Group

the Ofcom register is a dynamic document and therefore should not contain an excessive number of risks if this is avoidable.

6.2.2 The Strategic Risk Register will be maintained by the Head of Risk Management. This reports on the high-level risks as listed above. The strategic risk register is reviewed and agreed by PMB and is then presented to the Risk & Audit Committee on a quarterly basis. The agreed register is then presented to the Board, with a verbal update from the Chair of the Risk & Audit Committee.

6.2.3 The Group Risk Registers reflect the operational risks of each Group Director. Group Registers are maintained by Risk Champions, and the Finance Business Partner for the Group. Risk Champions are notified by the Head of Risk Management when their register needs to be updated for submission to PMB and R&AC.

6.3 Risk Assessment & Scoring

6.3.1 A risk is assessed by evaluating the likelihood or frequency of the risk occurring, and the impact of the risk should it occur, over a 12-month horizon. Table 1 provides a consistent framework for assessing both the likelihood/frequency and the impact of risks across the organisation. The framework has 5 ‘bands’, ranging from ‘very low’ to ‘very high’. There are 4 types of impact: Cost, Delay, Reputation and Objective Realisation. If a risk affects more than one impact type, it should be assessed against the impact type which is most severe.


Table 1: Risk score framework

Score matrix (likelihood band by impact band):

Likelihood \ Impact     Very Low   Low   Medium   High   Very High
Very High (>75%)           11       16     20       23       25
High (51%-75%)              7       12     17       21       24
Medium (26%-50%)            4        8     13       18       22
Low (5%-25%)                2        5      9       14       19
Very Low (<5%)              1        3      6       10       15

Impact bands by impact type:

Cost

• Very Low: <£25k or minimal cost over-run

• Low: £26k-£99k or cost over-run can be accommodated within agreed project budget

• Medium: £100k-£499k or cost over-run will exceed agreed project budget

• High: £500k-£2,499k or cost over-run may result in Group expenditure exceeding agreed budget

• Very High: >£2,500k or cost over-run may result in total expenditure exceeding Ofcom budget

Delay

• Very Low: 1 day or delay can easily be accommodated within overall project plan

• Low: Up to 1 week or no significant impact on benefits to consumers and citizens or dependent projects

• Medium: Up to 2 weeks or benefits to consumers and citizens offset ‘costs’ of delay

• High: Up to 1 month or delay may undermine the benefits to consumers and citizens

• Very High: Greater than 1 month or benefits to consumers and citizens are severely damaged by delay

Reputation (political, stakeholder or media scrutiny)

• Very Low: Outcome is unlikely to attract any negative commentary

• Low: Outcome that may result in isolated, low level, negative commentary

• Medium: Outcome is unlikely to be seen as controversial, but may attract some public negative commentary and political opinion

• High: Outcome is likely to attract some public negative commentary and political opinion but is consistent with our duties and benefits to consumers & citizens are clear

• Very High: Outcome is seen as being controversial, perceived to be at odds with our values or duties and results in overwhelming, co-ordinated and public negative stakeholder commentary and political opinion

Objective Realisation

• Very Low: Will result in a minor delay in completing a project or package of work

• Low: Will result in the failure to successfully deliver a project or package of work aligned to a Team objective

• Medium: Will result in the failure to successfully deliver a project or complete a package of work aligned to a Group objective

• High: Will result in the failure to deliver one or more of Ofcom’s priorities or major work areas as outlined in the Annual Plan

• Very High: Will materially undermine the achievement of a stated outcome as defined in the Annual Plan

6.3.3 There are two levels of scoring used at Ofcom:

(a) The gross or inherent score assesses the risk without any controls in place; and

(b) The risk is re-assessed at a residual level, which shows the remaining risk based on the controls in place operating as designed.

6.3.4 All strategic risks are required to have a Target Residual Risk Score, using the same risk matrix used in the risk register, which reflects the level of risk that management would accept within its risk appetite. This approach enables the risk owner to identify mitigating actions that help to reduce risk, and helps clarify and seek assurance that the actions are performing according to plan.

6.4 Risk Management & Mitigation

6.4.1 There are four methods of risk mitigation that need to be assessed before deciding which one is appropriate:

(a) Terminate: stop the activity that is producing the risk;

(b) Tolerate: accept the risk because its impact and probability are low and/or other control options are unacceptable because of, e.g., cost;

(c) Treat: prevent the risk having an impact; or

(d) Transfer: move the risk to another organisation, e.g. through insurance.

6.5 Risk Escalation

6.5.1 There are three reasons why a risk will be escalated within the risk management hierarchy:

1. The risk cannot be adequately mitigated at project or Group level, i.e. the residual risk score is above a level which is acceptable to the project or Group;

2. The risk has a direct impact on a related project or impacts another area of the business; and

3. Although the risk is being adequately managed, its potential impact is so significant that it requires, or would benefit from, greater visibility.

6.5.2 The following guidelines should be followed when considering risks for escalation:

Escalation from Group to Strategic Risk Register

• Successful mitigation requires additional resource/engagement to implement.

• Risk will impact on other areas of Ofcom.

• Reputational risk is very high.

• Risk could have a material impact on a strategic priority/major work area.

Escalation from Project to Programme/Steering Group/Group Risk Register

• Successful mitigation requires additional resource/engagement.

• Mitigating action requires Senior Leadership Group (SLG) engagement.

• Risk is common across a Group’s portfolio of projects.

• Risk will impact on other areas of the Group’s projects.

6.5.3 The strategic risk register is formed by taking the Group risks where:

1. the residual risk score is ≥ 15 (this captures risks with a very high impact);

2. the inherent risk score is ≥ 20 (this captures ‘red’ risks); and

3. the risk will impact on areas or functions of Ofcom beyond its immediate Group.
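As an added worked example (not Ofcom’s own code or tooling), the Python below encodes the Table 1 score matrix, applies the Section 6.3.1 rule of scoring a risk against its most severe impact type, carries the gross, residual and target residual scores of Sections 6.3.3 and 6.3.4, and reports which of the Section 6.5.3 criteria each Group risk meets. The risk names, groups, bands and target scores in the sample register are constructed; the policy does not state whether one or all three criteria must hold, so the function returns the criteria met rather than deciding.

```python
# Added worked example (not Ofcom's own code): Table 1 scoring and the
# Section 6.5.3 escalation criteria applied to a constructed Group register.
from dataclasses import dataclass

BANDS = ["Very Low", "Low", "Medium", "High", "Very High"]

# Table 1 score matrix. Row = likelihood band, column = impact band,
# both ordered Very Low .. Very High.
SCORE_MATRIX = [
    [1, 3, 6, 10, 15],     # Very Low likelihood (<5%)
    [2, 5, 9, 14, 19],     # Low (5%-25%)
    [4, 8, 13, 18, 22],    # Medium (26%-50%)
    [7, 12, 17, 21, 24],   # High (51%-75%)
    [11, 16, 20, 23, 25],  # Very High (>75%)
]

IMPACT_TYPES = {"Cost", "Delay", "Reputation", "Objective Realisation"}


def score(likelihood: str, impacts: dict) -> int:
    """Table 1 score for a likelihood band and a mapping impact type -> band.
    Per 6.3.1 a risk touching several impact types is assessed against the
    most severe one."""
    unknown = set(impacts) - IMPACT_TYPES
    if unknown or not impacts:
        raise ValueError(f"impact types must be a non-empty subset of {IMPACT_TYPES}")
    worst = max(BANDS.index(band) for band in impacts.values())
    return SCORE_MATRIX[BANDS.index(likelihood)][worst]


@dataclass
class GroupRisk:
    name: str
    group: str
    gross_likelihood: str      # inherent: no controls in place (6.3.3a)
    gross_impacts: dict
    residual_likelihood: str   # with controls operating as designed (6.3.3b)
    residual_impacts: dict
    target_residual: int       # target residual score reflecting appetite (6.3.4)
    affects_other_groups: bool = False

    @property
    def gross_score(self) -> int:
        return score(self.gross_likelihood, self.gross_impacts)

    @property
    def residual_score(self) -> int:
        return score(self.residual_likelihood, self.residual_impacts)

    def needs_further_mitigation(self) -> bool:
        # 6.3.4: residual above target means planned actions are not yet enough
        return self.residual_score > self.target_residual


def escalation_criteria(risk: GroupRisk) -> list:
    """Names of the 6.5.3 criteria the risk meets (possibly none)."""
    met = []
    if risk.residual_score >= 15:
        met.append("residual score >= 15 (very high impact)")
    if risk.gross_score >= 20:
        met.append("inherent score >= 20 (red risk)")
    if risk.affects_other_groups:
        met.append("impacts areas beyond the Group")
    return met


# Constructed sample Group register; names and values are illustrative only.
SAMPLE_REGISTER = [
    GroupRisk("Spectrum licensing platform outage", "Operations",
              "High", {"Delay": "High", "Cost": "Medium"},
              "Low", {"Delay": "Medium"}, target_residual=9,
              affects_other_groups=True),
    GroupRisk("Contested consumer-fairness decision", "Policy",
              "Very High", {"Reputation": "Very High", "Cost": "Low"},
              "Medium", {"Reputation": "Very High"}, target_residual=15),
    GroupRisk("Office printer contract renewal", "Finance",
              "Low", {"Cost": "Low"},
              "Very Low", {"Cost": "Very Low"}, target_residual=3),
]


def strategic_candidates(register) -> dict:
    """Map risk name -> criteria met, for risks meeting at least one criterion."""
    return {r.name: escalation_criteria(r) for r in register if escalation_criteria(r)}


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name}: gross={r.gross_score} residual={r.residual_score} "
              f"target={r.target_residual} criteria={escalation_criteria(r)}")
```

Running the script prints one line per sample risk with its gross, residual and target scores and the criteria met; the printer-contract risk meets none and so would stay on the Group register.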

6.6 Assurance

6.6.1 As a key process in the internal control framework, assurance is needed through the risk management process.

6.6.2 Assurance will be obtained to confirm that the residual risk assessment, based upon the controls in place, is reasonable. Assurance may be sought from management, internal audit, external audit or other sources as and when appropriate, i.e. deep dive sessions at the Risk & Audit Committee.

6.6.3 Managing risk is a critical part of Ofcom’s strategic and operational management and


Ofcom’s wider risk management framework and defines the methodology for identifying, assessing, managing and reporting risks.

6.7 Other Risk Management Areas

6.7.1 Fraud Risk Management

Fraud risks are recognised as a distinct category of risk within Ofcom. While the process outlined in this document should be followed for managing fraud risks, these risks are captured on a dedicated fraud/security risk register. The fraud/security risk register is owned by the Head of Risk Management and is updated on a quarterly cycle and submitted to the Security Committee for review.

6.7.2 Other Ofcom reference documents for cross reference

1. Security Policy

2. Health & Safety Policy

3. Incident Management Policy

4. Anti-Fraud Policy


7. Risk Appetite

7.1 Risk appetite and risk exposure should be considered within the context of other business decisions, rather than as a stand-alone decision.

7.2 The aim is not to remove all risk and it is necessary to recognise that some level of risk will always exist. Risk appetite is the amount of risk that the organisation is prepared to accept, tolerate, or be exposed to at any point in time.

7.3 Ofcom’s risk appetite statements are reviewed annually and approved by the Board.

7.4 If a change in risk appetite is agreed by the Board, business teams should revisit their risk registers to ensure that the mitigating actions are enough to manage the risks in line with the revised tolerance for risk. There are 8 categories of Risk and 5 levels of Risk Tolerance as illustrated below (Figure 2). All risks should be considered for Risk Appetite purposes. The numbers along the ‘Risk Tolerances’ specifically refer to the Impact/Likelihood scoring in the risk register.


7.5 Ofcom’s allowed tendency towards the different tolerances is shown by the ‘blue-shaded’ box in each risk category. The detailed Risk Appetite Statement is in the attached Appendix.

8. Version history

Version number | Version date | Revised by | Description of changes made

15 | 14/11/2019 | EH | Updating policy to new template. Significant revisions to the 2018 Risk Management policy, removing operational detail and focusing on the strategic framework. Moved Risk Appetite section to end. Definitions section improved and clarified. Removed full Risk Management process element. Input new Top Down, Bottom Up definition of risk management at Ofcom. Discussion and review with Chair of the Risk & Audit Committee. Inclusion of 5 year horizon scan paragraph.

14 | 21 January | R Sadiq | Board review requested addition of “Reputational Risk” category to Section 2.1.1

13 | 14 January 2019 | R Sadiq | Reviewed by Angela Dean (Chair of Risk & Audit Committee)

12 | 8 January 2019 | R Sadiq | Reviewed by Curtis Juman

11 | 10 December 2018 | R Sadiq | Revised by adding comments raised at the Risk & Audit Committee

10 | 29 November 2018 | R Sadiq | Reviewed and approved by the Policy & Management Board

9.0 | November 2018 | R Sadiq, KPMG | Revisions including suggestions from KPMG

Note: The risk management policy is regularly reviewed, and previous version control can be requested from the Head of Risk Management.

Distribution

Name | Action required | Date required by

Elaine Heyworth | Review | Annually

References

Related documents