British Library Risk Management Policy Framework (2017)

Transcription

1 Risk Management Policy Framework May

2 British Library Risk Management Policy Framework (2017) 1. Introduction The Library defines risk as being the quantifiable level of exposure to the threat of internal or external events that will adversely affect the Library s ability to achieve its strategic and operational goals. In simple terms, risk is regarded as uncertainty. The task of management is to effectively respond to these risks and to minimise the impacts and/or probability of these risk transpiring and to maximise the likelihood of the organisation achieving its goals thereby delivering our Living Knowledge Purposes through the best use of public money and resources. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and reviewing of risks along with their causes and impacts takes place, new risks might emerge, some might change and others disappear. Risk management should not be a standalone activity separated from other activities and processes of the organisation. It is essential that it is embedded in the core responsibilities of management and is integral to organisational decision making, including a complete landscape of assurance; strategic planning; change management; and operational delivery. As resources are finite, the Library recognises that some risk taking will always be necessary especially if we are to exploit opportunities as they present themselves. To inform this risk taking, the Library has adopted a risk management process outlined below. 2. Assurance The Library has made some changes to its governance landscape over the last two years in response to its Living Knowledge Purposes and to ensure it is focussed on their delivery in a climate of tight financial constraints but an eagerness to innovate and expand. In light of these changes strategic risk management activities have been transferred into Finance so they can be more closely aligned to compliance and audit activities; and corporate planning. The Policy Framework has also been updated to align to the principle decision making role of the Strategic Leadership Team (SLT); ensuring risks are reviewed quarterly at formal SLT meetings with the support of a new Corporate SLT Risk register. Based on gaps identified through assurance mapping exercises in 2016/17, we will review existing operational risks to form the register during 2017/18, with the aim of forming and cementing the register for the end of the 2017/18 period. We will also re-assess our organisation wide assurance framework to ensure that risk management is appropriately understood and embedded and sits appropriately alongside our wider assurance and control mechanisms of internal audit, business planning, governance and compliance. One important aspect of risk management is that assurances are provided by risk and control owners demonstrating confidence and trust that risks are being adequately, effectively and efficiently managed. Through assurance mapping workshops we will identify the level of assurances already in place and assess whether these are appropriate. 3. Framework Successful risk management depends on the effectiveness of the management policy framework providing the foundations and arrangements that will embed it throughout the organisation at all levels. The management framework facilitates the risk management process at varying levels and 2

3 within specific contexts of the Library. It ensures that information about risk derived from the risk management process is transparent and used as a basis for decision making and accountability at all relevant organisational levels. The Library s risk management framework has been in place since 2006 in the British Library Risk Management Policy and Strategy but this document updates that framework in line with ISO The recasting also aims to separate the top level framework from the process guidance which was previously integrated in one document. (A separate guidance document has been written describing the day to day operational procedures.) 4. Mandate and Commitment To ensure the effectiveness of risk management at the Library, strong and sustained commitment is required. Strong leadership across all relevant stakeholders is needed to establish an environment for the free and open disclosure and discussion of risk. Management will: endorse the risk management policy framework; determine risk management performance indicators including through the establishment of the Library s risk statement; align risk management objectives with the objectives and strategies of the organisation; ensure legal and regulatory compliance; assign accountabilities and responsibilities at appropriate levels within the Library; ensure that the necessary resources are allocated to risk management; and demonstrate and communicate the benefits of risk management 5. Risk Management Rationale The Library is committed to risk management because it believes that risk evaluation is central in informing decision making. Decisions should take account of the wider context including consideration of risk as set out by the British Library Board. Using risk evaluation, the Library is able to make informed decisions about how to treat the risk through the addition or modification of controls. In particular, risk management seeks to identify potential problems before they occur so that riskhandling activities may be planned and invoked as needed to mitigate adverse impacts on achieving objectives. Effective risk management includes early and aggressive risk identification through the collaboration and involvement of relevant stakeholders. Strong leadership across all relevant stakeholders is needed to establish an environment for the free and open disclosure and discussion of risk. All decision making within the Library, should involve the explicit consideration of risks and the application of risk management to some appropriate degree and it should be possible to see that all components of risk management are represented within key decision making processes, e.g. for decisions on new services; potential partners and/or funding sources; the allocation of budgets; and on programmes and projects delivering change. The establishment of effective risk management is recognised by The Treasury, the DCMS, the Board and the Strategic Leadership Team as being fundamental in ensuring good corporate governance. 3

