Risk management in JNCC

The one-hundred-and-second meeting of the Joint Nature Conservation
Committee to be held at 0930 hours on 19 March 2015, at JNCC,
Inverdee House, Baxter Street, Aberdeen, AB11 9QA
This paper was provided to the Joint Committee for decision/discussion
or information. Please refer to the minutes of the meeting for
Committee’s position on the paper.
To view other Joint Committee papers and minutes visit http://www.jncc.gov.uk/page-2671
To find out more about JNCC visit http://www.jncc.gov.uk/page-1729
JNCC15 04
March 2015
Joint Nature Conservation Committee
Risk management in JNCC
Paper by Guy Duke, Marcus Yeo and Tracey Quince
1. Introduction
1.1. In June 2014, the Joint Committee agreed to hold an annual discussion on
high-level risks, with a view to reinforcing Committee’s ownership of risks
facing the organisation, and enabling them to provide a steer to ARAC and
EMB.
1.2. This paper is intended to stimulate Committee’s discussion. It summarises
JNCC’s approach to risk management, and presents risk registers and a
statement of risk appetite, revised by EMB for 2015/16. The main risks facing
JNCC in 2015/16 (as set out in the significant risks register) are discussed.
2. JNCC’s approach to risk management
2.1. JNCC has well-developed processes for risk management. JNCC’s approach
is centred on two risk registers.
2.2. The high-level corporate risk register describes the principal long-term/standing
risks affecting JNCC. It lists the core controls associated with
each of the five main categories of risk, but does not include specific control
improvements. The corporate risk register is reviewed annually. The latest
version, incorporating amendments proposed by EMB, is attached at Annex 2.
2.3. The annual significant risks register captures a small number of significant
risks which are “live” and require active attention during the year. The 2014/15
Significant Risks Register was based on the list of issues/risks in the
Governance Statement that formed part of the 2013/14 Annual Report and
Accounts. It forms the basis for quarterly risk reporting to EMB, ARAC and
Joint Committee. The significant risks register for 2014/15 is included within
the quarter 3 performance report to Joint Committee.
2.4. Annex 1a contains a proposed significant risks register for 2015/16. Additional
work will be required to ensure the risks are defined adequately and control
measures are identified. The significant risks register has been
comprehensively reviewed by EMB to reflect changing circumstances; some
risks have been deleted as they are no longer considered to be sufficiently
significant, some new risks have been added. Annex 1b describes the
changes from 2014/15. The 2015/16 register contains fewer risks than that for
2014/15, so that management attention can be focused on the highest
priorities.
2.5. Taken together, the two registers capture all relevant high-level risks facing
the organisation. They help to focus management effort and form an integral
part of the internal audit process.
2.6. At a corporate level JNCC has a statement of risk appetite that is reviewed
annually. JNCC’s proposed risk appetite for 2015/16 is contained in Annex 3.
The risk appetite can be defined as the amount and type of risk that an
organisation is prepared to seek, accept, tolerate or be exposed to at one time
or the amount of risk that an organisation is willing to seek or accept in the
pursuit of its long term objectives. Communicating the risk appetite to staff
and being clear at all levels of the organisation about the amount of risk the
organisation is willing to take ensures that performance and delivery will be
maximised and opportunities will be taken.
2.7. In the main, JNCC has adopted an informed cautious appetite for taking
significant risk. EMB has recommended some changes to this position in light
of the challenges facing JNCC in 2015/16. In particular, it is proposed that
higher levels of risk may need to be accepted, for example in back-office
activities and in pursuing funding opportunities. However, it is considered
important to maintain a cautious risk appetite in relation to providing evidence
and advice to governments.
2.8. Further work will be undertaken in the next few months to define risk appetite
categories for different areas of JNCC’s work.
3. Discussion
3.1. JNCC has in place robust governance mechanisms and a system of policies
and procedures to manage risk. It does not operate in an inherently high-risk
environment. However, external factors present substantial risks during
2015/16 and beyond, and this is reflected in the revised significant risk
register (Annex 1a).
3.2. The principal risks facing JNCC in 2015/16 relate to political change (Risk 1)
and funding (Risk 2). These two issues are closely linked and together will
fundamentally affect the environment within which JNCC operates, in the
public sector and beyond.
3.3. Changing political priorities and arrangements (Risk 1) are inevitable and
JNCC has proved in the past to be flexible in its approach to dealing with such
changes as they arise. 2015/16 will bring major political changes, with a
General Election in May 2015, and potential changes in devolution, following
on from the Smith Commission in Scotland and the Silk Commission in Wales.
There will also be significant changes in Northern Ireland, including
restructuring of departments within the Executive.
3.4. Funding pressures (Risk 2) have been a fact of life for several years, and
will continue over the next few years. If anything, reductions in government
funding are likely to have even more significant impact on JNCC’s work in
future, as any potential for stopping low-priority work or making significant
efficiency savings has already been taken. JNCC also faces the challenge of
trying to access new funding sources to deliver the revised strategy.
3.5. Acting together, these two factors have potential to cause major disruption to
most, if not all, of JNCC’s stakeholders (Risk 4), which in turn will affect JNCC
in various ways. They will also interact with implementation of JNCC’s
strategy review (Risk 3) and drive efforts to enhance management capacity
and expertise (Risk 5).
4. Internal audit on risk management
4.1. The risk management area is audited each year and the audit findings are a
key component of the Governance Statement which sits with the Annual
Report and Accounts.
4.2. In November, ARAC discussed the findings from an audit of risk management
and performance reporting within JNCC (see Annex 4). A considerable
amount of change has taken place in both areas over the past year, so
members were pleased to see that substantial assurance had been achieved
at a time when new processes are still bedding in.
4.3. In addition to the comments in the report, KPMG (JNCC’s internal auditors)
advised that they had undertaken a number of similar audits in the past and
the quality of the documentation they scrutinised during the JNCC audit was
the best they had seen.
Annex 1a. DRAFT significant risks register for 2015/16

