Annual Review of Risk Management 2023-2024
The purpose of this report is to set out the Annual Review of Risk Management for 2023-2024. This report is a look back and sets out the management of risk in SEPA during this period along with details of the specific risks that were managed and monitored corporately at this time.
This report should be considered in the context of the significant changes to our approach to Risk Management that have been initiated since financial year end. This includes a strategic reset of our risk management framework, including the:
- development of a clear common vision for risk management that helps enhance the risk culture across the organisation and supporting SEPA’s strategic direction;
- agreement of a set of guiding principles which enable and support the role of risk management, its purpose and approach;
- creation of a set of strategic/principal risks for SEPA; and
- consideration of SEPA’s appetite to risk and tolerances.
Our new strategic risk approach was considered by the Audit and Risk Committee in a session following their meeting on 11 June 2024. The revised risk profile sets out the current Corporate Leadership Team (CLT) view of risk, and a range of further work is underway to embed a new framework within SEPA and support the related cultural change.
In previous years, this report covered the calendar year January to December. In February 2024, the decision was taken to re-align this report with financial year end reporting, so this report covers the 15-month period from January 2023 to March 2024.
SEPA’s corporate risk register is updated quarterly and reviewed by the CLT, and the Audit and Risk Committee.
The Annual Review of Risk Management 2023-2024 provides an update on the steps SEPA has taken to formally manage our risks over the previous year.
The Agency Board is asked to review and note the Annual Review of Risk Management 2023-2024.
Kirsty-Louise Campbell, Chief Officer Governance, Performance, and Engagement
Katie Cairnie, Business Strategy
14 June 2024
1. Introduction
1.1 In this report, we provide an update on how SEPA managed risk over the period from 01 January 2023 to 31 March 2024. We include a summary of the risks which we have added, amended and removed from the corporate risk register. We also detail some of the key risks that were highlighted in top risk reports for 2023 and measures that SEPA have put in place to reduce the impact of these on the organisation.
2. Background
2.1 The risks on the corporate risk register are reviewed and updated quarterly by the risk coordinator. A report on the most recent updates to the register and the risk management process, including a dashboard risk register, is compiled and reviewed quarterly by the Corporate Leadership Team and the Audit and Risk Committee, and annually by the Board.
2.2 We have a risk register for each of the current workstreams (Flooding, Organisation and Regulatory) as well as for the Systems and Information Programme Board. There is a dedicated risk coordinator for each, and these registers are reviewed, and new risks assessed, at each of the coordinating workstream management meetings.
2.3 Since year-end, we have initiated significant changes to our risk management framework. These are outlined below (section 4.3). It is important to note that this review provides an overview on how SEPA managed risk in accordance with the risk management process in place during the period of this report.
3. Overview of the corporate risk management process
3.1 Risks can be raised by all colleagues as well as Senior Leaders, the Corporate Leadership Team, Audit and Risk Committee and the Board. Potential risks may also be raised via internal audit findings.
3.2 Once a risk has been identified it is profiled, scored and added to a risk register. The register that a risk will sit on is dependent on the score. Risks that score 16 or above or have an impact score of 5 are added to the corporate risk register. Risks that score below that are added to the relevant Workstream risk register. All actions to mitigate risks are completed by the person or team responsible for that area of work and progress is reported via the update section on each risk card by the risk coordinator, who is usually a Senior Leader.
3.3 Once all of the actions that we can take to mitigate a risk have been completed, the risk score is reassessed, and the decision is made either to continue treating the risk or to tolerate it if the target score has been achieved. Some risks have target scores that would still put them in the bracket of being managed at the Workstream risk register level. These risks usually have an element of likelihood or impact that is outwith our control, for example, human error, or reliance on a customer or partner to complete actions.
4. Annual Review
4.1 Risk Management Goals 2023-2024
We set out our approach to risk management in a risk management handbook. We produced the handbook in 2018. We complete a full review of the handbook annually and any significant changes to the process are updated as required. The last annual review was completed in 2023. Each year we agree a set of goals for risk management for the financial year ahead. The goals for 2023-2024 are listed below:
- Build capability in risk management through mandatory training.
- Ensure risk consideration is built into the Annual Operating Plan and Corporate planning processes.
- Consider SEPA’s risk appetite for key areas of work.
