Risk- Landscape and Heat Maps - Social Security Scotland
Dignity, fairness, respect.
Social Security Scotland Agency Risk Management Function
August 2020

Slide 2: Introduction
• Since the last meeting of the Audit and Assurance Committee there have been substantial changes to the Strategic Risk Register.
• As a result of the full review of the Strategic Risk Register, the number of risks has dropped from 32 to 20.
• Slide 3 shows the changes from May 2020 to August 2020.
• Slides 4 and 5 are cluster maps of all risks.
• Slides 6 to 12 cover the risks scoring 20 or higher (full mitigations and actions are contained within the Strategic Risk Register).
• Slide 13 shows the current landscape of residual risk score against tolerance levels.
• Slides 14 to 16 show risks by risk theme.
• NB: the information contained within this document is valid up to 12th August 2020. There may have been amendments since that date that are not captured here.
Slide 3: Current position from May 2020 to August 2020 (as of 6th July 2020)

[Two 5 x 5 heat maps, Impact (1 to 5) against Likelihood (1 to 5). The cell each risk sits in, and the colour/arrow markers of the key, are not recoverable from this transcript.]

Key: new risk; no movement; score increase; score decrease.

Left map, all risks plotted: AS-R001a, AS-R002a, AS-R010a, AS-R011a, AS-R012a, AS-R014a, AS-R015a, AS-R017a, AS-R029, AS-R032a, AS-R034a, AS-R037a, AS-R040a, AS-R044, AS-R045, AS-R047, AS-R048, AS-R050, AS-R053, AS-R056, AS-R058a, AS-R060, AS-R061, AS-R062, AS-R063, AS-R064, AS-R065, AS-R066, AS-R070, AS-R072, AS-R073.

Right map, Outside Tolerance: AS-R001a, AS-R002a, AS-R012a, AS-R015a, AS-R029*, AS-R032a, AS-R034a, AS-R037a, AS-R047, AS-R048, AS-R060, AS-R061, AS-R062, AS-R063, AS-R064, AS-R065, AS-R066, AS-R070, AS-R072, AS-R073.

* Risk is currently awaiting score change approval
Slide 4: Risks outside tolerance, clustered by risk theme

[Cluster map. The theme each risk is plotted under is not recoverable from this transcript.]

Themes: Resource, Security, Compliance, Financial, Governance, Operational Delivery, Policy, Operational Readiness.

Risks plotted: AS-R001a, AS-R002a, AS-R012a, AS-R015a, AS-R029, AS-R032a, AS-R034a*, AS-R037a, AS-R047, AS-R048, AS-R060, AS-R061, AS-R062, AS-R063, AS-R064, AS-R065, AS-R066, AS-R070, AS-R072, AS-R073.

* Risk awaiting score change approval
Slide 5: All risks, clustered by risk theme

[Cluster map. Risk IDs are shown in the original without the "AS-R" prefix; the theme each risk is plotted under is not recoverable from this transcript.]

Themes: Communications, Compliance, Financial, Governance, Operational Delivery, Operational Readiness, Policy, Resource, Security, Technology.

Key: shaded = risk currently outwith tolerance; * = risk currently awaiting score change approval.

Risks plotted: AS-R001a, AS-R002a, AS-R012a, AS-R015a, AS-R029, AS-R032a, AS-R034a*, AS-R037a, AS-R047, AS-R048, AS-R060, AS-R061, AS-R062, AS-R063, AS-R064, AS-R065, AS-R066, AS-R070, AS-R072, AS-R073.
Slide 6: Highest Scoring Risks

AS-R029
Date Added: 23/01/19
Risk Type: Operational Delivery
Risk Description: IF there is no formal Business Continuity Management System in place THEN any incident that requires its plans to be invoked will depend on reactive management to resume services, RESULTING IN significant reputational damage, impact to client service delivery, impact on the health, safety and wellbeing of our people, significant financial implications and failure to meet statutory obligations.
Current Impact: 5
Current Likelihood: 5
Score (Impact x Likelihood): 25
Action Owner: Julie Clark
Risk Owner: Janet Richardson
Update: TRS position filled as of 19/3/20. Ongoing work to implement the Business Continuity Management System as outlined in the framework has been significantly hindered by Covid-19. All Business Resilience resource has been focused on the Covid-19 response since the end of January 2020. Work to restart in early July 2020 to create a Major Incident Response Plan and the other requirements set out in the framework.
Business Continuity teams have been identified across the Agency to support the Business Resilience function with some of the activity required.
The project planner has been updated, identifying key milestones for business resilience activity.
Slide 7: Highest Scoring Risks (continued)

AS-R034a
Date Added: 23/01/19
Risk Type: Resource
Risk Description: IF it is not possible to fully understand and define the Agency's future space and headcount requirements, the estate procured will not be to the required standard for the Agency to deliver its business requirements (e.g. mail, courier, Wi-Fi, training spaces etc.) and the estate cannot house the appropriate volume of staff, THEN efficiency may be impacted in regard to service delivery and workforce planning requirements, RESULTING IN reduced quality of services for citizens and a difficult working environment for staff.
Current Impact: 5 (proposed: 4)
Current Likelihood: 5 (proposed: 4)
Score (Impact x Likelihood): 25 (proposed: 16)
Action Owner: Jeremy Smart
Risk Owner: James Wallace
Update: RISK SCORE UNDER REVIEW (06/08/20) - presenting to Risk Review Group 20/08/20.
Updated 07/08/20: The risk relating to the Agency's future headcount remains; the figures still have a large variance, so it is impossible to be absolutely specific. However, the overall risk has reduced, in part due to the Covid-19 pandemic. The Agency has moved almost its entire workforce onto a home working basis, so, while far from ideal, should accommodation not be ready it is still possible for staff to continue this arrangement. The overall risk also reflects the Dundee position; the Glasgow side would be lower if shown as a separate risk, given the lease on 220 High Street.
Slide 8: Highest Scoring Risks (continued)

AS-R015a
Date Added: 23/01/19
Risk Type: Governance
Risk Description: IF the Agency is not provided with policy and product to deliver effective internal control systems for the delivery of benefit products which are secure by design THEN the Agency may experience increased levels of fraudulent activity, both internal and external, RESULTING IN financial loss and reputational damage for the Agency.
Current Impact: 5
Current Likelihood: 4
Score (Impact x Likelihood): 20
Action Owner: Meg Fowler
Risk Owner: James Wallace
Update: Work is presently underway in conjunction with Service Design (Audit) to produce the first-line-of-defence assessment for all operational areas. Op Finance have completed, as has External Fraud; Debt is next. Gaps identified will be used to generate new user stories. Audit/Error/Financial Controls/Fraud service design leads are now collaborating to produce a matrix of preventative/detective/corrective/deterrent control requirements to inform a new controls 'Feature'; Data Protection agency experts have also been invited to contribute.
Slide 9: Highest Scoring Risks (continued)

AS-R037a
Date Added: 23/01/19
Risk Type: Governance
Risk Description: IF the Agency continues to be dependent on central Scottish Government HR for recruitment services THEN the Agency may be unable to have the right people in place at the right time, RESULTING IN an inefficient and ineffective service with reputational damage for the Agency.
Current Impact: 5
Current Likelihood: 4
Score (Impact x Likelihood): 20
Action Owner: Nicola Bailey
Risk Owner: James Wallace
Update: Expecting partition work to begin in May with a 25-day development time. No definitive date for delivery yet.
Read-only VOL training planned, but SG are currently having issues accessing VOL from home and the system is limited to 4 log-ins at one time. This issue may impact the partitioning work and our ability to access the system until we return to offices.
Slide 10: Highest Scoring Risks (continued)

AS-R047
Date Added: 30/01/19
Risk Type: Operational Delivery
Risk Description: IF the Agency is not prepared to deliver Wave 2 Disability benefits, preparation being the cumulative effect of training, suitable estates and operational guidance/instructions being ready before live running, THEN the Agency may deliver a service that will cause hardship to its users, RESULTING IN an inefficient (cost and purpose) service with a loss of confidence and reputation for the Agency and Scottish Government.
Current Impact: 5
Current Likelihood: 4
Score (Impact x Likelihood): 20
Action Owner: Ally MacPhail
Risk Owner: James Wallace
Update: Clinical lead on CDP now in post to support discussions on the clinical structure and consultation process. Clinical lead for adult disability being recruited. CDP pilot dates proposed for March 2021 and launch date proposed for August 2021.
Re-engagement with NSS to support recruitment and HR payroll services for clinical staff. Clarity on the numbers of staff being requested from CAD is due in July, alongside locations for staff based on demand from clients; all of this is essential to support recruitment and learning. Joined-up working with the programme to understand the activities outstanding to support the launch.
Slide 11: Highest Scoring Risks (continued)

AS-R066
Date Added: 20/03/20
Risk Type: Policy
Risk Description: IF the Agency fails to have appropriate and robust audit controls in place and have these controls fully maintained THEN we may be ineffective in detecting fraud or unauthorised data access, RESULTING IN a loss of money or data and reputational damage to the Agency and SG.
Current Impact: 4
Current Likelihood: 5
Score (Impact x Likelihood): 20
Action Owner: Meg Fowler
Risk Owner: James Wallace
Update: Current controls in place: random sampling, some targeted data mining in place, 2nd tier checking for Searchlight access, controls around SPM access, a range of tactics to increase awareness (responsibilities, process compliance, risk indicators), investigatory expertise in post supported by statutory powers, and access to audit table data via request to the CDO.
Future: risk and control framework gap analysis, enhanced access to bespoke mining queries, independent ability to draw audit table data, enhanced detective controls. Work to propose technical preventative controls continues in collaboration with SPM Service Design.
The ELK solution to make better sense of the daily dump of audit data is coming to fruition, with a target go-live date of 20/7/20.
Work to define requirements for the strategic ATRS system is presently underway; however, this cannot deliver any preventative (alerting) functionality. Service Design have still to consider how this might be achieved.
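As an added illustration (not Social Security Scotland code, and not a description of its SPM, Searchlight, ELK or ATRS systems) of the two detective techniques the update names, the script below runs random sampling for second-tier checking and a targeted data-mining rule over a constructed daily audit dump. The column layout, the "browsing" threshold (more than three distinct unassigned client records inside ten minutes) and the working-hours window are assumptions chosen for the example. It also makes the update's point concrete: both checks run after the fact over a dump, so they detect an access that has already happened and cannot prevent it.

```python
"""Detective controls over a daily audit-table dump (illustrative only).

Added example, not Social Security Scotland code: the record layout,
field names and thresholds are assumptions made for the illustration.
"""
import csv
import io
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dump (assumed columns): one row per client-record access.
SAMPLE_DUMP = """\
timestamp,user,client_id,action,case_assigned
2020-07-20T09:02:11,u1001,C-2001,view,yes
2020-07-20T09:05:40,u1001,C-2002,view,yes
2020-07-20T09:07:02,u1002,C-3001,update,yes
2020-07-20T12:30:15,u1003,C-4001,view,no
2020-07-20T12:30:48,u1003,C-4002,view,no
2020-07-20T12:31:10,u1003,C-4003,view,no
2020-07-20T12:31:33,u1003,C-4004,view,no
2020-07-20T12:31:59,u1003,C-4005,view,no
2020-07-20T12:32:20,u1003,C-4006,view,no
2020-07-20T22:15:03,u1002,C-3001,view,yes
2020-07-21T03:40:09,u1004,C-5001,view,no
"""


def parse_dump(text):
    """Parse the CSV dump into event dicts; adds a datetime 'ts' and a bool 'assigned'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["assigned"] = row["case_assigned"] == "yes"
        events.append(row)
    return events


def random_sample(events, size, seed=None):
    """Random sampling for second-tier checking: pick events for a reviewer.
    A recorded seed makes the sample reproducible, so the review itself is auditable."""
    rng = random.Random(seed)
    return rng.sample(events, min(size, len(events)))


def find_browsing(events, max_distinct=3, window=timedelta(minutes=10)):
    """Targeted mining rule (assumed threshold): a user who opens more than
    max_distinct different client records they are not assigned to, inside
    one `window`, is flagged as possible record browsing.
    Returns {user: sorted list of client ids seen in the offending window}."""
    by_user = defaultdict(list)
    for e in events:
        if not e["assigned"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window from each event
            clients = {x["client_id"] for x in evs[i:]
                       if x["ts"] - start["ts"] <= window}
            if len(clients) > max_distinct:
                flagged[user] = sorted(clients)
                break
    return flagged


def find_out_of_hours(events, start_hour=7, end_hour=20):
    """Accesses outside the assumed working window: cheap risk indicator for review."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def run_detective_checks(text, sample_size=3, seed=0):
    """Run all checks over one dump; everything here is after-the-fact detection."""
    events = parse_dump(text)
    return {
        "sampled": [e["timestamp"] for e in random_sample(events, sample_size, seed)],
        "browsing": find_browsing(events),
        "out_of_hours": [(e["user"], e["timestamp"]) for e in find_out_of_hours(events)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_detective_checks(SAMPLE_DUMP), indent=2))
```

On the constructed data the browsing rule flags u1003 (six unassigned records in about two minutes) and the out-of-hours check surfaces the 22:15 and 03:40 accesses; the sampled rows are whatever the seeded draw selects, which is the point of sampling: it gives an unpredictable check that a targeted rule cannot, at the cost of catching only a fraction of misuse.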
Slide 12: Highest Scoring Risks (continued)

AS-R070
Date Added: 20/03/20
Risk Type: Operational Delivery
Risk Description: IF the Agency does not have appropriate plans or resilience arrangements in place for an outbreak of Pandemic Flu THEN the Agency may not be able to provide an effective response, RESULTING IN damage to reputation, staff wellbeing and client service delivery.
Current Impact: 5
Current Likelihood: 4
Score (Impact x Likelihood): 20
Action Owner: Julie Clark
Risk Owner: Janet Richardson
Update:
Impact assessment list completed for all business areas.
Steering group in place to develop plans and contingencies.
COVID-19 plan with Chief Executive.
UK Government remaining at "Containment" phase.
Staff awareness has been raised with articles on SCOTS.
Posters being displayed in all areas of offices.
Antibacterial hand sanitiser being provided at desks.
Slide 13: Risk Map - Residual Risk Score against Tolerance

[Bar chart "Risk Score vs. Tolerance Level", y-axis 0 to 25, with two series per risk: Tolerance Level and Residual Risk Score. The plotted values are not recoverable from this transcript, and some x-axis labels are truncated in the original.]

Risks on the x-axis: AS-R001a, AS-R002a, AS-R012a, AS-R015a, AS-R029, AS-R032a, AS-R034a, AS-R037a…, AS-R047, AS-R048…, AS-R060, AS-R061, AS-R062…, AS-R064…, AS-R065, AS-R066, AS-R070, AS-R072, AS-R073, AS-R074….
Slide 14: Risks by risk theme (residual risk score against tolerance)

[Four small charts, one per theme. The residual scores below are the chart data labels read in transcript order against the risk IDs on each chart's x-axis; tolerance levels are not recoverable. Where a chart's risk IDs were not captured, only the bare data labels survive.]

Behaviour: AS-R015a 20, AS-R029 25, AS-R047 20, AS-R060 8, AS-R065 12, AS-R066 20, AS-R070 20.

Dundee as HQ: AS-R032a 16, AS-R034a 25.

External Relationships/Stakeholders: data labels 16, 25, 20, 20, 12, 16, 12, 12, 9 (risk IDs not captured).

Culture: AS-R015a 20, AS-R032a 16, AS-R037a 20, AS-R047 20, AS-R060 8, AS-R065 12, AS-R070 20.
Slide 15: Risks by risk theme (continued)

[Four small charts, one per theme. The residual scores below are the chart data labels read in transcript order against the risk IDs on each chart's x-axis; tolerance levels are not recoverable. Where a chart's risk IDs were not captured, only the bare data labels survive.]

Finance: data labels 16, 20, 25, 20, 12, 8, 16, 12, 12, 20, 20, 9 (risk IDs not captured).

Information Governance: AS-R062 8, AS-R066 20, AS-R072 8, AS-R073 9.

Information Security: AS-R029 25, AS-R062 8, AS-R066 20, AS-R073 9.

Operational Readiness: data labels 16, 16, 25, 25, 20, 12, 8, 16, 12, 20 (risk IDs not captured).