belfast education and library board corporate … · belfast education and library board . ......

1

BELFAST EDUCATION AND LIBRARY BOARD

CORPORATE RISK REGISTER 2010/2011

VERSION: SEPTEMBER 2010

2

THE BELFAST EDUCATION AND LIBRARY BOARD’S BUSINESS OBJECTIVES

Vision: The Belfast Education and Library Board is committed to providing a quality education and youth service which contributes to life-long learning for all the people of Belfast

The BELB’s key Education Priorities are: Raising Standards for All

Meeting Needs (Closing the Performance Gap, Increasing Access and Equity)

Developing People (Developing the Education Workforce)

Optimising Resources (Improving the Learning Environment)

Strengthening Partnerships (Transforming Education Management)

We seek to deliver these by:

Ensuring resources are secured and allocated in line with education priorities.

Holding ourselves and others to account for agreed outcomes.

Working collaboratively with our partners.

Embracing equality and diversity.

Learning from research, best practice and experience.

The BELB’s Business Objectives for 2010/11 are set out in the BELB Resource Allocation Plan. This Risk Register identifies key risks that could militate against the achievement of those objectives and the action being taken to reduce those risks.

3

Corporate Risk No. 1 Risk Evaluation Description: The Board does not remain within its allocation from sponsoring departments

Inherent Impact Likelihood

Residual Impact Likelihood

Residual Risk Score 15

Critical (5)

Almost certain

(5)

Critical (5)

Possible (3)

Consequence

Unable to provide the full range of educational services Possible adverse affect on Children’s education in the Board area Adverse publicity Loss of jobs Lead Risk Owner Date Reviewed

CEO Potential Root Causes Current Actions to Manage Risk

(Include corresponding Business Plan Ref., where appropriate)

Responsible Official

Allocation of resources not linked to departmental plans / objectives

Budget broken down at corporate level across services CFO

Failure to define, delegate and communicate responsibility to budget holders their responsibilities and initial budget allocation

Monitoring of expenditure at corporate, department and budget holder level

CFO

Key staff and budget holders not trained Communication through board , SMT, department and section briefings

SMT

Information provided to budget holders is not in a format that is easily understood

Budget reports detailing expenditure to enable managers to monitor spend (including earmarked initiatives)

CFO

4

High number of children with special needs where there is a statutory requirement to provide services irrespective of the cost.

IFS system training provided to budget holders CFO

Timely and accurate information Key posts within finance department with knowledge of Board finance functions

CFO

Defined budget holder responsibility CEO Review of compliance mechanisms CFO &SMT Standard reports presented monthly to SMT, DE and

the board CFO

Training for budget holders and budget manual produced. Finance awareness sessions were held for board members

CFO

Budgets tailored to meet the needs of budget holders CFO Allocation of resources linked to departmental plan. CFO & SMT Contingency Reduce spend in areas which will not affect front line service delivery Seek additional funding from DE Action Plan for Improvement Action by Whom Date Continue to identify pressures and communicate to DE via MEMR and develop bids for additional funding.

CFO Ongoing

Ensure all board members have relevant finance skills and knowledge CEO & SMT March 2011 Carry out a review of services to identify any savings in service delivery which can be achieved

CFO & SMT December 2010

Continue to work closely with sponsoring departments to identify and manage pressures.

Raise the issue of timely notification of allocation of funding with the Department of Education

CEO & SMT March 2011

5

Corporate Risk No. 2 Risk Evaluation Description: To fulfil the Board’s statutory obligations




Critical (5)

Almost Certain

(5)

Critical (5)

Possible (3)

Consequence

Failure to comply with statutory obligations. Legal cases for failing to comply with statutory obligations Inadequate service delivery. RAP 2 targets are not met. Budget allocation is not suffice to enable compliance with statutory obligations. Lead Risk Owner Date Reviewed




Lack of awareness and non communication of the boards statutory obligations and legislative requirements

Oversight role of board activities by members CEO & SMT

Services are not adequately resourced SMT meet regularly to discuss boards objectives, policies and performance

CEO & SMT

Lack of resources to complete annual accounts by required deadline

Management understanding of statutory obligations and legislation impinging upon their department.

CEO & SMT

Lack of professional knowledge results in annual accounts being qualified.

CEO’s financial memorandum and management statement

CEO & SMT

Relevant officers not informed of key changes in statutory requirements

Ensure DAO letters and directives from sponsoring departments are circulated to relevant board officers.