- Strengthen our approach to information and cyber risks.
- Use SharePoint to increase visibility of the risk management process for all colleagues.
4.1.1 2023-2024 Goal updates
The risk management SharePoint intranet pages were launched at the end of June to help increase visibility of the risk management process. The launch was communicated to all colleagues via the latest news and updates section on the home page of the intranet. The pages include information, guidance and tools to help colleagues identify, manage and escalate risks.
The risk management training for 2023 was planned and we intended to follow the same format as the voluntary training that was launched in 2022. The 2022 training was based on the top ten operational risks that were identified in expert risk reports. It was made available to colleagues via our E-Learning platform, Discover. Following feedback from the senior managers involved in the creation of the 2023 training, we concluded that a review of training requirements for different areas of responsibility in risk management is required. A more comprehensive training plan will be developed and delivered in 2024-2025. Bespoke advice for all colleagues remains available from the Business Strategy Team in Governance, and Workstream risk register coordinators.
There were four main information risks identified as part of the modernising information project. Two of these risks are already being managed through the corporate risk register. A risk on managing information is being managed through the Organisation Workstream and work is ongoing to consider and profile the fourth risk around proactive publication of data.
We have published our 2024-2027 Corporate Plan and the 2024-2025 Annual Operating Plan. Risks to delivery were considered as part of this work. A workshop on risks to the delivery of the Corporate Plan was held with the Agency Board on 6 September 2023. A strategic review of risk is currently underway; risk experts from BDO are running a series of three workshops over the first quarter of 2024-2025.
As part of our strategic review of risk in early 2024-2025, a workshop will be held with the Corporate Leadership Team and Board to define SEPA’s risk appetite. Facilitated by risk experts from BDO, the outputs of this will include a set of risk appetite statements aligned to a specific area. Many of our internal processes and procedures, however, do already have strict limits on our appetite for risk in those areas. For example, we have zero tolerance for risks to the Health and Safety of colleagues, and this is clearly set out in our Violence and Aggression Policy, and our Standing Financial instructions set out clear thresholds for expenditure, purchasing and procurement.
4.2 Changes to risk management
After receiving feedback from the Audit and Risk Committee and the Chief Executive, we also made some changes to improve the format of the risk register for the June half year report. We included a summary risk table detailing: the risk number and title; the risk coordinator; the date the risk first appeared on the corporate risk register (date raised); the initial risk score; the risk scores over the last 4 quarters; a summary of the mitigating actions; and the target risk score.
Following these changes, it was agreed by both the Corporate Leadership Team and the Audit and Risk Committee, at their meetings in September, that the information contained in the new risk summary table is sufficient assurance that risk is being well managed. Therefore, the detailed risk cards have been removed from the quarterly report and will only be presented if: a. they are new risks; or b. the score of a current risk has been increased.
4.3 Risk management look ahead
We are carrying out a strategic review of risks with the Corporate Leadership Team and the Board. This will include consideration of our risk appetite and tolerance. A series of three Corporate Leadership Team workshops have been arranged with risk experts from BDO. The objectives of the first workshop, taking place on 01 May are:
- Corporate Leadership Team to understand and re-position risk for SEPA;
- To establish a joined-up approach to risk management, connecting risk to strategy;
- To define a clear common vision for risk management that helps enhance the risk culture across the organisation;
- To agree a set of guiding principles which enable and support the role of risk management, its purpose and approach; and
- To link the risk vision to support SEPA’s strategic direction.
At the second workshop, scheduled for the end of May, we will agree the top principal/strategic risks for SEPA. We will provide an update on the outputs from the first two workshops at the Audit and Risk Committee meeting on 11 June. The third workshop will focus on determining SEPA’s risk appetite and developing a series of risk appetite statements.
- An internal audit of SEPA’s risk management process is currently scheduled for quarter 3.
- We will consider and share options to embed risk most effectively within SEPA, including consideration of the role of the Risk Management Group.
- We will complete our annual review and update of our risk management approach and include new goals for 2024-2025.
- We will carry out a review of training requirements and put together a comprehensive training package to be launched in 2024-2025.