Risk 1. Poor alignment with changing government priorities and institutional arrangements (UK and devolved administrations)
Risk score: residual likelihood 5; residual impact 4; residual score 20
Cross-reference to corporate risk register: RR1
Action planned by management:
• Early and proactive engagement with governments to identify priorities.
• Flexibility in resource allocation and planning to enable JNCC to respond to changing requirements.
Comments: Main risks are around the General Election and changes to the devolution settlement (Smith Commission, Silk Commission).

Risk 2. Insufficient funding to remain effective in fulfilling JNCC’s role and meeting customers’ expectations
Risk score: residual likelihood 5; residual impact 4; residual score 20
Cross-reference to corporate risk register: RA1
Action planned by management:
• Dialogue with government funders to identify priorities and associated funding.
• Identification and securing of external funding opportunities, building on strategy review.
• Ongoing efficiency savings.
• Improved communications strategy.

Risk 3. Ineffective strategic positioning
Risk score: residual likelihood 3; residual impact 5; residual score 15
Cross-reference to corporate risk register: RR1, Q3, Q4
Action planned by management:
• Complete strategy review and start to implement.
• Engagement with main funders and stakeholders to secure active support for new strategic direction.

Risk 4. Multiple changes to JNCC’s stakeholders (budget pressures, changes in role)
Risk score: residual likelihood 5; residual impact 4; residual score 20
Cross-reference to corporate risk register: RR2, RR3, RR4
Action planned by management:
• Engagement with a wider range of stakeholders to manage relationships, identify opportunities, etc.
• Improved communications strategy.
Comments: Funding cuts across the public sector may provide opportunities for collaboration but also increased competition. Continued existence of some bodies may be threatened by funding cuts.

Risk 5. Insufficient capacity and/or expertise at middle and senior management levels to deal with the challenges of an increasingly complex operating environment
Risk score: residual likelihood 4; residual impact 4; residual score 16
Cross-reference to corporate risk register: RA2
Action planned by management:
• Training and development to equip managers for future challenges, and develop junior managers.
• Phase 2 of structural reorganisation.
• Streamlined recruitment processes.
• Business partnering to provide managers with better information and advice.
Comments: Risk not evenly distributed within JNCC. High turnover less likely to be a serious problem in future, as staff numbers will be reduced.
Annex 1b. Changes to 2014/15 significant risks register

| Risk no | 2014/15 significant risks register: significant risks | Proposed significant risks for 2015/16 |
|---|---|---|
| 1 | Senior management capacity and competence do not keep pace with the challenges of an increasingly complex operating environment | Retained with minor amendments. |
| 2 | A high rate of internal staff turnover causes a high level of vacancies and additional management input to staff recruitment, induction and training. | Not retained. No longer such a high risk. Measures have been put in place to reduce internal staff turnover. The risk is also likely to diminish as JNCC seeks to reduce overall staff numbers in the medium/long-term. |
| 3 | Ineffective prioritisation of effort and assessment of risk as JNCC is expected to deliver demanding work programmes with reduced resources | Not retained. Subsumed within risk relating to funding. |
| 4 | Devolution and changes in legislation and other Government priorities lead to a divergence in approaches and institutional arrangements in different parts of the UK. | Retained with minor amendments. |
| 5 | High turnover in Joint Committee membership and the appointment of a new Chair result in reduced effectiveness of the Joint Committee and its sub-groups. | Not retained. Committee turnover will not be a significant risk in 2015/16. |
| 6 | Greater scrutiny of JNCC’s advice to government, evolving evidence requirements, challenge from NGOs, and government changes to arrangements for prioritising, collecting, communicating and funding evidence. | Not retained. Risks relating to evidence will persist but are generally being managed effectively through JNCC’s evidence quality processes. |
| 7 | Inappropriate data exposure (either intentional or accidental) and general inefficiencies within data use caused by inadequacies in data management practice. | Not retained. New information management policies have reduced this risk. |
| 8 | Ineffective processes and procedures in relation to business continuity. | Not retained. Business continuity procedures are now considered to be robust. |
| 9 | Insufficient funding to remain effective in fulfilling JNCC’s role and meeting customer’s expectations. | Retained. |
| | New risk. | Ineffective strategic positioning. |
| | New risk. | Multiple changes to JNCC’s stakeholders. |
Annex 2. Corporate risk register February 2015

