BELFAST EDUCATION AND LIBRARY BOARD
CORPORATE RISK REGISTER 2010/2011
VERSION: SEPTEMBER 2010
THE BELFAST EDUCATION AND LIBRARY BOARD’S BUSINESS OBJECTIVES
Vision: The Belfast Education and Library Board is committed to providing a quality education and youth service which contributes to life-long learning for all the people of Belfast
The BELB’s key Education Priorities are:
Raising Standards for All
Meeting Needs (Closing the Performance Gap, Increasing Access and Equity)
Developing People (Developing the Education Workforce)
Optimising Resources (Improving the Learning Environment)
Strengthening Partnerships (Transforming Education Management)
We seek to deliver these by:
Ensuring resources are secured and allocated in line with education priorities.
Holding ourselves and others to account for agreed outcomes.
Working collaboratively with our partners.
Embracing equality and diversity.
Learning from research, best practice and experience.
The BELB’s Business Objectives for 2010/11 are set out in the BELB Resource Allocation Plan. This Risk Register identifies key risks that could militate against the achievement of those objectives and the action being taken to reduce those risks.
Corporate Risk No. 1
Description: The Board does not remain within its allocation from sponsoring departments
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Almost certain (5)
Residual Impact: Critical (5)
Residual Likelihood: Possible (3)
Residual Risk Score: 15
Consequence:
Unable to provide the full range of educational services
Possible adverse effect on children’s education in the Board area
Adverse publicity
Loss of jobs
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Allocation of resources not linked to departmental plans / objectives
Budget broken down at corporate level across services CFO
Failure to define, delegate and communicate to budget holders their responsibilities and initial budget allocation
Monitoring of expenditure at corporate, department and budget holder level
CFO
Key staff and budget holders not trained Communication through board, SMT, department and section briefings
SMT
Information provided to budget holders is not in a format that is easily understood
Budget reports detailing expenditure to enable managers to monitor spend (including earmarked initiatives)
CFO
High number of children with special needs where there is a statutory requirement to provide services irrespective of the cost.
IFS system training provided to budget holders CFO
Timely and accurate information Key posts within finance department with knowledge of Board finance functions
CFO
Defined budget holder responsibility CEO Review of compliance mechanisms CFO & SMT Standard reports presented monthly to SMT, DE and the board CFO
Training for budget holders and budget manual produced. Finance awareness sessions were held for board members
CFO
Budgets tailored to meet the needs of budget holders CFO Allocation of resources linked to departmental plan. CFO & SMT
Contingency
Reduce spend in areas which will not affect front line service delivery
Seek additional funding from DE
Action Plan for Improvement
Action by Whom Date
Continue to identify pressures and communicate to DE via MEMR and develop bids for additional funding.
CFO Ongoing
Ensure all board members have relevant finance skills and knowledge CEO & SMT March 2011 Carry out a review of services to identify any savings in service delivery which can be achieved
CFO & SMT December 2010
Continue to work closely with sponsoring departments to identify and manage pressures.
Raise the issue of timely notification of allocation of funding with the Department of Education
CEO & SMT March 2011
Corporate Risk No. 2
Description: To fulfil the Board’s statutory obligations
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Almost Certain (5)
Residual Impact: Critical (5)
Residual Likelihood: Possible (3)
Residual Risk Score: 15
Consequence:
Failure to comply with statutory obligations.
Legal cases for failing to comply with statutory obligations
Inadequate service delivery.
RAP 2 targets are not met.
Budget allocation is not sufficient to enable compliance with statutory obligations.
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Lack of awareness and non-communication of the board’s statutory obligations and legislative requirements
Oversight role of board activities by members CEO & SMT
Services are not adequately resourced SMT meet regularly to discuss board’s objectives, policies and performance
CEO & SMT
Lack of resources to complete annual accounts by required deadline
Management understanding of statutory obligations and legislation impinging upon their department.
CEO & SMT
Lack of professional knowledge results in annual accounts being qualified.
CEO’s financial memorandum and management statement
CEO & SMT
Relevant officers not informed of key changes in statutory requirements
Ensure DAO letters and directives from sponsoring departments are circulated to relevant board officers.
