Social Security Scotland: framework document

Risk Management

66. The Chief Executive is responsible for embedding arrangements for identifying, assessing and managing risks. Risk management is closely linked to the business planning process. There is a considered choice about the desired risk profile, taking account of the Agency's legal obligations, ministers' policy decisions, Agency business objectives, and public expectations of what the Agency delivers. The management of risk is reviewed regularly to monitor whether or not the risk profile is changing, to gain assurance that risk management is effective, and to identify when further action is necessary. There is regular review of whether risks still exist, whether new risks have arisen, whether the likelihood and impact of risks has changed, report significant changes which adjust risk priorities, and assurance on the effectiveness of control.

67. The overall risk management process is reviewed at least once a year to deliver assurance that it remains appropriate and effective.

68. The Agency's Audit and Assurance Committee and the assurance and advisory work of internal audit are key parts of the review and reporting process. These are not a substitute for management ownership of risk or for an embedded review system carried out by the various staff who have executive responsibility for the achievement of organisational objectives.