RESOURCE AVAILABILITY AND USAGE
Owner: Sue McQueen

| Risk no | Risk description | Inherent likelihood | Inherent impact | Inherent rating | Residual likelihood | Residual impact | Residual score |
|---|---|---|---|---|---|---|---|
| RA1 | Downward pressure on government funding | 5 | 5 | 25 | 5 | 4 | 20 |
| RA2 | Staff numbers, structure and competencies do not support effective and efficient delivery of current/future work programmes | 5 | 5 | 25 | 5 | 4 | 20 |
| RA3 | Ineffective use of resources (including failure to obtain vfm). | 4 | 3 | 12 | 2 | 3 | 6 |
| RA4 | Major fraud and other losses. | 2 | 3 | 6 | 1 | 2 | 2 |
| RA5 | Failure to meet financial and accounting obligations | 5 | 3 | 15 | 2 | 2 | 4 |
| RA6 | Unsuitability of office facilities | 3 | 3 | 9 | 2 | 2 | 4 |
| RA7 | Poor staff cohesion, morale and motivation. | 4 | 4 | 16 | 4 | 3 | 12 |

Core controls
a) Responsibilities of funding bodies set in governance documents.
b) Relationship management controls.
c) Dialogue with government and other funding bodies to identify priorities and funding requirements.
d) Robust resource allocation, monitoring and management processes.
e) Internal structures and accountabilities that relate resources to priorities and provide necessary controls.
f) Measures to ensure staff are equipped with competencies in resource planning and management.

a) Supportive and encouraging culture.
b) Cross-cutting management groups to improve cohesion.
c) Corporate decisions taken in a timely manner.
d) Effective internal communications.
e) Good line management at all levels.

INFORMATION ACCESSIBILITY AND SECURITY
Owner: Sue McQueen

| Risk no | Risk description | Inherent likelihood | Inherent impact | Inherent rating | Residual likelihood | Residual impact | Residual score |
|---|---|---|---|---|---|---|---|
| IN1 | Inadequate data management practices (leading to loss of data or inability to readily access information) | 3 | 4 | 12 | 2 | 3 | 6 |
| IN2 | IT fraud (including access by hackers and inappropriate use by staff). | 4 | 4 | 16 | 2 | 2 | 4 |
| IN3 | Accidental and deliberate breaches of security of sensitive information by staff | 3 | 3 | 9 | 2 | 2 | 4 |
| IN4 | Failure to meet transparency obligations defined in legislation and government policy | 4 | 3 | 12 | 2 | 1 | 2 |

Core controls
a) Information systems in place to support business needs.
b) Physical/technical security measures.
c) Policies and procedures and associated controls in place.
d) Measures to ensure staff are equipped with competencies in securing and appropriately sharing data and information.
e) Central/searchable storage of electronic data and information.
f) Key datasets documented and responsibility assigned to individuals.
g) Routine risk assessment of HR data.
h) Terms and conditions for third parties (security and access) and routine review of compliance by key partners.
i) Search tool.
j) Good accessibility and effective management of datasets held across JNCC.
k) Sufficient capacity deployed into the network infrastructure to manage both storage and backup for data gathered from marine survey work.
l) Storage and back-up capacity for continuing growth for the short to medium term and centralisation of data and software in relation to the use of GIS.

GOVERNANCE/COMPLIANCE (Miscellaneous)
Owner: Sue McQueen

| Risk no | Risk description | Inherent likelihood | Inherent impact | Inherent rating | Residual likelihood | Residual impact | Residual score |
|---|---|---|---|---|---|---|---|
| GC1 | Ineffective governance at Committee, Company Board and EMB levels | 4 | 4 | 16 | 3 | 2 | 6 |
| GC2 | Failure to comply with employment or health and safety legislation | 4 | 3 | 12 | 2 | 2 | 4 |
| GC3 | Failure to comply with environmental management obligations | 4 | 2 | 8 | 2 | 2 | 4 |
| GC4 | Ineffective governance of work delivered in partnership with other organisations. | 2 | 4 | 8 | 2 | 4 | 8 |

Core controls
a) Clear framework of accountabilities and delegations maintained and reviewed periodically.
b) Measures to ensure relevant groups/individuals have appropriate competencies/access to competencies.
c) Effective administration of all groups.
d) Regular scrutiny of performance reports by executive and non-executive groups.
e) Measures to ensure staff are equipped with necessary knowledge.
f) Policies and procedures and associated controls.
g) Robust auditing of compliance measures to ensure duty of care.
h) Robust partnership working arrangements.