CEO & SMT
BELB is not notified of changes in statutory obligations Monitoring of RAP section on a quarterly basis CEO & SMT
Board members have received training on the board’s statutory obligations
CEO & SMT
Continuous review of compliance mechanisms CEO & SMT Maintain and update list of key statutory obligations
and undertakings CEO & SMT
Contingency
Action Plan for Improvement
Action by Whom Date
Ensure board members have an understanding of the board’s statutory obligations
CEO & SMT March 2011
Corporate Risk No. 3
Description: To ensure the successful delivery of projects undertaken by the board
Risk Evaluation
Inherent Impact: Major (4)
Inherent Likelihood: Possible (3)
Residual Impact: Significant (3)
Residual Likelihood: Remote (2)
Residual Risk Score: 6
Consequence:
Projects not delivered on time
Costs/penalties incurred for failing to deliver project on time
Adverse publicity
Project incurring additional running and staffing costs
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
System / resource issues result in project not being delivered in time.
DE established ESA ICT programme board to coordinate projects in all boards
CEO ( ESA board )
New system not integrating with other board IT systems Business Case CEO ( ESA board )
Lack of system development knowledge within project board / team
Project initiation document
CEO ( ESA board )
Lack of communication with end users Project board, manager and team with relevant skills
CEO ( ESA board )
Lack of planning Proven methodology followed
CEO ( ESA board )
Overview / coordination of all board projects CEO ( ESA board )
Gateway review CEO ( ESA board )
User groups
CEO ( ESA board )
Testing and implementation
CEO ( ESA board )
Budget monitoring CEO ( ESA board )
Contingency
Continue to operate with current systems as fall back.
Action Plan for Improvement
Action by Whom Date
Review current projects and their status and need for continuation. CEO & SMT December 2010
Corporate Risk No. 4
Description: To manage human resources efficiently and effectively
Risk Evaluation
Inherent Impact: Significant (5)
Inherent Likelihood: Probable (4)
Residual Impact: Significant (3)
Residual Likelihood: Probable (4)
Residual Risk Score: 12
Consequence:
Service delivery is affected due to lack of resources
Lack of appropriate qualified staff
Children’s education affected
Targets are not achieved and statutory obligations are not adhered to.
Loss of key knowledge
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Lack of succession planning Manpower plans for all departments CEO & SMT No clear retention policy HR strategy CEO & SMT Current freeze on training/recruitment (vacancy control) Job evaluation scheme CEO & SMT Loss of knowledge/key staff Human resources section providing recruitment,
training, development and attendance management CEO & SMT
No department / section business plans Job descriptions and specifications with key responsibilities defined for post holders
CEO & SMT
Continuous review of staffing to ensure adequate resources.
CEO & SMT
Management structures in place to communicate business needs through SMT, and department meetings
CEO & SMT
Continuous review of resources and structures CEO & SMT
Contingency
Utilise other staff for cover.
Use of agency staff when required
Prioritising service delivery.
Action Plan for Improvement
Action by Whom
Date
Discussion with Department of Education regarding removal of vacancy control CEO March 2011
Corporate Risk No. 5
Description: To embed principles of corporate governance
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Almost Certain (4)
Residual Impact: Critical (5)
Residual Likelihood: Possible (3)
Residual Risk Score: 15
Consequence:
Potential fraud due to lack of knowledge on policies and procedures
Lack of controls which allows opportunity for fraud
Board members not aware of the principles of corporate governance
Lack of appropriately qualified staff available to discharge statutory obligations.
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Departmental objectives not linked to corporate objectives
Transitional Board comprising non executive members in place formulating and approving policy.
CEO & SMT
Lack of understanding of corporate governance / risk management process among managers and members
Board officers providing advice and implementing policy
CEO & SMT
Managers and members roles and responsibilities in relation to risk management not defined or understood
Internal / External audit CEO & CFO
Insufficient resource, skills, training and experience to discharge statutory and legal responsibilities.
Stakeholder communication through board minutes, website and annual report.
CEO & SMT
Statement of internal control. CEO SMT
Code of conduct/declaration of interests CFO Hospitality, Anti Fraud and Whistleblowing policies Corporate planning Communication strategy CAO Embedded risk management CEO & SMT Training / information on corporate responsibilities and risk management process for all managers and members
CEO
CEO liaises with DE accounting regarding the transitional board.