CEO & SMT

BELB is not notified of changes in statutory obligations Monitoring of RAP section on a quarterly basis CEO & SMT

6

Board members have received training on the boards statutory obligations

CEO & SMT

Continuous review of compliance mechanisms CEO & SMT Maintain and update list of key statutory obligations

and undertakings CEO & SMT

Contingency Action Plan for Improvement Action by Whom Date Ensure board members have an understanding of the board’s statutory obligations


7

Corporate Risk No. 3 Risk Evaluation Description: To ensure the successful delivery of projects undertaken by the board




Major (4)

Possible (3)

Significant (3)

Remote (2)

Consequence

Projects not delivered on time Costs/penalties incurred for failing to deliver project on time Adverse publicity Project incurring additional running and staffing costs Lead Risk Owner Date Reviewed

C E O Potential Root Causes Current Actions to Manage Risk



System / resource issues results in project not being delivered in time.

DE established ESA ICT programme board to coordinate projects in all boards

CEO ( ESA board )

New system not integrating with other board IT systems Business Case CEO ( ESA board )

Lack of system development knowledge within project board / team

Project initiation document

CEO ( ESA board )

Lack of communication with end users Project board, manager and team with relevant skills

CEO ( ESA board )

Lack of planning Proven methodology followed

CEO ( ESA board )

Overview / coordination of all board projects CEO ( ESA board )

8

Gateway review CEO ( ESA board )

User groups

CEO ( ESA board )

Testing and implementation

CEO ( ESA board )

Budget monitoring CEO ( ESA board )

Contingency Continue to operate with current systems as fall back. Action Plan for Improvement Action by Whom Date Review current projects and their status and need for continuation. CEO & SMT December 2010

9

Corporate Risk No. 4 Risk Evaluation Description: To manage human resources efficiently and effectively




Significant (5)

Probable (4)

Significant (3)

Probable (4)

Consequence

Service delivery is affected due to lack of resources Lack of appropriate qualified staff Children’s education affected Targets are not achieved and statutory obligations are not adhered to. Loss of key knowledge Lead Risk Owner Date Reviewed




Lack of succession planning Manpower plans for all departments CEO & SMT No clear retention policy HR strategy CEO & SMT Current freeze on training/recruitment (vacancy control) Job evaluation scheme CEO & SMT Loss of knowledge/key staff Human resources section providing recruitment,

training, development and attendance management CEO & SMT

No department / section business plans Job descriptions and specifications with key responsibilities defined for post holders

CEO & SMT

Continuous review of staffing to ensure adequate resources.

CEO & SMT

Management structures in place to communicate business needs through SMT, and department meetings

CEO & SMT

10

Continuous review of resources and structures CEO & SMT Contingency Utilise other staff for cover. Use of agency staff when required Prioritising service delivery. Action Plan for Improvement

Action by Whom

Date

Discussion with Department of Education regarding removal of vacancy control CEO March 2011

11

Corporate Risk No. 5 Risk Evaluation Description: To embed principles of corporate governance




Critical (5)

Almost Certain

(4)

Critical (5)

Possible (3)

Consequence

Potential fraud due to lack of knowledge on polices and procedures Lack of controls which allows opportunity for fraud Board members not aware of the principals of corporate governance Lack of appropriately qualified staff available to discharge statutory obligations. Lead Risk Owner Date Reviewed




Departmental objectives not linked to corporate objectives

Transitional Board comprising non executive members in place formulating and approving policy.

CEO & SMT

Lack of understanding of corporate governance / risk management process among managers and members

Board officers providing advice and implementing policy

CEO & SMT

Managers and members roles and responsibilities in relation to risk management not defined or understood

Internal / External audit CEO &CFO

Insufficient resource, skills, training and experience to discharge statutory and legal responsibilities.

Stakeholder communication through board minutes, website and annual report.

CEO & SMT

Statement of internal control. CEO SMT

12

Code of conduct/declaration of interests CFO Hospitality, Anti Fraud and Whistleblowing policies Corporate planning Communication strategy CAO Embedded risk management CEO &SMT Training / information on corporate responsibilities and

risk management process for all managers and members

CEO

CEO liaises with DE accounting regarding the transitional board.