QUALITY OF ADVICE AND DECISION-MAKING
Owner: Paul Rose

| Risk no | Risk description | Inherent likelihood | Inherent impact | Inherent rating | Residual likelihood | Residual impact | Residual score |
|---|---|---|---|---|---|---|---|
| Q1 | Advice provided to Government (or other stakeholders) is based on an inadequate evidence base or is not appropriately quality assured | 4 | 4 | 16 | 4 | 4 | 16 |
| Q2 | Advice provided to Government (or other stakeholders) fails to recognise wider political implications | 4 | 4 | 16 | 3 | 3 | 9 |
| Q3 | Failure to identify major issues affecting the environment | 4 | 4 | 16 | 2 | 3 | 6 |
| Q4 | Delays to decision-making and missed opportunities because too risk-averse | 4 | 3 | 12 | 4 | 3 | 12 |
| Q5 | Failure to deliver services and products of appropriate quality under contract to other organisations | 3 | 3 | 9 | 2 | 2 | 4 |

Core controls
a) Effective engagement with customers for advice to identify priorities, understand requirements and ensure ‘no surprises’.
b) High profile or contentious advice signed off by senior staff or Committee, in line with schedule of delegations.
c) Research, survey, etc. commissioned where necessary to underpin advice.
d) Legal advice sought where appropriate.
e) Recruitment and training ensure staff have appropriate competencies (including up-to-date scientific knowledge for specialist staff).
f) Committee forward programme focused on issues of strategic importance.
g) Effective process of engagement between Committee and staff to consider emerging issues.
h) Ongoing implementation of JNCC's risk management strategy.
i) Implementation and monitoring of evidence quality assurance policies, standards and procedures.

ROLES AND RELATIONSHIPS
Owner: Marcus Yeo

| Risk no | Risk description | Inherent likelihood | Inherent impact | Inherent rating | Residual likelihood | Residual impact | Residual score |
|---|---|---|---|---|---|---|---|
| RR1 | Not being aligned to the priorities of UK Government and devolved administrations, especially in response to rapidly changing requirements. | 4 | 4 | 16 | 3 | 4 | 12 |
| RR2 | Changes to the status or functions of the country conservation bodies or JNCC’s government sponsor bodies | 5 | 4 | 20 | 5 | 3 | 15 |
| RR3 | Lack of clarity regarding JNCC’s role in relation to other government bodies | 4 | 4 | 16 | 4 | 4 | 16 |
| RR4 | Significant loss of co-operation between JNCC and partner organisations | 3 | 3 | 9 | 3 | 2 | 6 |
| RR5 | Loss of impartiality, e.g. through acceptance of inappropriate external funding or strong links to other organisations | 4 | 4 | 16 | 4 | 3 | 12 |
| RR6 | Governments and/or partners lose faith in JNCC’s ability to deliver priority work | 3 | 4 | 12 | 3 | 4 | 12 |

Core controls
a) Strategy, corporate/business plans and project plans agreed with stakeholders and communicated effectively externally and internally.
b) Effective engagement with stakeholders at all levels (Committee and support company).
c) Intelligence on political developments in UK government and devolved administrations.
d) Active engagement in key government reviews and initiatives.
e) Maintenance of a partnership working culture in JNCC, through training, performance management, etc.
f) Flexible approach within the support company, allowing rapid responses to changing circumstances.
g) Robust contract management arrangements.
h) Effective arrangements for engagement with NGOs.
Annex 3. JNCC’s risk appetite
JNCC takes a balanced approach to risk and is committed to managing risks effectively at all
levels in the organisation. We will focus our effort on addressing the significant risks
affecting our ability to achieve the performance measures set out in our business plan for
2015/16 and our longer-term strategic goals, but accept that exposure to some risk is
necessary to enable the effective delivery of objectives.
We will take the action needed to safeguard our assets and resources, meet legal
requirements and comply with our governance arrangements.
We will take appropriate action to ensure that back-office activities are undertaken at the
most cost-effective level, commensurate with the risk to the public purse, employees’ safety
and data security. Given current financial restraints, this will include reducing administrative
controls where we consider they are disproportionate to the level of risk, balancing this by
placing appropriate levels of responsibility, and accountability, for compliance on staff.
Our risk appetite will be increased in relation to potential opportunities to increase the
security of our funding and the reach and utility of our work under our developing strategy.
We will, however, ensure that such decisions are taken at senior levels and with a full and
clear understanding of the risks involved.
We will ensure the standard of evidence and advice we provide is appropriate for its
intended use. The level of evidence quality assurance we apply will be based on the degree
of risk to biodiversity and ecosystems from decisions based on our advice and evidence.
Political and institutional changes, both in Whitehall and the devolved administrations, will
present JNCC with particular challenges, e.g. in leading the development of new areas of
work, building new partnerships and adopting new working practices. We recognise that
these developments will often involve a high degree of risk, and we will manage them
accordingly.
Annex 4
Risk management and Joint Committee performance monitoring
2014-15 internal audit report
Joint Nature Conservation Committee (JNCC)
November 2014
Overall rating: Substantial Assurance

