Risk Management policy
Published: 04 February 2025
Freedom of information class: How we manage our resources
This policy sets out RoS' commitment to responding to the identified threats to achieving our objectives and to the opportunities for increasing the likelihood of success.
1. Purpose and scope
1.1 The RoS Board and Executive Management Team (EMT) recognise that RoS will face a variety of risks in delivering its objectives.
1.2 This policy sets out RoS' commitment to responding to the identified threats to achieving our objectives and to the opportunities for increasing the likelihood of success.
1.3 In doing so, the Keeper, RoS Board and the EMT are also committed to supporting the benefits from deploying and resourcing an integrated enterprise risk management (ERM) approach to strategic, change and operational risks, set in the context of the Corporate Plan and risk appetite agreed by RoS Board and EMT.
1.4 This policy applies to all enterprise activities in RoS including all people, processes, premises, technology, information and supply chain activities.
2. Guiding principles
2.1 The principles of this policy are to ensure risk management is:
- proportionate and fit for purpose in line with the Scottish Public Finance Manual (SPFM) risk management and internal control guidance
- aligned to the context set by the Corporate Plan
- comprehensive in scope covering all of our activities
- embedded across the organisation
- dynamic to respond to change.
2.2 RoS risk management activities will be guided by an understanding of risk appetite which shall be defined by the EMT and kept under review. Risk appetite will be recorded and communicated as part of the RoS risk management framework. The framework shall be used to operate risk management practices in a standard, consistent and repeatable way within RoS.
3. The policy
3.1 RoS objectives for enterprise risk management (ERM) are:
- provide appropriate risk information to support decision making at all levels
- assist in achieving economic, efficient and effective processes that deliver the best outcomes, reduced uncertainty and a supportive risk culture
- achieve compliance with our mandatory obligations
- provide assurance that our internal control activities and risk management practice comply with our risk management principles.
4. Roles and responsibilities
4.1 The Keeper has overall accountability for risk management at RoS.
4.2 The EMT is responsible for the content of this policy, its approval and review. They are responsible for ensuring its implementation in practice and for monitoring this over time. They are also responsible for ensuring that appropriate procedures, guidelines or standards as are required to support this are maintained and ownership for these assigned appropriately. They are responsible for setting and communicating RoS' risk appetite.
4.3 The RoS Accountable Officer (AO) has responsibility for delivery of the enterprise wide implementation of the policy, principles and objectives. The AO also approves the governance statement within the RoS Annual Report and Accounts (ARA). The ARA governance statement outlines and evaluates the governance, risk management and internal control arrangements in place during the preceding year. The Audit and Risk Committee (ARC) supports and advises the Accountable Officer in monitoring the corporate governance, risk, value for money and control systems in RoS.
4.4 All Heads of Service are responsible for leading risk management for their services and providing annual certificates of assurance and assurance opinions to the Accountable Officer for the ARA governance statement. Heads of Service are responsible for ensuring risk management activity informs business continuity arrangements for their services.
4.5 All RoS colleagues have a responsibility to be aware of risk, and to support and participate in risk management activities led by Heads of Service.
4.6 The RoS Risk and Information Governance function is responsible for the delivery of the integrated risk approach, including enterprise-wide support, training and awareness, on behalf of the Accountable Officer.
5. Approval and review
5.1 This policy will be reviewed annually, unless earlier review is appropriate, by the Information Security and Assurance Group (ISAG) and approved by EMT. A copy will be provided to ARC and RoS Board for noting.
| Field | Value | Field | Value |
|---|---|---|---|
| Author | Head of Enterprise Risk Management | | |
| Reviewed | Head of Risk & Information Governance | | |
| Cleared | Policy and Corporate Services Director | | |
| Approval | EMT | Approval date | December 2024 |
| Policy version | V 3 | | |
| Review responsibility | EMT | Review date | December 2025 |
| Publication scheme | Yes | | |
| Email to contact | rossecretariat@ros.gov.uk | | |