4 6. Risk Treatment The Library will select the most appropriate treatment option based of consideration of risk, costs and efforts of implementation against benefits derived. When selecting risk treatment options, the organisation should consider the values and perceptions of stakeholders. It should also be noted that risk treatment itself can introduce new risks or change the profile of existing linked risks. Risk treatment action plans should include: who is accountable for the plan proposed actions resources required reporting and monitoring requirements timing and scheduling of deliverables 7. Recording and Transparency To support the application of the risk management framework in practice, a risk management information system in the form of a series of integrated risk registers has been established, implemented and is maintained on an on-going basis. The top level risk register, the Strategic Risk Register considers risks that, if realised, could fundamentally affect the way in which the organisation exists or provides services in the next 1 to 5 years. These risks will have a detrimental effect on the organisation's achievement of its key business objectives and ultimately our Living Knowledge Purposes. The risk realisation will lead to failure, loss or lost opportunity. Below the Strategic Risk Register are operational risks. These risks will affect the day to day running of the British Library and achievement of service area business objectives and therefore ultimately may impact the Living Knowledge Purposes. These operational risks will either be held within registers maintained in individual service areas or have been escalated to the Corporate SLT Risk Register for regular scrutiny and monitoring at the Strategic Leadership Level. The risks held on the Corporate SLT Risk Register, sitting directly below the Strategic Risk Register in terms of escalation, represent operational risks recognised that, following consideration of existing controls, are outside of acceptable levels (risk levels) and/or have a high residual impact and high residual likelihood of occurrence. In line with the Library s Risk Management Guidance, this corresponds to risks that have a residual impact and probability risk scores of 12 or above (see Risk Matrix Below). Operational level risks not held on the Corporate SLT Risk Register are subject to processes that identify and escalate any significant risks for review at SLT level. Risk registers are also maintained for projects and programmes and other specific change activities. Risk can be escalated or de-escalated from one register to another. Likewise, a system is in place to link risks. Please see the Risk Management Guidance for further details. 4

5 Risk Matrix Impact (I) Catastrophic Major Moderate Minor Almost None (5) (4) (3) (2) (1) (10) (8) (6) (4) (2) (15) (12) (9) (6) (3) Primary (20) Primary (16) (12) House Keeping (8) House Keeping (4) Rare Unlikely Possible Likely Likelihood (L) Primary (25) Primary (20) (15) House Keeping (10) House Keeping (5) Almost Certain 8. Monitoring and Reviewing The performance of the risk management system is monitored and reported to The British Library Strategic Leadership Team for review and appropriate decision-making and the Audit and Risk Group for challenge and scrutiny. The Board Audit Committee also receives regular reports to allow them to take assurance as to the on-going effectiveness of risk management. These arrangements are endorsed and upheld by The British Library s Board. Furthermore, they are suitably robust and transparent to enable the production and certification of a fair and representative Statement on Internal Control (SIC) or corporate governance statement by the British Library. 9. Accountability The Library s Strategic Leadership Team should ensure that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls. In particular by ensuring that risk owners are identified and have the accountability and authority to manage risks. The Chief Operating Officer is responsible for overseeing the function of Risk Management and advising the Audit Committee and Strategic Leadership Team on progress of Risk Management activities and acting as key contact in connection with risk management issues. The Library requires all members of the Strategic Leadership Team (SLT) to sign an Annual Assurance Statement relating to their area s risk management activities. This is a key control over risk management as it will allow the Chief Executive, acting as the Accounting Officer, and Chairman of the Board to sign the Statement of Internal Control as the Statement can only be signed without reservation if risk management arrangements have been in place and operating throughout the year. 5

6 10. Risk Appetite Risk is defined as the Library s willingness to accept risk in pursuit of its objectives. The establishment of the British Library s statement on risk is intended to guide risk owners in their actions and ability to accept and manage risks. Risk is the shorthand phrase used to describe where the Library considers itself to be on the spectrum ranging from willingness to take or accept risk through to an unwillingness or aversion to taking some risks. It is about the question what are we prepared to take on, which risks do we need to reduce and which risks are we not prepared to accept? The Strategic Leadership Team and the Board currently review the risk levels annually in light of any changes both within the Library and outside in our external landscape. In times of limited resources for example, it may be that the Library will need to be less risk averse to be able to maximise opportunities and deliver strategic objectives. Five levels of risk have been established from the highest level, Risk Appetite 1 where the Library has a minimum acceptance of risk to Risk Appetite 5 where the Library is willing to accept significant risks in pursuit of major gains. These are described in the table below. (Note: These scores relate solely to the risk, they are not comparable with the impact and probability scores.) Risk Appetite levels and descriptions Assessment Minimum Risk Appetite 1 Risk Appetite 2 Modest Risk Appetite 3 Moderate Risk Appetite 4 Maximum Risk Appetite 5 Description The Library is not willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, minor significant incidents(s) of regulatory noncompliance, potential risk of injury to staff and readers. The Library is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory noncompliance, potential risk of injury to staff and readers. The Library is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, major incidents(s) of regulatory non-compliance, potential risk of injury to staff and readers. The Library is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff and students. The Library accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incidents(s) of regulatory non-compliance, potential risk of injury to staff and readers. 6