Contents
1. Executive Summary
Appendices
1. Objective one: Results of review of the risk management process
2. Objective two: Results of review of the Joint Committee performance monitoring process
3. Staff involvement and documents reviewed
4. Low Level Recommendations
5. Description of levels of assurance

The contacts at KPMG in connection with this report are:
Tamas Wood, Director, KPMG LLP (UK), Tel: 0207 311 6458, tamas.wood@kpmg.co.uk
Sally-Anne Eldridge, Senior Manager, KPMG LLP (UK), Tel: 0207 311 2146, sallyanne.eldridge@kpmg.co.uk

Reporting
Key stages and dates:
ToR issued: 20/08/14
ToR accepted: 15/09/14
Fieldwork started: 13/10/14
Draft report issued: 05/11/14
Final report issued: 10/11/14

Distribution
To (for action):
• Tracey Quince, Planning Reporting and Review Manager
• Sue McQueen, Director of Corporate Services
• Sarah Harrison, Business Manager
• Sue Bennett, Head of Finance and Planning

This report, together with its attachments, is provided pursuant to the terms of our engagement. The
use of the report is solely for internal purposes by JNCC, pursuant to the terms of the engagement,
it should not be copied or disclosed to any third party or otherwise quoted or referred to, in whole or
in part, without our written consent.
© 2014 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss
entity. All rights reserved. This document is confidential and its circulation and use are restricted. KPMG and the KPMG logo are registered trademarks of KPMG International
Cooperative, a Swiss entity.
1. Executive Summary
Summary of assessment
An assessment of substantial assurance has been made in respect of our risk management and Joint
Committee performance reporting review at Joint Nature Conservation Committee (JNCC) compared to
Management’s anticipated level of assurance of substantial.
JNCC has adequate procedures for the identification of possible risks for inclusion as high level corporate risks
or active significant risks which should be managed most urgently. The ownership of risk is being encouraged
at the Executive Management Board and at the Joint Committee member level through the changes made to
the risk management process in assigning risk areas to Directors. Adequate systems have been put in place to
ensure that these risks are monitored and tracked.
There are adequate procedures in place to compile the Joint Committee reports and actions are appropriately
owned by senior or Director level staff.
We have reviewed the procedures for the monitoring and tracking of risks. These are robust and for a sample
of programmes during 2013/14, we have verified that the reporting process was carried out in line with the
established procedures, training materials and guidance.
Background
JNCC is an executive non-departmental public body of the Department for Environment, Food and Rural
Affairs (Defra). JNCC advises the UK Government and devolved administrations on UK-wide and international
nature conservation. JNCC is led by the Joint Committee, which brings together members from the nature
conservation bodies for England, Scotland, Wales and Northern Ireland and independent members appointed
by the Secretary of State for the Environment, Food and Rural Affairs under an independent Chair.
Effective risk management and governance is critical to the ability of JNCC to achieve its strategic objectives
and manage the risks it faces. JNCC has recently changed its risk management arrangements; these now
comprise three strands:
• a high level corporate risk register, which includes the principal long term / standing risks affecting JNCC;
• an annual risk register capturing a small number of significant risks which are ‘live’ and require attention
during the year; and
• quarterly reporting on programme risks which will be included in the new quarterly reporting pack.
We also considered the timeliness and appropriateness of the information presented to the Joint Committee
and the Executive Management Board (EMB) on performance.
Objectives
The objectives of our review were:

Objective one: Risk Management
Description of work undertaken:
We will review the new risk management processes and will consider how effective
these are and how effective JNCC has been in embedding risk management across
the organisation. Our work will include:
• A review of the risk registers, considering the extent to which the strategic risks
drive the Board and Joint Committee agenda and how those risks are identified,
monitored, controlled and tracked. As part of this we will consider how effectively
JNCC draws together assurances, internal and external, that risks are being
appropriately managed;
• An understanding of how staff are trained in risk management, how risks are
identified, categorised and reported;
• Assessing the connection between the day to day management of risks and the
risk register; and
• The arrangements in place to ensure the Annual Governance Statement is an
accurate and evidence-based statement by the accounting officer.
As part of this we will draw on our experience of working with other organisations to
make suggestions for improvement to the risk registers.