March 2011

Contingency Action Plan for Improvement

Action by Whom

Date

Review of media publicity / strategy and structures CEO March 2011 CEO to liaise with DE accounting officer regarding the review of governance arrangements, training and experience including the option of co-opting additional members.

CEO March 2011

13

Corporate Risk No. 6 Risk Evaluation Description: Improve service delivery




Critical (5)

Probable (4)

Significant (3)

Possible (3)

Consequence

Failure to understand customers needs and expectations Failure to delivery education for all Ineffective service delivery could have an adverse effect on collaborative partners Failure to meet RAP targets Non compliance with statutory obligations Adverse publicity Lead Risk Owner Date Reviewed

CEO Potential Root Causes (Comment: Bolster remaining root causes)

Current Actions to Manage Risk



Budget allocation not received on a timely basis SMT commitment to training provision. CEO &SMT Reduction in educational funding Resource allocation plans. (RAPs) CEO &SMT the boards statutory obligations and legislative requirements are not communicated to officers

Continuous improvement culture identifying opportunities for improvement and promoting quality

CEO &SMT

Loss of knowledge and key members of staff Consultation with customers providing feedback and identifying customer needs

CEO &SMT

Failure to understand customer needs / expectations Complaints procedure CEO &SMT Consultation framework developed and implemented CEO & SMT Ensure business are aligned to RAP targets SEO/CAO/

CFO

14


Action by Whom

Date

Review service delivery to ensure customer needs are being met CEO & SMT March 2011

15

Corporate Risk No. 7 Risk Evaluation Description: To implement the board’s strategy of engaging in PPP to deliver facilities for the provision of educational services



Residual Risk Score

9

Critical

(5)

Almost Certain

(5)

Significant (3)

Possible (3)

Consequence

PPP projects are not completed on time Additional costs are incurred in completion dates are not met Possible legal action Adverse relations with strategic partners Provision of education is affected. Lead Risk Owner Date Reviewed




Affordability

PID developed and implemented detailing governance and management structures

CAO

Failure to identify risks Project board CAO Poorly defined governance / management structures Board members CAO Unsuitable strategic partners lacking knowledge / skills and finance

Existing working group with senior BELB officers

CAO

Needs not clearly identified and assessed Risk registers established for PPP CAO Unfavourable contracts established Funding not received to complete and maintain projects

Board / Department of Education / DFP and Strategic Investment Board involvement

CAO

Officers are trained in PPP CAO PPP accountant in post CAO

16

Continuous review and updating of risk registers CAO Properly qualified staff CAO Agreed contract and terms and conditions CAO Advisers CAO Consultation with stakeholders CAO Contingency Action Plan for Improvement

Action by Whom

Date

Identification of pressures and development of business case to DE and monthly communication to sponsoring department via MEMR

Bid for funding to Department of Education CFO March 2011

17

Corporate Risk No. 8 Risk Evaluation Description: The Board’s reputation and integrity is upheld amongst all its stakeholders



Residual Risk Score

6

Critical (5)

Possible (3)

Significant (3)

Remote (2)

Consequence

Adverse publicity Board reputation is affected Stakeholders reputation is affected Lead Risk Owner Date Reviewed




Failure to manage controversial decisions taken relating to service provision

Code of practice for board members CE & CAO

Failure to manage issues of confidentiality Hospitality Policy CE & CAO Ineffective crisis and emergency planning / management Whistleblowing policy CE & CAO Anti fraud policy CE & CAO Emergency planning CE & CAO Board ethos, standards and values clearly

communicated in corporate plan CE & CAO

Code of conduct / declaration of interests CE & CAO Information officer CE & CAO Communication strategy CE & CAO Compliance with FOI and Data protection CE & CAO Transparency in board meetings and minutes CE & CAO Training of board members CE & CAO

18

Contingency

Action Plan for Improvement

Action by Whom

Date

Review of internal and external communication

CE & CAO March 2011

19

Corporate Risk No. 9 Risk Evaluation Description: To prevent or minimise fraud and identify and manage instances of occurrence



Residual Risk Score

9

Significant

(3)

Almost Certain

(5)

Significant (3)

Possible (3)

Consequence

Inadequate controls facilitate fraud Fraud arises due to officers lack of knowledge on policies and procedures Adverse publicity Loss of assets Not able to recover loss Lead Risk Owner Date Reviewed