7 Minimum Risk Appetite - 1 Risk Appetite- 2 Modest Risk Appetite - 3 Moderate Risk Appetite - 4 Maximum Risk Appetite - 5 RISK APPETITE LEVEL Risk Area Description FINANCE - Stewardship The Library will maintain its high financial stewardship standards. The Strategic Leadership Team and Board have a duty to manage the finances and resources of the Library to ensure transparency, accountability, efficiency, economy and effectiveness. COMPLIANCE - H&S + Data Protection & other legal or regulatory frameworks The Library will not accept risk in most circumstances in relation to legal matters BRAND ACADEMIC & SCHOLARLY REPUTATION INSTITUTIONAL REPUTATION BOARD AND MAJOR PORTFOLIO/PROGRAMME GOVERNANCE PHYSICAL SECURITY The Library aims to protect its brand, seeking to develop or align the expectations behind the brand experience, creating the impression that a brand associated with a product or service has certain qualities or characteristics that make it special or unique. Our brand is therefore considered one of the most valuable elements that demonstrate what the Library is able to offer in the marketplace and we are not willing to accept risks in most circumstances. The Library will continue to maintain its high standards of scholarship, conduct and academic quality when dealing with matters associated with the Collections within its financial limits. The Library will continue to maintain the highest reputational standards in all activities The Library is not willing to accept risks in most circumstances in relation to governance. However, we accept the potential for minor risk within contractual matters and governance processes. The Library will continue to protect its visitors, staff, Collections and physical assets to the highest standards possible within its financial limits.* DIGITAL SYSTEMS SECURITY Digital security of Library management systems, digital repositories, cataloguing systems and key corporate systems, such as those of Finance and HR, commensurate with resources, are protected to 7

8 the highest possible standard.* IT INFRASTRUCTURE INFORMATION MANAGEMENT SERVICE DELIVERY - inc Digital Services FINANCE - Budgeting STAKEHOLDER RELATIONSHIPS The Library will maintain the availability and integrity of infrastructure. We are willing to accept some risk in pursuit of creative and innovative technical solutions. The Library will maintain the integrity of information systems managed by the Library at the highest levels possible commensurate with resources. The Library will not accept risk in most circumstances. In this area of significant uncertainty and high costs of mitigation, some limited risk has to be accepted. We accept that day to day service reductions are inevitable due to the volatility of supply and demand. Whilst maintaining its high financial stewardship standard, the Library accepts that there may be budgetary overspends. Any resulting impact will be managed within the Library s overall resources. The Library will continue to maintain good relationships with critical stakeholders (community, funders, donors, government). However, we are willing to accept some risks in certain circumstances that may result in damage to some stakeholder relationships. This may be for example where stakeholder groups have conflicting views or needs or where the costs of mitigating the risks are particularly high. STAFF The Library will develop capabilities and capacity of staff in order to deliver key priorities and maintain service levels. We will strive to recruit and retain the best possible staff within the organisation s budgetary limits while accepting because of these limits that we may not be able to recruit and retain staff with ideal competency sets. BUSINESS CONTINUITY The Library mitigates the impact of interruptions to its services when it is possible to do so within its financial limits. As a consequence the Library accepts a level of risk for service interruptions that are either unlikely to occur or that are beyond the Library s financial resources to address. 8

9 BUILDINGS AND PHYSICAL ENVIRONMENT The Library will continue to use the resources available for the maintenance of the Estate to ensure it is fit for purpose and is utilised as efficiently as possible. We will accept some risk in managing the Estate including on building projects where gains are particularly significant. We further accept however that, given the ageing nature of some parts of the Estate and the resources available, it will not be possible to maintain all buildings beyond ensuring that they meet the minimum requirements to make them fit for purpose. * The score shown for these areas is a holistic average representation of the approach the Library has to its custodianship activities, which depicts a low risk as the most widely applied approach. Further details regarding the varied risk s towards Physical and Digital custodianship of collection items can be found in the following tables. Review date May