Objective two: Quarterly performance reporting to the Joint Committee
Description of work undertaken:
It is vital that the Joint Committee have appropriate oversight of the organisation’s
performance and are able to challenge individuals where necessary. We will consider
the effectiveness of JNCC processes. In particular we will focus on the quarterly
performance report to the Joint Committee:
• We will review the timeliness and appropriateness of the performance information
presented;
• We will consider management’s arrangements for assuring the data that informs
these reports; and
• We will also consider EMB decision making processes and outcomes, actively
following through to the schedule of delegations.
Areas of good practice
• There is evidence of risk ownership spanning the organisation from programme leaders to the Joint
Committee, which is actively reviewed and drives the discussion of the JNCC.
• There is detailed evidence of monitoring and ongoing review of controls relating to risk management.
• The assurance processes regarding risk involve cross-membership of the JNCC and the audit and risk
assurance committee (ARAC) to provide a more joined up approach to risk management.
• Up to date and relevant training is provided to each of the programme leaders.
• The entity is able to evidence multiple layers of high level review of the annual governance statement.
Recommendations raised
We have not raised any high or medium priority recommendations. Low priority areas for development have
been raised within Appendix 4 for management consideration. No management response is required on these.
Acknowledgement
We thank your staff for their assistance during our review.
Appendix One
Results of review of the risk management process
The JNCC has recently undertaken a significant piece of work to review and redesign its risk management
processes to make a clear distinction between corporate risk and significant risk impacting the organisation.
The key risks in this area are that there are inadequate procedures to identify possible risks, monitor and track
actions to mitigate risk, that there is inappropriate or out of date guidance and training provided to staff and that
risk registers have no impact on the day to day management of risk.
Below we have documented each stage of the process for the risk management. We have provided an
assessment in the context of the risk assessment process and recognised best practice.
Stage
Processes
How risks
for the
corporate
and
significant
risk registers
are
identified,
monitored,
controlled
and tracked.
There is a high-level corporate risk register which closely resembles the old
style corporate risk register and this describes what has been identified by
the JNCC as higher level and constant risks which impact the organisation.
It is split into five areas of risk each with a director taking ownership of the
risk area:
- Resource availability and usage;
- Information accessibility and security;
- Governance/compliance;
- Quality of advice and decision-making; and
- Roles and relationships.
The corporate risk register makes use of a 5 by 5 risk matrix before and
after key controls to mitigate are applied. This document is not intended as
an active risk register to drive risk management on the day to day basis.
The main means of identification, monitoring, control and tracking occurs
through the significant risk register. The main sources of risk identification
occurs when the annual governance statement is drafted for the year and is
subject to a quarterly review. The second source of risk identification
comes from the programme level risks which are communicated by the
programme leaders to Directors who will then report them at a corporate
level through the EMB. In this way those risks considered to be most
immediate are included within the significant risk register
Assurance
gained by
the JNCC
that risks are
being
managed
The significant risk register also keeps track of progress made to mitigate
each risk and is the main document to monitor risk within JNCC. The
significant risk register is reviewed quarterly by EMB, ARAC and the Joint
Committee.
Minutes of the JNCC identified that the committee had received an oral
update stating that risk management should be the priority for both ARAC
and the Joint Committee and that there would be two members of the Joint
Committee on the ARAC. This provides the JNCC with a greater insight
and assurance into the risk management through cross committee
membership.
In addition to this we identified that risk is a recurring agenda item at
meetings of the Joint Committee, EMB and the ARAC which is evidenced
as being subject to thorough inquiry during the meeting. This level of
reporting has seen enhanced focus from the JNCC through the new and
updated risk management process in place.
Risk management is covered within the annual governance statement
which makes up a key part of the annual report which is subject to external
review by the NAO.
It was verified through collaborative inquiry that the JNCC does not
currently note any sources of external assurance for the management of
risk. However, our review of the reporting outputs has identified that the
JNCC remains open to, and aware of, new sources of assurance to support
the assurance framework for risk management.
Assessment of the design of the process
Our review of the corporate risk register identified that it contains all
components recognised as best practice to be included.
One weakness in the significant risk register was identified: the actions to
be completed to mitigate risk are not specifically time bound to months for
completion. This undermines the ability to track and monitor the progress to
mitigate risks. This issue was identified by the ARAC in September and at
that time management agreed to action. (Recommendation 1)
Minutes to the JNCC contain a detailed summary narrative to support the
appendices containing the risk register. This could be enhanced by including
summary dashboards and graphical analysis such as graphs for each quarter of
the number of red, amber and green risks, direction of travel and trend
analysis.
The risk register could be enhanced by including other sources of assurance
relating to the risks. (Rec 2 & 3)
© 2014 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss
entity. All rights reserved. This document is confidential and its circulation and use are restricted. KPMG and the KPMG logo are registered trademarks of KPMG International
Cooperative, a Swiss entity.
Appendix One
Results of review of the risk management process
Stage
Processes
Training and guidance provided to those involved in risk management
Our field work identified that there have been two specific training