Lack of effective systems Zero tolerance approach CEO &SMT Failure to implement systems Continual review of systems through audit plan CEO &SMT Lack of management control Systems in place for service provision CEO &SMT Policies and guidance has not been effectively communicated to all staff

Anti Fraud policy / procedures CEO &SMT

Whistleblowing / Hospitality policy CEO &SMT Internal Audit / external audit investigations CEO &SMT

20

Fraud awareness through treasury fraud reports CEO &SMT Disciplinary policy communicated to all staff CEO &SMT Consultation with NIAO / PSNI and sponsoring

departments CEO &SMT

Awareness through DAOs Fully qualified fraud investigators

CEO &SMT

Participation in NFI Data matching exercise and investigation of data matches

CE/SEO/CAO/CFO

Fraud awareness training for managers as required CFO & SMT Contingency


Action by Whom

Date

21

Corporate Risk No. 10 Risk Evaluation Description: To provide a safe working and learning environment



Residual Risk Score

9

Critical (5)

Probable (4)

Significant (3

Possible (3)

Consequence

Loss of life to board officer/child/other persons Adverse publicity Loss of assets Children being educated in unsafe buildings Potential corporate manslaughter Lead Risk Owner Date Reviewed




Building structure or fabric is unsafe Health and safety manual for schools

CAO

Contact surfaces have hazardous design elements Premises are designed and maintained to health and safety regulations

CAO

Contact surfaces are maintained in hazardous condition Staff are trained in safe handling and in first aid CAO Equipment is hazardous in design or operation Board has H&S policies and procedures for most

situations CAO

22

Unsafe practices. Malicious attack. Accident Most premises have adequate security systems and procedures

CAO

Child protection officer responsible for the implementation and monitoring of child protection policy and awareness

CAO

Implementation of revised vetting and barring scheme CFO Full review of the board’s responsibilities in regard to

transport arrangements and school trips etc followed by policies, procedure and training to ensure effective discharge

CAO

Contingency Emergency response plan Action Plan for Improvement

Action by Whom

Date

Continue to submit bids to De for additional funding for risk assessments CFO March 2011 Carry out fire risk assessments CAO March 2011

23

Corporate Risk No 11 Risk Evaluation Description: To provide security of data



Residual Risk Score

9

Critical (5)

Almost Certain

(5)

Significant (3)

Possible 3)

Consequence

Sensitive information is lost/stolen Adverse publicity Legal cases taken against BELB Information is lost if not backed up Unauthorised access to sensitive information Non compliance with data protection act 1998 Service level agreements are breached Lead Risk Owner Date Reviewed




Information not backed up regularly Information backed up at the centre on a daily basis CEO & SMT Information not easily recovered Services providers back up information on a regular

basis CEO & SMT

Information is not securely held Recovery tests carried out CEO & SMT Absence of protocols and service level agreements with external system providers / users

Access controls, passwords, logins and user profiles created to restrict access to authorised officers only

CEO & SMT

24

Officers saving sensitive board information to removable hardware (cd / dvd or memory stick).

Fire wall software protection installed on servers and pc’s

CEO & SMT

Information transmitted via unsecured networks eg internet, postal services , email etc

Email and internet policy, Data protection guide for staff and BELB security policy circulated to staff

CEO & SMT

Non compliance with legislation (Data Protection Act 1998) Data wipe contract with disposal company for redundant computer hardware and equipment

CEO & SMT

Records manager ensures manually records are securely held and disposed at the appropriate date

CEO & SMT

Seek assurance from external system providers regarding data protection

CFO


Action by Whom

Date

Develop an action plan to improve the board’s level of security compliance across the wide range of areas of IT.


Management should carry out frequent audits and continual assessment on information security issues.


Liaise with counterparts in the other ELB’s to ensure commonality of compliance.


Maintain a register of all data transfers that entail data moving outside BELB HQ. and to non board locations.


Carry out a review of procedures for sending data outside of the board. CEO & SMT March 2011

25

Corporate Risk No. 12 Risk Evaluation Description: To ensure continuity of business



Residual Risk Score

9

Critical (5)

Probable (4)

Significant (3)

Possible (3)

Consequence

Unable to deliver service/services Loss of assets Loss of sensitive information Lead Risk Owner Date Reviewed




Unexpected events occurring that directly affect board business. E.g. flood, fire, power failure, infectious diseases or terrorism.