10 Type of use Collection Custodianship Risk Appetite Physical items Key for population ABRS Reading Categories Minimum risk T = Treasure = 1 R = Restricted ROZ, RMZ, RCZ, RRZ, Z-safe RO, RMZ, RC, RR S = Special SEL Items to which access is not G = General D = Digital O = Open DS = Document Supply GEN, SER, SUR, RO1/3, RM1/3, WY, RC1/3, RR1/3, RK3, MSS, EAR, MFM, NEW, SSC/1, CDM GEN, SER, SOA DSS, DSM Use onsite e.g. in reading rooms; Environmental Use onsite e.g. in reading rooms; Security Display onsite, in designated exhibition spaces Environmental normally granted, due to underlying issues, high monetary value, or proven susceptibility to theft or for preservation reasons. risk = 2 Items identified as being of high cultural/financial value, vulnerable to damage or theft, and subject to close supervision. Modest risk = 3 Items that can be viewed/used in reading rooms, subject to the conditions of the Library and with Reader Pass. Moderate risk = 4 Measures are in place to mitigate risk, but the BL accepts that a very small number of items may be damaged or lost. T,R R,S G O DS T,R R,S G O DS T R,S G O DS Maximum Risk = 5 The Library is willing to accept risks to items that may result in loss or damage, though some control measures are in place Display onsite, in designated exhibition spaces; Security Use onsite, outside designated exhibition spaces and RRs (show and tell etc.); Security Use onsite, outside designated exhibition spaces and RRs; Environmental Use offsite e.g. exhibitions loans, Security Use offsite e.g. exhibitions loans, environmental Collection stewardship uses, e.g. conservation, preservation, storage, security Collection stewardship uses, e.g. conservation, preservation, storage, environmental T R,S G O DS T, R,S R,S, G O DS T, R,S, R,S, G O DS T, R,S R,S, G O DS T, R,S R,S, G O DS T R,S G O,DS T R,S G O,DS 10

11 Collection Custodianship Risk Appetite Digital and Digitised Collection Items Type of use Minimum risk = 1 risk = 2 Modest risk = 3 Moderate risk = 4 Maximum Risk = 5 Use onsite e.g. in reading rooms, legal compliance risk Legal deposit; Unpublished archives Licenced-in content, subscriptions and e-resources UK web archive; Collections held on trust (digitised); Culturally sensitive collections Open access Use online off site, BL web site or aggregator sites, e.g. Europeana, legal compliance risk Use online off site through licensing arrangement, legal compliance risk Legal deposit (no offsite usage) Culturally sensitive collections Unpublished archives Legal deposit (no offsite usage) Culturally sensitive collections Unpublished archives Collections digitised with restrictions imposed by funding bodies Licenced-in content, subscriptions and e-resources; UK web archive Licenced-in content, subscriptions and e-resources; Collections held on trust; Collections held on trust; Works identified as "orphan" Out of copyright digitised collections; copy right cleared collections Works identified as "orphan" Out of copyright digitised collections; copy right cleared collections (digital or digitised) Use offsite e.g. exhibitions loans (physical exhibitions), legal compliance risk Use offsite, set free e.g. Flickr, legal compliance risk Collection stewardship including conservation, preservation, storage, legal compliance risk Collection stewardship including conservation, preservation, storage, security risk Legal deposit (no offsite usage) Legal deposit (no offsite usage); Licenced-in content, subscriptions and e-resources; Culturally sensitive collections Unpublished archives Collections digitised with restrictions imposed by funding bodies Legal deposit; unique digital collections (archives, sound etc); Digitised collections; purchased digital collections Legal deposit; unique digital collections (archives, sound Culturally sensitive collections; Licenced-in content, subscriptions and e-resources; Unpublished archives Works identified as "orphan" Out of copyright digitised collections; copy right cleared collections Collections held on trust; Works identified as "orphan" Out of copyright digitised collections; copy right cleared collections (digital or digitised) Licensed-in content Digitised collections; purchased digital collections Licensed-in content 11

12 Related Documents Orange Book: Management of Risk - Principles and Concepts. HM Treasury, 2013 ISO 31000, Risk Management, Principles and guidelines. ISO 2009 Guidance on the management of risk at the British Library. British Library, 2017 Review date: May