sessions for programme leaders, who are the individuals at JNCC who
are responsible for day to day management of risk relating to the
programmes and who also are a key source of identifying risk that
could be included within the significant risk register.
Day to day management of risks.
Risks are managed by a director who will feed back to the ARAC and
the JNCC on the risk through the programme level risks that are
identified through the day to day management.
In addition to this each programme leader receives a guidance
document to aid them in the day to day assessments and the reporting
processes that are to be followed.
This occurs through the reporting document that is completed on a
quarterly basis for the JNCC; this document contains both performance
outcome and risks associated with the programme. This, coupled with
the quarterly meetings that are held with the director and programme
leader, allows the director to perform an assessment of the risks
impacting the programme on a day to day basis.
Assessment of the design of the process
Our review of the design and implementation of the training and guidance
provided to individuals was that it was sound and contained appropriate
content in line with our understanding of the risk management process.
Our review of the design and implementation of the processes relating to day
to day management of risks found them to be sound and appropriate.
As a part of the quarterly reporting the directors receive a briefing on
the finance issues impacting their programme areas which will link to
risks of delivery due to funding.
Compiling the annual governance statement
To ensure all risks impacting programmes are captured each director
will have a meeting with key members of the corporate team to discuss
programme risks, facilitating cross area risk identification between
directors.
Each director compiles their annual assurance statement covering their
area of work. In each case this includes the following:
- A short scope of responsibility which details the nature of the
review;
- A review of effectiveness which includes a positive statement of
assurance where applicable;
- A review of significant internal control issues, including reflecting on
the prior year and highlighting emerging issues for the coming year;
- Detail of the significant risks that are identified;
- Wider issues and other risks; and
- Potential contingent liabilities.
Our review of the design and implementation of the processes relating to the
compilation of the annual governance statement found them to be sound and
appropriate.
The annual assurance statements go through an extensive multi tier
review starting with the Planning Reporting and Review Manager and
ultimately the EMB and evidence of this review is retained.
Appendix Two
Results of review of the Joint Committee performance
monitoring process
Below we have outlined JNCC’s procedures for carrying out Joint Committee performance reporting and
monitoring. We have assessed the adequacy of the design and efficiency of each stage of the process, within
the key risks faced by JNCC in the process. The key risks identified are that:
- The processes as followed by JNCC are not fit for purpose and result in inadequate challenge by the Joint
Committee due to a lack of timeliness and appropriateness of information presented; and
- Actions taken by the EMB are performed by members of staff outside of the scheme of delegation.
We have also verified that the established procedures cover all aspects of the performance monitoring
process.
We have performed procedural testing for a sample of actions delegated to members of staff by the EMB
against the scheme of delegation, for which the results are given below. The sample selected consisted of all
actions delegated during the July meeting of the EMB. These were selected on the basis of the level of risk of
non-compliance with the scheme of delegation given the new risk management processes that have been
developed and adopted.
Stage
Processes
Assessment of the design of the process
Results of testing of the process
Joint Committee performance reporting
For each reporting period (quarterly)
there is a timetable for reporting that
provides guidance and details for each
of the stages that the reporting process
is supposed to follow. This clearly sets
out what actions are to be completed by
which members of staff.
It was identified that the programme structure of the JNCC is to be subject
to review which may alter the make-up of work that is completed by the entity.
We reviewed two programme reporting schedules and found that these were both
appropriately completed. These were both completed and loaded into the final
report in a timely manner allowing adequate time for review whilst maintaining
the timeliness and appropriateness of the data. This data was time stamped as
completed on 2/07/2014 and reported at the 18/09/2014 to the JNCC. This is
the quarter 1 data presented to the EMB at 31/07/2014.
The reporting process is manual with
automated components. This reporting
process involves each programme
leader having to access a spreadsheet
for their programme and completing the
required reporting topics. This includes:
- Project targets (set at the start of the
project as fixed outputs);
- Indicating progress against target,
risks and any changes or comments in
quarter (a cumulative of year to date is
reported on using milestones as a
means of judging progress);
- Performance against priority
performance measures which are the
main external reporting measures that
the JNCC reports; and
- Programme risk profiles (which links
current corporate and strategic risk
indicators to in quarter issues raised by
programme leaders).
These are completed and the document
is uploaded through to a word format
for any specific format editing or review
as required at Director level and by the
Planning, Reporting and Review
Manager.
There currently is no built in review of the reporting structure as a part of
the annual planning process to verify that the reporting structure is still
suitable. (Recommendation 4)
The report contained information on:
- Project target performance;
- Priority performance measures (PPMs);
- Overall assessment of risk for this programme; and
- A summary of agreed objectives, PPMs and Milestones.
We reviewed the measures to be included and found measures included in the
programme reporting schedules to be robust and comprehensive covering all of
the key measures the JNCC is required to report on.
Information contained in the report is
informed by the Director briefings
which contain a summary of the key
issues including the risks across the
programmes.
The integrated performance report
also includes headline financial and
HR information.
Data Assurance