March 2011
Contingency Action Plan for Improvement
Action by Whom
Date
Review of media publicity / strategy and structures CEO March 2011 CEO to liaise with DE accounting officer regarding the review of governance arrangements, training and experience including the option of co-opting additional members.
CEO March 2011
Corporate Risk No. 6
Description: Improve service delivery
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Probable (4)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
Failure to understand customers’ needs and expectations
Failure to deliver education for all
Ineffective service delivery could have an adverse effect on collaborative partners
Failure to meet RAP targets
Non compliance with statutory obligations
Adverse publicity
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes (Comment: Bolster remaining root causes) | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Budget allocation not received on a timely basis SMT commitment to training provision. CEO & SMT Reduction in educational funding Resource allocation plans. (RAPs) CEO & SMT The board’s statutory obligations and legislative requirements are not communicated to officers
Continuous improvement culture identifying opportunities for improvement and promoting quality
CEO & SMT
Loss of knowledge and key members of staff Consultation with customers providing feedback and identifying customer needs
CEO & SMT
Failure to understand customer needs / expectations Complaints procedure CEO & SMT Consultation framework developed and implemented CEO & SMT Ensure business are aligned to RAP targets SEO/CAO/
CFO
Contingency Action Plan for Improvement
Action by Whom
Date
Review service delivery to ensure customer needs are being met CEO & SMT March 2011
Corporate Risk No. 7
Description: To implement the board’s strategy of engaging in PPP to deliver facilities for the provision of educational services
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Almost Certain (5)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
PPP projects are not completed on time
Additional costs are incurred if completion dates are not met
Possible legal action
Adverse relations with strategic partners
Provision of education is affected.
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Affordability
PID developed and implemented detailing governance and management structures
CAO
Failure to identify risks Project board CAO Poorly defined governance / management structures Board members CAO Unsuitable strategic partners lacking knowledge / skills and finance
Existing working group with senior BELB officers
CAO
Needs not clearly identified and assessed Risk registers established for PPP CAO Unfavourable contracts established Funding not received to complete and maintain projects
Board / Department of Education / DFP and Strategic Investment Board involvement
CAO
Officers are trained in PPP CAO PPP accountant in post CAO
Continuous review and updating of risk registers CAO Properly qualified staff CAO Agreed contract and terms and conditions CAO Advisers CAO Consultation with stakeholders CAO Contingency Action Plan for Improvement
Action by Whom
Date
Identification of pressures and development of business case to DE and monthly communication to sponsoring department via MEMR
Bid for funding to Department of Education CFO March 2011
Corporate Risk No. 8
Description: The Board’s reputation and integrity is upheld amongst all its stakeholders
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Possible (3)
Residual Impact: Significant (3)
Residual Likelihood: Remote (2)
Residual Risk Score: 6
Consequence:
Adverse publicity
Board reputation is affected
Stakeholders’ reputation is affected
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Failure to manage controversial decisions taken relating to service provision
Code of practice for board members CE & CAO
Failure to manage issues of confidentiality Hospitality Policy CE & CAO Ineffective crisis and emergency planning / management Whistleblowing policy CE & CAO Anti fraud policy CE & CAO Emergency planning CE & CAO Board ethos, standards and values clearly
communicated in corporate plan CE & CAO
Code of conduct / declaration of interests CE & CAO Information officer CE & CAO Communication strategy CE & CAO Compliance with FOI and Data protection CE & CAO Transparency in board meetings and minutes CE & CAO Training of board members CE & CAO
Contingency
Action Plan for Improvement
Action by Whom
Date
Review of internal and external communication
CE & CAO March 2011
Corporate Risk No. 9
Description: To prevent or minimise fraud and identify and manage instances of occurrence
Risk Evaluation
Inherent Impact: Significant (3)
Inherent Likelihood: Almost Certain (5)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
Inadequate controls facilitate fraud
Fraud arises due to officers’ lack of knowledge on policies and procedures
Adverse publicity
Loss of assets
Not able to recover loss
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Lack of effective systems Zero tolerance approach CEO & SMT Failure to implement systems Continual review of systems through audit plan CEO & SMT Lack of management control Systems in place for service provision CEO & SMT Policies and guidance have not been effectively communicated to all staff
