Quarter 1 review of risk management 2024-2025
The purpose of this report is to review the changes to risk management in SEPA from April 2024. This report is a look back and sets out the shift in approach to effectively manage risk in SEPA.
Our nine draft risk appetite statements, one for each of our current principal risks, are being submitted to the Agency Board for approval at this meeting.
The Agency Board is asked to approve the risk appetite statements set out in appendix 1 to this report.
Katie Cairnie, Senior Business Consultant.
Kirsty-Louise Campbell, Chief Officer Governance, Performance and Engagement.
Date: 20 September 2024
1. Introduction
1.1 In April 2024, we began work to review and reset our strategic approach to risk management. We now have a set of guiding principles for risk management, a risk vision statement, and a principal risk register containing nine strategic level risks for SEPA.
1.2 In addition, we have drafted and engaged with board members on a set of risk appetite statements, one for each of the nine principal risks, to be approved by the Board.
1.3 While we have been conducting our strategic review, we have also kept the current risk process going to ensure that we do not lose sight of the risks we are managing while we work to put a new process in place. The operational risks contained in the corporate and workstream risk registers will be reviewed and redistributed among the new operational risk registers through the workshops that we are currently undertaking with Portfolio Management Teams.
2. Strategic review of risk management
2.1. Risk vision and guiding principles
On 1 May 2024, we held the first of three workshops with the Corporate Leadership Team (CLT). The purpose of this workshop was to reposition risk in SEPA by:
- Enabling CLT to design and develop a fresh approach to effective risk management for SEPA;
- Establishing a joined-up approach to risk management by connecting risk to strategy and performance;
- Defining a clear common vision for risk management that helps enhance the risk culture across the organisation;
- Agreeing a set of guiding principles which enable and support the role of risk management, its purpose and approach; and
- Linking the risk vision to supporting SEPA’s strategic direction.
Following the in-person workshop, a draft risk vision statement and guiding principles document was circulated. These were reviewed and agreed by CLT before being presented to the Audit and Risk Committee for feedback at their workshop on 11 June 2024.
SEPA’s risk vision statement
The Scottish Environment Protection Agency’s vision of Risk Management is to maintain a strong and responsive risk culture, protect our assets through continuous improvement, and enable SEPA to achieve our objectives to protect and improve the environment.
SEPA’s guiding principles for risk management
- A structured, consistent and proactive approach to risk management, within the scope of the 3 lines of defence, that captures early risk signals, sets out a proportionate and timely response that enables effective action.
- There is clear risk ownership and accountability. We are responsible for risks that impact on achievement of our objectives and have a shared responsibility over the broader landscape of risks facing SEPA, that are within our control.
- Risk management is positioned around a growth and value creation mindset, empowering our people to act with autonomy and effectively within our risk appetite.
- Risk management informs budgeting and planning cycles, with past learnings helping to improve operational resilience and performance.
- Calculated risk-taking, aligned with our strategic ambition, is informed by the right science, evidence and management information, at the right time and in the right format.
- Risk management governance, processes and methodology make clear our role and responsibilities – to our stakeholders, our people, our partners, our government, and society.
- The risk framework is responsive to policy changes and enables continuous improvement.
- Risk culture empowers SEPA’s ways of working, enabling a learning culture.
2.2. Principal risks
The second in-person workshop with CLT took place on 29 May 2024. The focus of this workshop was to agree the top strategic risks for SEPA. Prior to the workshop, CLT members were asked to complete a survey briefly describing the top six strategic risks which may have an impact on SEPA achieving its strategic initiatives/objectives. The survey responses were collated and reviewed at the second workshop, where they were refined and a CLT risk owner identified for each risk, before being presented to the Audit and Risk Committee for feedback at their workshop on 11 June.
SEPA’s principal risks 2024-2025
- Strategic direction is not focused and agile enough to adapt to political and policy changes which impact SEPA’s ability to deliver on its purpose and duties.
- Pace, scale and scope of transformation impacts our ability to deliver in an evolving environment.
- Inability to influence the pace and direction of policy change impacting SEPA’s ability to proactively/effectively perform its duties.
- Health and safety incidents and hazards limit SEPA's ability to operate, compromising work environments and leading to harm.
- SEPA’s data and evidence does not enable efficient and effective delivery of statutory duties.
- SEPA is given additional duties without adequate additional funding.
- Inadequate protection of the technology and Information Governance landscape leads to reduced defences against cyber-attack, loss of systems and/or loss of confidential data.
- Inability to attract, retain and develop core skills impacting SEPA’s ability to deliver on its strategic objectives.
- Organisational capability and capacity are not able to deliver on SEPA’s objectives effectively and efficiently.
Following agreement of the principal risks, the owner(s) for each risk had a one-to-one session to complete a risk dashboard which details for each risk:
- Risk title
- Risk owner
- Risk Category
- Potential causes
- Potential consequences
- The existing risk mitigating controls
- Proposed risk mitigating controls
- The inherent risk score (before considering the impact of any controls); and
- The residual risk score (after controls have been considered and factored into the end rating).
Board feedback at the recent strategy highlighted some key areas for future consideration. This was focused on plain language and potential gap areas such as how we embed reputational considerations and our regulatory approach. These considerations are being factored into the first review of the principal risks. Going forward, the risks and related dashboards will be kept up to date and will be reported on throughout the year to the Audit and Risk Committee. We will also undertake an annual programme of ‘deep-dives’ on each of the principal risks.
2.3. Risk appetite
The third and final in-person workshop with CLT was held on 30 July 2024; the purpose of this workshop was to draft a set of risk appetite statements that aligned with each of the principal risks.
The draft risk appetite statements were then shared with the Agency Board for feedback at their workshop on 3 September. Updates following that session were then shared with the Audit and Risk Committee on 9 September. The risk appetite statements were then circulated to Board members for further discussion and feedback. The final draft can be found in appendix 1.
These are being presented for approval by the Agency Board.
2.4. Portfolio risk registers
The next stage of our journey to reset risk in SEPA is to update our operational risk registers in line with the work we have completed on the principal risks. We have scheduled a series of six workshops: one for each of our five portfolio management teams, and a sixth with senior leaders and managers from across SEPA to help us develop our information risk register and ensure we are complying with the requirements in that area. These workshops, which will be run in the week commencing 23 September 2024, are designed to help us identify, assess, and manage risks effectively, ensuring that our operations remain robust and resilient.
In advance of these workshops, we will be engaging with senior leaders to discuss the processes in their areas and any associated risks. To prepare for these meetings, we have advised senior leaders to have a discussion with their own leadership teams to get their insights to feed into their one-to-one discussions.
The outputs from these workshops will be:
- Operational risk registers for each of the five portfolios, and an information risk register, which identify and document each risk and its mitigating controls.
- Agreed risk ratings for all risks, in line with the agreed methodology already used for the principal risks.
- Documented Key Risk Indicators (KRIs) for all high risks.
- Operational risk registers mapped to the nine principal risks.
The operational and information risk registers will be presented to the Corporate Leadership Team and Audit and Risk Committee via the quarter two review of risk management at their meetings in November (CLT) and December 2024 (ARC).
Next steps
We are in the process of recruiting a Risk and Audit Manager who will work within the Governance, Performance and Engagement Portfolio. This role will play a fundamental part in developing our risk management framework and culture which will help drive forward and embed the changes to risk management in SEPA.