- In January, the World Economic Forum published the Global Risks Report 2024. This report focuses on rapidly accelerating technological change, such as artificial intelligence enabling a rise in the spread of false information and misinformation, economic uncertainty, the climate crisis and a rise in conflict. As in previous years, most of the highest impact long term risks, perceived to happen in the next five to ten years, are environmental (four of the top five). For a summary of the top global risks and what we have done to minimise their impact on SEPA, see section 5 on strategic risks below.
- We will also continue to review other reports from risk expert organisations to identify any gaps on our corporate risk register.
5. Managing strategic risk in SEPA
5.1 The Global Risks Report
Each year in January, the World Economic Forum publishes the results of its Global Risk Perception Survey via its annual Global Risks Report. In the January 2023 report, it outlined five major areas of risk for the year ahead; these were: the cost-of-living crisis; economic downturn; economic warfare; climate action hiatus; and societal polarisation. It also issued a mid-year update via its podcast in which it highlighted the growing interest in artificial intelligence and the risks and opportunities associated with its use.
In SEPA we manage strategic risks by ensuring that we have policies and procedures in place to help reduce the impact of these risks on SEPA if they do happen. We also use a mixture of training, exercising and communication to ensure that colleagues are aware of potential impacts, and they are aware of the policies and procedures that are in place. Here we provide some examples of the potential impacts of these six risks and the measures that we have in place to reduce the impact on SEPA.
5.2 Cost-of-living crisis
The cost-of-living crisis was described in the 2023 report as ‘the most severe global risk over the next two years’ by respondents to the Global Risk Perception Survey. The impacts of this risk include interest rate hikes and inflation (especially of food and energy) which could lead to increased household debt, increased stress-related absence and a potential increase in instances of fraud, bribery or corruption and non-payment of charges.
To help combat these impacts, we have an anti-fraud, bribery and corruption policy which includes: details of the responsibilities of managers, colleagues and different departments in SEPA where these vary from the general responsibilities; the reporting process; the role and details of the Fraud Response Officer and the Fraud Response Group; our fraud response plan; the review process; and our responsibilities in relation to the National Fraud Initiative in Scotland. We have a range of schemes and services in place to help colleagues deal with the personal impacts of the cost-of-living crisis, including an employee welfare scheme provided by Health Hero with a dedicated intranet page containing further information, support and links to specific advice. In addition, our recent pay offers have included several additional benefits for colleagues to help them manage their finances, including partnering with AVC Wise to provide advice on Additional Voluntary Contributions; membership of the Edenred savings platform; a Scottish Government backed work and save initiative; and access to interest free loans to purchase public transport season tickets. We also offer payment plans to customers to help reduce instances of non-payment of charges.
5.3 Economic downturn and economic warfare
Although these risks are separated in the Global Risks Report, the potential impacts on SEPA are similar. Impacts on SEPA of the economic risks could include budget cuts (fiscal planning); increased supply chain costs; shortage of essential supplies; energy shortages (black start events); and increased energy bills.
To help reduce the scale of these impacts on SEPA we have several measures in place to enable us to manage our finances well: we produce detailed annual financial plans and high-level and medium-term financial scenarios; we have monthly liaison meetings with the Scottish Government; we have detailed budgets, and we produce monthly financial monitoring reports. To ensure resilience in our supply chains we have access to tools to monitor the financial standing of companies and organisations that we have contracts with. The Scottish Government has also produced a guidance document on managing risks associated with supplier failure and we follow the advice set out in that.
As indicated in the cost-of-living crisis section above, there is a potential risk of non-payment of charges from customers and we offer a payment plan to customers to help reduce the risk of this happening.
A major part of risk mitigation is making sure that we are ready to respond in the event of one of these risks being realised. As part of our testing and exercising programme run by our resilience team, we have included black start exercises with the Corporate Leadership Team and have produced guidance and tools for use in the event of this happening.
5.4 Climate action hiatus and societal polarisation
In line with previous versions of the Global Risks Report, environmental risks and, in particular, the impacts of climate change feature heavily in the top ten short-term and long-term risks. This has culminated in the failure to mitigate climate change risk being ranked as one of the most severe risks in the short term. In terms of impact on SEPA, the risk of being seen to not be doing enough to mitigate the impacts of climate change could result in the final risk highlighted in the 2023 risk report, societal polarisation, with the potential for demonstrations and protests from disgruntled sections of the public.