Data is assured through the levels of peer review that are included within
the process. There is also a specific timetable that sets out the dates by
which the key stages of reporting input (from programme leaders), review (by
directors and key corporate personnel) and output (by the planning, reporting
and review manager) are to take place to assure the timeliness and relevance
of data.
Our assessment of the design and implementation of the data assurance process
found that it was sound and contained appropriate levels of review and
structure to assure the quality of data.
Executive Management Board (EMB) decision making and outcomes recording
The Executive Management Board receive a quarterly set of papers for their
meetings; the process by which the content for these is compiled has been
detailed above. These are received by EMB for consideration before going to
the Joint Committee.
Our assessment of the design and implementation of decision making and action
delegation was that it was sound and contained appropriate content.
Decisions and actions are made at the Executive Board Level and recorded
through the minutes of these meetings. The minutes are very concise; they do
not give a flavour of the discussion at the meeting but provide a clear
summary of the actions coming out of the meeting.
Of the two quarter one programme level reports reviewed, we identified
through time and date stamping that both were completed on 2 July in line
with the reporting timetable. This information was used in two versions of
the EMB Board report reviewed by the auditor. The first was given to
Directors for review and discussion with the Planning, Reporting and Review
Manager before the second, which was the final version issued to the EMB;
this evidenced the multi-tier review. This was issued for the EMB meeting on
31 July for the quarter ended 30 June.
We reviewed the most recent minutes from the July meeting of the Executive
Management Board; the delegated actions documented were compared and found to
be in line with the scheme of delegation for the JNCC.
However, it was found that the minutes do not contain sufficient detail of
the EMB decision making process. (Recommendation 5)
Actions that are taken are
delegated to specific individuals
and these are recorded through the
minutes through a table of actions,
which is then used to track and
monitor the progress against
identified actions.
Appendix Three
Staff involvement and documents reviewed
We met with stakeholders to inform this work, including:
Stakeholder (Job Title):
- Tracey Quince (Planning, Reporting and Review Manager)
- Sarah Harrison (Business Manager)
Documents reviewed
During our testing, we reviewed the following documents:
■ Programme level reporting schedules;
■ Corporate risk register;
■ Significant risk register;
■ Directors assurance statements;
■ Executive Management Board minutes;
■ Evidence and Advice briefing for Directors;
■ Scheme of Delegation;
■ Quarterly reporting guidance;
■ Annual governance statement;
■ Audit and Risk Assurance Committee minutes;
■ Training packs for programme leaders;
■ Programme risk profile guidance;
■ Quarterly outturn instructions;
■ Quarterly risk management process;
■ Timetable for reporting; and
■ Salaries monitoring document.
Appendix Four
Low Recommendations
This section summarises the areas of good practice that we have identified from our work.
Recommendation 1: Time bound actions to mitigate risks
Risk: Low Priority
Issue of design
The Strategic risk register contains details of actions to be taken to mitigate identified risks.
However not all actions are time bound and there were no instances that were specifically
time bound by more than the financial year.
The JNCC should consider including specific time frames for completion of action to provide
enhanced accountability to risk mitigation.
Recommendation 2: Summary enhancements to Board reports
Risk: Low Priority
Issue of design
Our review of the quarterly reports submitted to the EMB and JNCC found them to be sound
and containing appropriate information. Enhancements to the reporting could be secured
by including summary dashboards and graphical analysis such as graphs for each quarter
of the number of red, amber and green risks, direction of travel and trend analysis.
Recommendation 3: Assurance mapping
Risk: Low Priority
Issue of design
Our review of the risk register noted that management did not include references to other
sources of assurance relating to the risks. Discussions with officers suggest that they
consider other sources of assurance; these should be added to the risk register as
appropriate.
Recommendation 4: Ongoing review of reporting structure
Risk: Low Priority
Issue of design
There should be a specific and inbuilt review of the reporting structure completed on an
annual basis.
The JNCC is to undergo a review of its programme structure which may significantly alter
the nature of work programmes that the JNCC undertakes.
The JNCC should review its reporting structure as it reviews its business objectives and
working programmes to ensure that reporting remains fit for purpose.
Recommendation 5: Minutes of Executive Management Board (EMB)
Risk: Low Priority
Issue of operation
The minutes of the EMB contain detailed actions that are to be taken and by whom; however,
they lack sufficient detail for an assessment of the decision making process to be made
using the Board minutes.
The EMB should review the level of detail that is included in minutes to ensure a clear
documentation of decision making is recorded.
Appendix Five
Description of levels of assurance we provide
We have used the following as the basis of the levels of assurance that we provide you with (although it should
be noted that these represent an indicative approach as the overall assurance provided is a matter of
professional judgement).
These are the assurance levels preferred by the Government Internal Audit Service and adopted by Defra
Shared Audit Service from 01 April 2014.
Levels of assurance
Level, colour, and assurance opinion on the overall adequacy and effectiveness of the
framework of Governance, risk management and control in the auditable area:
- Substantial (Green): The framework of governance, risk management and control is
adequate and effective.
- Moderate (Yellow): Some improvements are required to enhance the adequacy and
effectiveness of the framework of governance, risk management and control.
- Limited (Amber): There are significant weaknesses in the framework of governance, risk
management and control such that it could be or could become inadequate and ineffective.
- Unsatisfactory (Red): There are fundamental weaknesses in the framework of governance,
risk management and control such that it is inadequate and ineffective or is likely to fail.