Anti Fraud policy / procedures CEO & SMT
Whistleblowing / Hospitality policy CEO & SMT Internal Audit / external audit investigations CEO & SMT
Fraud awareness through treasury fraud reports CEO & SMT Disciplinary policy communicated to all staff CEO & SMT Consultation with NIAO / PSNI and sponsoring departments CEO & SMT
Awareness through DAOs Fully qualified fraud investigators
CEO & SMT
Participation in NFI Data matching exercise and investigation of data matches
CE/SEO/CAO/CFO
Fraud awareness training for managers as required CFO & SMT Contingency
Action Plan for Improvement
Action by Whom
Date
Corporate Risk No. 10
Description: To provide a safe working and learning environment
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Probable (4)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
Loss of life to board officer/child/other persons
Adverse publicity
Loss of assets
Children being educated in unsafe buildings
Potential corporate manslaughter
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Building structure or fabric is unsafe Health and safety manual for schools
CAO
Contact surfaces have hazardous design elements Premises are designed and maintained to health and safety regulations
CAO
Contact surfaces are maintained in hazardous condition Staff are trained in safe handling and in first aid CAO Equipment is hazardous in design or operation Board has H&S policies and procedures for most
situations CAO
Unsafe practices. Malicious attack. Accident Most premises have adequate security systems and procedures
CAO
Child protection officer responsible for the implementation and monitoring of child protection policy and awareness
CAO
Implementation of revised vetting and barring scheme CFO Full review of the board’s responsibilities in regard to
transport arrangements and school trips etc followed by policies, procedure and training to ensure effective discharge
CAO
Contingency
Emergency response plan
Action Plan for Improvement
Action by Whom
Date
Continue to submit bids to DE for additional funding for risk assessments CFO March 2011 Carry out fire risk assessments CAO March 2011
Corporate Risk No. 11
Description: To provide security of data
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Almost Certain (5)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
Sensitive information is lost/stolen
Adverse publicity
Legal cases taken against BELB
Information is lost if not backed up
Unauthorised access to sensitive information
Non compliance with Data Protection Act 1998
Service level agreements are breached
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Information not backed up regularly Information backed up at the centre on a daily basis CEO & SMT Information not easily recovered Service providers back up information on a regular basis CEO & SMT
Information is not securely held Recovery tests carried out CEO & SMT Absence of protocols and service level agreements with external system providers / users
Access controls, passwords, logins and user profiles created to restrict access to authorised officers only
CEO & SMT
Officers saving sensitive board information to removable hardware (CD / DVD or memory stick).
Firewall software protection installed on servers and PCs
CEO & SMT
Information transmitted via unsecured networks, e.g. internet, postal services, email etc.
Email and internet policy, Data protection guide for staff and BELB security policy circulated to staff
CEO & SMT
Non compliance with legislation (Data Protection Act 1998) Data wipe contract with disposal company for redundant computer hardware and equipment
CEO & SMT
Records manager ensures manual records are securely held and disposed of at the appropriate date
CEO & SMT
Seek assurance from external system providers regarding data protection
CFO
Contingency Action Plan for Improvement
Action by Whom
Date
Develop an action plan to improve the board’s level of security compliance across the wide range of areas of IT.
CEO & SMT March 2011
Management should carry out frequent audits and continual assessment on information security issues.
CEO & SMT March 2011
Liaise with counterparts in the other ELBs to ensure commonality of compliance.
CEO & SMT March 2011
Maintain a register of all data transfers that entail data moving outside BELB HQ and to non-board locations.
CEO & SMT March 2011
Carry out a review of procedures for sending data outside of the board. CEO & SMT March 2011
Corporate Risk No. 12
Description: To ensure continuity of business
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Probable (4)
Residual Impact: Significant (3)
Residual Likelihood: Possible (3)
Residual Risk Score: 9
Consequence:
Unable to deliver service/services
Loss of assets
Loss of sensitive information
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Unexpected events occurring that directly affect board business. E.g. flood, fire, power failure, infectious diseases or terrorism.
Emergency management policy established by senior management outlining strategy to deal with emergencies.
CAO
Lack of coordinated action / approach to disaster recovery plans
Schools Emergency plans developed and disseminated to all schools detailing actions to be taken in the event of an emergency.
CAO
Data security review undertaken for BELB during 2008 / 09. Data protection policy developed in 2004.