To ensure that SEPA as an organisation moves forward with actions to mitigate climate change, we have several things in place. In 2022, we revised and published our Regenerative SEPA Routemap, which outlines our goals and targets along with the approach, strategy and principles we have put in place to help us achieve them. We have rolled out an accredited Carbon Literacy Training programme which is available to all colleagues. More recently, we have embedded climate change into our priorities for the 2024-27 Corporate Plan, notably on net zero and climate resilience. We also have detailed actions outlined in our 2024-2025 Annual Operating Plan.
Externally, in partnership with the Met Office, we have launched a three-day flood forecast to give communities advance notice of potential flood events to give them time to prepare and put their own mitigations in place. We also continue to work with Local Authorities to plan and launch regional flood warning schemes.
In the event of potential disruption caused by societal polarisation we have a number of procedures and tools in place to minimise the impact on customers and colleagues.
5.5 Artificial intelligence
In its podcast in October, which discussed the 2023 report six months on, the World Economic Forum highlighted artificial intelligence (AI) as an emerging risk in 2023. In recent years, there have been major developments in the world of generative artificial intelligence, for example, ChatGPT. These generative AI tools have started being used more widely and, although they create fantastic opportunities, there are also some major risks that need to be considered before we are able to use them safely in SEPA.
To make sure that we are able to safely take advantage of the opportunities afforded by this fast-growing technology, we have set up an Artificial Intelligence working group comprised of experts from our Information Services, Information Governance and Legal teams, to work through the privacy, security and data protection implications of using a generative AI tool in SEPA. We have given guidance to colleagues and are developing a Generative AI policy based on the government's lead document and, pending a successful outcome of the review of 'Microsoft CoPilot', we will be initiating a controlled trial of the technology amongst a subset of users to further assess it. This will help us gather a body of evidence as to the technology's risk, usefulness and applicability to SEPA's environment. We have also joined the Scottish Government's AI task force to engage with peer organisations' preparations and risk assessments and use this intelligence to feed into our own activities.
6. Current corporate risk register
6.1 Changes to the corporate register
Three of the risks added to the corporate risk register during 2023 were in relation to difficulty recruiting and retaining talent; these are:
R044: SEPA is unable to fulfil statutory duties in relation to radioactive substances;
R045: SEPA is unable to provide the 24/7/365 Flood Warning Service;
R046: SEPA has insufficient IS resource to meet organisational requirements.
R046 has now been closed following the completion of all actions, including securing additional expert resource and prioritisation of requests via a central workstream. A further two risks were identified in 2023; these were:
R047: SEPA is not constituted as a legal entity (Board recruitment)
This risk has now been closed following the completion of all actions and the successful appointment of a new Chair of SEPA’s Agency Board, and six new Board members.
R048: SEPA suffers reputational damage in relation to climate change.
Following feedback from the Corporate Leadership Team, this risk was reviewed and reframed in January. Where previously the risk focused on reputational damage, it now focuses on the risk of us not achieving our net zero targets. The risk score was also re-evaluated as part of this process and has been reduced to 12; as a result, this risk has been de-escalated and will be reported via the Organisation Workstream risk register going forward.
At the end of March 2024 we achieved our Annual Operating Plan 2023-2024 target of responding to a mean monthly average of 82% of access to information requests by the end of March 2024. Following the achievement of this target, we have reviewed risk R043 and reduced the score from 15 to 9. It will be removed from the corporate risk register and will be managed via the workstream or portfolio registers going forward.
R043: We are unable to access the information we need to respond to requests under information rights legislation.
6.2 Risks being considered for corporate register
Throughout the year colleagues discuss potential risks with us and we work with them to profile the risks. This process usually provides reassurance that the risks are being managed appropriately and in the right place and it often leads to good discussions about further mitigating action that could be taken. Since the implementation of the Workstream risk registers, potential risks identified are considered at Workstream management level and escalated as appropriate. Going forwards, risk will form a key discussion area in quarterly Portfolio Leadership Team meetings. Risk registers will be shaped for each portfolio with a line of sight to the strategic risk register.
Areas such as recruiting and retaining talent, use of AI and a number of others are emerging through the current process set out above. These, with a number of other emerging areas, will be considered as SEPA reframes risk and develops our new strategic risk register.