APPENDIX 2: A guide to the risk management process


Risks are prioritised by assigning a rating between 1 and 5 to the likelihood (L) of the risk occurring and to the potential impact (I) should it occur. These are then multiplied to provide the risk score; the higher the result of L x I, the greater the risk. For example, L4 x I4 denotes a Likelihood score of 4 (Likely) x an Impact score of 4 (Major), which gives a total risk score of 16.

 

A colour-coded system, like the traffic light system, is used to distinguish risks that require intervention. Red risks are the highest (15-25), amber risks are significant (8-14), yellow risks are moderate (4-7), and green risks are the lowest (1-3).

The Strategic Risk Register (SRR) mostly includes Red and Amber risks. Each strategic risk has a unique identifying number and is prefixed by ‘SR’ representing that it is a strategic risk.

Each risk is scored twice with an Initial ‘Current’ level of risk and a Revised ‘Target’ risk score:

The Initial ‘Current’ Risk Score reflects the Existing Controls already in place under the ‘Three Lines of Defence’ methodology. This represents good practice as it identifies the First Line – Management Controls; Second Line – Corporate Oversight; and Third Line – Independent Assurance and the currency and value of each control in managing the risk. Therefore, the Initial Risk Score represents the ‘as is’ position for the risk, taking account of existing controls.

 

The Revised ‘Target’ Risk Score focuses on the application of time and/or expenditure to further reduce the likelihood or impact of each risk. It assumes that any future Risk Actions, as detailed in risk registers, will have been delivered to timescale and will have the desired impact.

The Risk Owners are asked to consider the 4Ts of Risk Treatments – Treat, Tolerate, Terminate, Transfer. Risk actions should reduce the likelihood and/or impact – if neither is true, there is no reason to undertake the action.