Emergency management policy established by senior management outlining strategy to deal with emergencies.

CAO

Lack of coordinated action / approach to disaster recovery plans

Schools Emergency plans developed and disseminated to all schools detailing actions to be taken in the event of an emergency.

CAO

Data security review undertaken for BELB during 2008 / 09. Data protection policy developed in 2004.

CAO

T security policy and internet / email policy developed and provided to all staff. Posted on BELB intranet.

CAO

26

Workshops held to inform section managers of responsibility in relation to business continuity and disaster recovery. Sectional risk registers incorporate a business continuity section.

CAO


Action by Whom

Date

Policy needs to be revised and updated to detail officers responsible and all steps to be taken depending on the nature of the emergency.

CAO March 2011

An integrated IT disaster recovery policy needs to be formulated to incorporate the various policies in place at present. (some IT systems providers have independent policies in place ie oracle.)

CFO March 2011

BELB contingency arrangements to be integrated into formal policy and plan. CFO March 2011

27

Corporate Risk No. 13 Risk Evaluation Description: To assist ESAIT in implementing its transitional arrangements



Residual Risk Score

15

Critical (5)

Probable (4)

Critical (5)

Possible (3)

Consequence

Officers not aware of transitional arrangements Delay in transitional arrangements Lead Risk Owner Date Reviewed

Potential Root Causes Current Actions to Manage Risk



Senior BELB officers not involved or engaged with ESAIT in relation to transition arrangements through discussion.

Continue to attend transition board meetings CEO & SMT

Lack of communication of ESAIT arrangements Bi monthly accountability meetings CEO & SMT Lack of support / resources to enable ESAIT to work efficiently and effectively

Regular update of information posted on BELB intranet

CEO & SMT

Lack of information provided to ESAIT to enable them to make transitional arrangements

Provide briefings as required CEO & SMT

28

Risk that budgetary control will be affected during transition to ESA

Continue to monitor staffing levels.

CEO & SMT

Monthly accounting meetings with DE CEO Contingency Services continue to operate under current procedures Action Plan for Improvement

Action by Whom

Date

Continued monitoring and reporting of system developments and changes to senior BELB officers.

CFO March 2011

Project team to keep SMT appraised of developments through appropriate channels.

CFO March 2011

Provide contractual information / updates as when required by ESAIT CAO March 2011

29

Corporate Risk No. 14 Risk Evaluation Description: Failure to meet RAP 2 targets established by DE.



Residual Risk Score

10

Critical (5)

Possible (3)

Critical (5)

Remote (2)

Consequence

Failure to raise standards for all Failure to close the education gap and increasing access and equity Failure to develop an education workforce Failure to improve the learning environment Failure to transform education management Failure to retain COPE status Lead Risk Owner Date Reviewed




Unrealistic RAP targets set. To meet all targets detailed in the 2010/2011 RAP2 target. Examples listed below:

Lack of understanding of RAP targets. Working with schools to raise education standards for all to ensure every school a good school

SEO

Lack of resources to achieve RAP targets Complying with SENDO requirements SEO

30

Allocation of resources not linked to departmental plan. Monitoring of extended schools SEO Dependence on key staff to prepare the annual accounts Training provided to BOG and Principals SEO No contingency plan if key staff are not available to prepare the annual accounts

Compliance with prompt payment code. CFO

Lack of information in relation to convergence delivery plan Working with schools to complete budget breakdown and 3 year plan

Lack of funding to carry out statutory risk assessments Fully utilise budget CFO Key staff leave and cannot be replaced. Monitoring teachers absence CFO Review of board and ancillary buildings CAO Teachers absence management policy CAO Working with schools in NRA’s CAO Contingency


Action by Whom

Date

Continue close working relationships with sponsoring departments to Identify and communication of pressures to sponsoring departments

CFO December 2010

Develop a contingency plan for preparation of the annual accounts CFO December 2010 Review resources available for completion of the year end accounts CFO December 2010 Obtain COPE accreditation CAO March 2011 Complete statutory risk assessments for schools CAO March 2011 Liaise with C2K in relation to management information targets CEO & SMT March 2011 Review all assets owned by BELB and confirm surplus CAO March 2011 Liaise with de to agree methodology for the implementation of area planning through the board’s estate

CAO December 2010

Ensure NRA targets are met SEO March 2011

belfast education and library board corporate … · belfast education and library board . ......

Documents