CAO
IT security policy and internet / email policy developed and provided to all staff. Posted on BELB intranet.
CAO
Workshops held to inform section managers of responsibility in relation to business continuity and disaster recovery. Sectional risk registers incorporate a business continuity section.
CAO
Contingency Action Plan for Improvement
Action by Whom
Date
Policy needs to be revised and updated to detail officers responsible and all steps to be taken depending on the nature of the emergency.
CAO March 2011
An integrated IT disaster recovery policy needs to be formulated to incorporate the various policies in place at present. (Some IT systems providers have independent policies in place, i.e. Oracle.)
CFO March 2011
BELB contingency arrangements to be integrated into formal policy and plan. CFO March 2011
Corporate Risk No. 13
Description: To assist ESAIT in implementing its transitional arrangements
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Probable (4)
Residual Impact: Critical (5)
Residual Likelihood: Possible (3)
Residual Risk Score: 15
Consequence:
Officers not aware of transitional arrangements
Delay in transitional arrangements
Lead Risk Owner:
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Senior BELB officers not involved or engaged with ESAIT in relation to transition arrangements through discussion.
Continue to attend transition board meetings CEO & SMT
Lack of communication of ESAIT arrangements Bi monthly accountability meetings CEO & SMT Lack of support / resources to enable ESAIT to work efficiently and effectively
Regular update of information posted on BELB intranet
CEO & SMT
Lack of information provided to ESAIT to enable them to make transitional arrangements
Provide briefings as required CEO & SMT
Risk that budgetary control will be affected during transition to ESA
Continue to monitor staffing levels.
CEO & SMT
Monthly accounting meetings with DE CEO
Contingency
Services continue to operate under current procedures
Action Plan for Improvement
Action by Whom
Date
Continued monitoring and reporting of system developments and changes to senior BELB officers.
CFO March 2011
Project team to keep SMT apprised of developments through appropriate channels.
CFO March 2011
Provide contractual information / updates as and when required by ESAIT CAO March 2011
Corporate Risk No. 14
Description: Failure to meet RAP 2 targets established by DE.
Risk Evaluation
Inherent Impact: Critical (5)
Inherent Likelihood: Possible (3)
Residual Impact: Critical (5)
Residual Likelihood: Remote (2)
Residual Risk Score: 10
Consequence:
Failure to raise standards for all
Failure to close the education gap and increasing access and equity
Failure to develop an education workforce
Failure to improve the learning environment
Failure to transform education management
Failure to retain COPE status
Lead Risk Owner: CEO
Date Reviewed:
Potential Root Causes | Current Actions to Manage Risk (Include corresponding Business Plan Ref., where appropriate) | Responsible Official
Unrealistic RAP targets set. To meet all targets detailed in the 2010/2011 RAP2 target. Examples listed below:
Lack of understanding of RAP targets. Working with schools to raise education standards for all to ensure every school a good school
SEO
Lack of resources to achieve RAP targets Complying with SENDO requirements SEO
Allocation of resources not linked to departmental plan. Monitoring of extended schools SEO Dependence on key staff to prepare the annual accounts Training provided to BOG and Principals SEO No contingency plan if key staff are not available to prepare the annual accounts
Compliance with prompt payment code. CFO
Lack of information in relation to convergence delivery plan Working with schools to complete budget breakdown and 3 year plan
Lack of funding to carry out statutory risk assessments Fully utilise budget CFO Key staff leave and cannot be replaced. Monitoring teachers’ absence CFO Review of board and ancillary buildings CAO Teachers’ absence management policy CAO Working with schools in NRAs CAO
Contingency
Action Plan for Improvement
Action by Whom
Date
Continue close working relationships with sponsoring departments to identify and communicate pressures to sponsoring departments
CFO December 2010
Develop a contingency plan for preparation of the annual accounts CFO December 2010 Review resources available for completion of the year end accounts CFO December 2010 Obtain COPE accreditation CAO March 2011 Complete statutory risk assessments for schools CAO March 2011 Liaise with C2K in relation to management information targets CEO & SMT March 2011 Review all assets owned by BELB and confirm surplus CAO March 2011 Liaise with DE to agree methodology for the implementation of area planning through the board’s estate
CAO December 2010
Ensure NRA targets are met SEO March 2011