Highways Agency Framework for Business Risk Management

2 DEVELOPING THE AGENCY RISK MANAGEMENT FRAMEWORK

2.1 The Agency Risk Management framework will pull together the existing Risk Management arrangements and turn them into a comprehensive framework, which combines strategic arrangements at the top of the organisation and embeds Risk Management behaviour into the day to day decision making of all colleagues at every level. The strategic and operational elements of the framework are outlined in the paragraphs below.

STRATEGIC RISK MANAGEMENT

2.2 The following diagram shows the strategic element of the Risk Management framework and is the part which will require input from the Accounting Officer (Chief Executive), Audit Committee and Board Directors. The strategic risk analysis and the three components of the high level control framework (see diagram below) set the "tone from the top". This allows senior management to be fully involved in:

  • the identification of strategic objectives and the threats to their achievement; and
  • setting the high level 'culture' which exists in the Agency to encourage responsible risk taking at all levels to achieve VFM.

diagram description

2.3 Taking each aspect of the diagram in turn:

Strategic Risk Analysis:

2.4 The Highways Agency Management Board has identified eight key Agency business and administrative objectives and these are reflected in the Agency's Business Plan. In respect of each objective, key threats to its achievement need to be formally identified and prioritised. Board Members will consider the high-level risk mitigation activities available and decide upon the approach required for each key Agency objective.

2.5 The options for dealing with risk are: terminate the activity; put controls in place to manage the risks; pass on to a partner or provider; or accept the risk and make an informed decision to do nothing. Thereafter, the strategic planning process must ensure that threats and countermeasures are captured and considered when new objectives are set or existing objectives are materially altered.

Philosophy:

2.6 The Accounting Officer (advised by the Audit Committee) needs to clearly define the approach to managing risk, its overall 'appetite' for risk and expectations as far as risk taking/management and delegation of authority are concerned. Agency colleagues should be clear about what is expected of them and what is not.

Behaviour:

2.7 A culture should be created within the Agency that supports the considered and effective management of risk. Agency colleagues must understand what is required of them in managing risk and have the appropriate skills and knowledge to carry out that role.

Roles and responsibilities:

2.8 Paragraph 1.6 briefly mentions the important role played by 'effective' Risk Management arrangements in the achievement of 'sound' Corporate Governance. Effective Risk Management arrangements cannot be achieved unless there is a clear understanding of roles and responsibilities down through the organisation and clear lines of accountability back up the organisation.

2.9 The Accounting Officer is ultimately responsible for demonstrating that adequate sources of assurance are available to confirm that the various control systems have been effective in managing risks.

2.10 Highways Agency Board Directors are responsible for:

  • Defining and communicating the Agency's risk tolerance i.e. the level of exposure and nature of risks which are acceptable;
  • Developing and communicating Agency strategy, aims and objectives to all colleagues to set the context for Risk Management and control activities;
  • Setting policies on internal control based on the Agency's risk profile, its ability to manage the risks identified and the cost/benefit of related controls; and
  • Seeking regular assurance that the system of internal control is effective in managing risks in accordance with Agency policies.

2.11 Assurance will be provided by Agency Board Directors via the production of quarterly reports (to coincide with Audit Committee meetings), highlighting changes to risk registers (e.g. new risks identified, changes to risk rankings etc.) and the effectiveness of measures introduced to control and manage the risks. Such reports will be subject to review by the Audit Committee. Section 3 of this document provides more detail on the Agency's procedures for review and assurance.

2.12 In developing and assigning Risk Management roles and responsibilities throughout the Agency, we need to understand that the Agency has three 'lines of defence' against the risks faced i.e.

diagram description

2.13 In order to achieve objectives, all Agency colleagues have some responsibility for Risk Management - "the first line of defence". They should collectively have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This requires an understanding of the Agency, its objectives, its stakeholders and the risks it faces.

2.14 All line managers are responsible for ensuring that policy on Risk Management is implemented and for ensuring that all colleagues understand the policy and comply with it. Divisional Directors and Heads of Division are responsible for providing input to the respective Board Director's quarterly Risk Management report. They are accountable for the quality of information included within their reports.

2.15 Within the 'project' environment it is worth noting the Risk Management responsibilities of certain key individuals:

  • Project Owner (PO)
    The PO owns the business case, which identifies project risks. They are responsible for reporting risks to the relevant Programme Owner (via the Programme Co-ordinator);
  • Investment Decision Maker (IDM)
    The IDM's role is to ensure that the business case has reported on the risks and provided detail on how they are to be managed;
  • Project Sponsor (PS)
    The PS is responsible for the day-to-day management of the risks;
  • Programme Co-ordinator (PC)
    The PC is responsible for the effective management of programme risks; and
  • Programme Owner (PO)
    Finally, the PO is responsible for ensuring that all programme risks have been identified.

2.16 The formal groups established to oversee management arrangements provide the "second line of defence". These include: Performance Monitoring Action Group, Capital Investment Committee, Confirming Committees and the Audit Committee. Such groups have a key role in supporting the business and assessing the effectiveness of the management and ongoing monitoring of risk.

2.17 The "third line of defence" is provided by groups such as Internal Audit, who will review the robustness of arrangements in place for managing risks. Also sitting within Internal Audit is the Corporate Risk Management Advisor whose main purpose is to develop and maintain the Agency's arrangements for Risk Management. Other 'external assurance' providers include the National Audit Office (NAO).

OPERATIONAL RISK MANAGEMENT

2.18 The operational element of the Risk Management framework allows for the key threats to delivery of business objectives to be managed in a structured way. Again, it relies upon clear lines of responsibility/accountability and the development of robust systems for Risk Management, including reporting on how well risks have actually been managed. The diagram below incorporates the 'operational element' of the Risk Management framework (strategic element shaded grey):

diagram description

Operational risk analysis:

2.19 For effective Risk Management, clear lines of accountability for business objectives are essential. For individual objectives, the Board Member accountable needs to define the high-level control environment required and, in doing so, indicate the level of risk the Agency is willing to accept.

2.20 Following on from HA Board identification of the key Agency business and administrative objectives, an operational risk assessment is required to determine whether arrangements for the management of risks are sound. An operational risk assessment will:

  • Identify all risks - via the systematic identification and recording of the risks faced by the Agency in delivering its business and administrative objectives.
  • Evaluate identified risks - via the assessment of the relative likelihood of risks occurring, and the impact/materiality of potential consequences. To ensure consistency, it is essential that risk evaluations be carried out to the same standard using a uniform methodology throughout the Agency.
  • Evaluate current mitigation arrangements - via the consideration of the current methods used to mitigate each identified risk and whether they are appropriate.

2.21 Regular monitoring of, and reporting on, Risk Management arrangements is also required to enable the Accounting Officer to be assured that arrangements are operating as intended.

DEVELOPING THE STRUCTURES AND INFRASTRUCTURES

2.22 The overall aim is to show that the Agency complies with Treasury requirements for there to be an appropriate 'Risk Management framework' within Government departments, Agencies etc. This involves:

  • the development of the Corporate Risk Register, with significant input from the Agency Board; and
  • the introduction of robust systems to ensure that the Agency is able to give adequate and reliable disclosures with regard to the management of key risks (including the effectiveness of internal control systems).

INTEGRATING RISK MANAGEMENT INTO THE AGENCY

2.23 Integrating Risk Management into the day-to-day business processes provides an opportunity to add value to the business as a whole. Integration will be achieved through:

  • raising colleagues' awareness of Agency Risk Management procedures through existing communication channels;
  • providing training in Risk Management where appropriate (e.g. to colleagues with related responsibilities);
  • arranging and assisting in the performance of facilitated risk review workshops; and
  • promoting the management of risk as a process improvement tool using the Control & Risk Self Assessment (CRSA) problem solving techniques.

2.24 The diagram below provides an overview of the levels at which risk reviews are performed and the types of risk identified:

diagram description

2.25 The diagram reflects that, should a risk be assessed as 'critical' to the achievement of longer-term 'strategic' objectives, it may move 'up' from being managed at project level to Agency Board level. This 'movement' of risk may also go in the opposite direction, again, depending upon the ongoing assessment of likelihood and consequence.

LIVING RISK MANAGEMENT AT ALL LEVELS OF THE AGENCY

2.26 The experience of both private and public sector organisations shows that embedding of Risk Management at all levels is a long-term ambition, but this is no reason not to aim for that as a goal. To help realise the full benefits of Risk Management, the management of risk already forms part of the core competence areas for colleagues (competency number 8 - problem solving and decision making). Training and coaching for colleagues in the identification of risk and the design and evaluation of mitigation arrangements is to be made available.

2.27 Some of the key milestones for the development of Risk Management arrangements in the Agency are:

Implementing Risk Management in Agency - Outline Timetable: