Scottish Public Finance Manual

Issue

Response

Details, including review work you have carried out to verify response (mandatory)

Guidance note (where applicable)

1. Risk Management

1.1 Risk and Objectives Do you have processes in place to identify and manage risks to the delivery of divisional business plans, (including objectives and targets) and that this information is reviewed on an on-going basis?

 Yes/No               

Your objectives should be the focus of any risk management information; risk identification needs to be undertaken with a clear strategy and clarity of purpose. Risk identification is an important part of business/project planning, managing performance and prioritising effectively.

Confidence levels will be shaped by:

• the identification and recording of key business risks as part of business planning activity; regular management discussions take place that consider risks and objectives together alongside performance monitoring arrangements
• processes that ensure the right people are involved in the management of risk and that each stage in the process is being actively recorded and managed
• you revisit risks periodically to ensure that updates or changes to business planning activity, objectives or projects reflect the current situation
• the maintenance of risk registers, based on the standard template, at directorate/divisional/branch/project level (as appropriate) and that there is a nominated person within your division/team with responsibility for coordinating the update of the register
• risks are owned and managed by a named person who is responsible for coordinating any actions
• risks to delivery are discussed as often as is appropriate at key senior team and governance meetings within your division
• You engage with your Risk Champion within your Directorate who has the responsibility to ensure that systems and processes are in place and are consistent with the Scottish government (SG) Risk Management approach

(The SG Risk Guide and the SG Template risk register is available on the intranet. General guidance is available through Risk Management in the SPFM.)

1.2 Risk Identification - do you employ a systematic approach to help the identification and prioritisation of your risks and manage them by allocating resources proportionately in alignment with your business plans?

Yes/No               

A systematic approach to risk identification should be taken to ensure you have a complete risk profile.

 Confidence levels will be shaped by:

• using a simple technique that provides a wide scan of areas that may affect objectives such a PESTLES or SWOT Analysis
• undertaking risk identification exercises periodically and/or when priorities or circumstances change and/or when new pieces of work start
• using available sources of data to support risk identification and prioritisation
• consideration of cost, feasibility, probability, risk appetite and the potential impact when determining how to address your risks
• utilising diverse perspectives from stakeholders, your teams, division, directorate, project or programme and think about what arrangements are in place in your area to ensure that risk information is supporting your decision–making

(The SG Risk Guide and Supplementary Guide: Identifying Risk are available on the Intranet. General guidance is available through Risk Management in the SPFM.

1.3 Risk Leadership - is risk management activity within your area led from the top, actively promoted, and delivered by branch heads and team leaders alongside support from your Directorate’s Risk Champion

Effective communication is vital to effective risk management. Confidence levels should be shaped by:

• Deputy Directors, Branch Heads and Team Leaders understand their responsibilities and are actively involved in the identification and management of risk
• the Risk Champions within your Directorate are known and utilised to support the development of your risk management approach
• all risks, once identified, are assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time
• colleagues at all levels have a clear understanding of the current risk landscape, are empowered to identify, and raise risks for discussion and emerging risks are recorded risk management is viewed as a continual learning process, good practice is shared and communicated allowing your teams to benefit from lessons learned in a project or programme
• risk is discussed as a regular part of management/senior team discussions lines of communication are clearly articulated and documented to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions
• risk escalation routes are clearly documented and risk discussion forms a part of formal (and informal) management and team meetings, with information communicated in both directions to ensure common understanding and feedback on risk matters

(The SG Risk Guide and  Supplementary Guides for Roles and Responsibilities and Recording, Reviewing, Reporting and escalating risk are available on the Intranet. General guidance is available through Risk Management in the SPFM.)

1.4 Risk Learning - are you assured that all staff have undertaken basic risk management training in your area and understand their role in the identification and management of risk?

Ensuring all staff have the right level of skills and training to ensure effective engagement with the risk management process is key. Everyone in the organisation has a role in helping to identify and manage risks, therefore it is essential that all staff have a basic understanding of risk management policy and process. All staff but especially those who lead risk management activity should have some risk management training to ensure a base level of knowledge of the corporate processes.

Confidence levels should be shaped by:

• all staff within the core SG should have at minimum completed the mandatory SG Risk Management eLearning Pathway your confidence level should reflect the published stats for your area (these can be obtained from your risk champion).
• key staff with particular responsibility or interaction with risk management have undertaken the further training (either externally or provided by the Risk Management Policy Team)
• Risk Champions have completed appropriate learning as set out in the Risk Champion Role Profile and Support Model on page five of Risk Management  intranet pages
• key staff may have undertaken equivalent training from external training providers such as CIPFA, the Institute of Risk Management (IRM) or Management of Risk (MoR) qualification
• lessons learned exercises are undertaken where appropriate to learn from for example perceived failures (e.g. an unforeseen risk or a crystallised risk which turned out more damaging than expected) and instances where risks have been managed well, to see whether there is anything to be gained by repeating effective techniques elsewhere
• output from the recent Risk Management Maturity Exercises or Internal Audit reviews that have been implemented

(The SG Risk Guide is available on the Intranet. General guidance is available through Risk Management in the SPFM.)

1.5 Recording and Reviewing Risk - do you regularly review your key risks (including Cyber risks and threats), record them using the standard SG Risk Register format and do you receive reports on the management of those key risks and controls/mitigating actions?

Yes/No               

Good risk management means documenting and assessing identified risks, implementing controls and actions to reduce risks to within agreed levels. Risk documentation must be reviewed regularly to ensure that appropriate action is being taken and progress documented. Risk Registers should be a dynamic means of recording risks, reporting on risks should include analysis and ask key questions of risk owners – it should not always be a review of the risk register.

Confidence levels should be shaped by:

• recording risks on an appropriate risk register held a directorate/divisional/project/branch level and in compliance with SG guidance and template
• processes which utilise risk register detail and the knowledge of wider outside influences to support your understanding of the wider risk landscape and help to recognise current pressures across a project or programme
• routinely looking across your risk landscape and perform deep dives on key risks
• risks form a part of regular management discussions with controls, actions, target scores and dates scrutinised, preferably using a form of reporting other than the risk register to summarise risks or drive focus on key aspects of the risk register and focus management attention
•  processes in place to escalate key risks ensuring effective communication, increasing awareness of the risk, and highlighting where more senior supportive action is needed
• lines of communication to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions

(The SG Risk Guide and Supplementary Guide: Recording, Reviewing, Reporting and Escalating risk are available on the Intranet.  The Standard Risk Register Template is also available on the intranet. General guidance is available through Risk Management in the SPFM.)

1.6 Risk Appetite Have you articulated your appetite for key risks and do you use this to help identify the extent to which you need to address your risks?

Yes/No               

Your risk appetite should reflect the level of risk that you are prepared to accept (and not accept) for different types of risk in order to achieve your objectives. Ensuring you understand your appetite for risk is essential to helping you prioritise risk mitigations, and therefore resources, on those risks outside of your agreed acceptable limits. Risk appetite should be considered within the wider context of your Directorate and DG to ensure that your approach is appropriate.

Confidence levels should be shaped by:

• having clearly articulated risk appetite statements/or equivalent for the most appropriate categories of risk either within your divisions projects, programmes or at directorate level
• having clear definitions that provide lower-level examples to clarify meaning for use during day-to-day processes and procedures. This can help guide and advise staff on what is expected of them as part of a programme. For example, when staff should avoid actions or particular risks, when they should not allow certain things to happen and where people should look to take more risk
• having effective measures that can actively monitor performance against the appetite definitions as well as the overall statements. This can be taken from appropriate IT and other systems to support the risk management processes, such as financial information, people information, consultation information etc. All forms of measurement need to be appropriate to the relevant environment
• using target scoring within your risk register to ensure you risk appetite is reflected in the register, supporting effective discussion when current scores are beyond the target/risk appetite and when risks are close/proximate

(The SG Risk Guide and the supplementary Guide: Risk Appetite are available on the Intranet. General guidance is available through Risk Management in the SPFM.)

1.7 Is there a Business Continuity Plan covering the critical functions of your business area, as identified through a business impact analysis, which has been reviewed and updated and exercised in the last year?

Yes/No               

Every directorate should have a Business Continuity Plan. Every division must ensure their functions are reflected in the directorate plan or in their own divisional plan, if appropriate.

The plan should describe how essential business across the directorate would carry on in the event of disruption to staff, building access, systems such as information communications technology (ICT), data or organisations you depend on (such as supppliers). These plans should include robust communication and incident management arrangements are in place (e.g., sign up to GroupCall as well as local business area arrangements) and incident management arrangements.

A business impace analysis should be used to determine the critical functions of the directorate and the maximum tolerable period of disruptions and recovery time objectives for these functions. It should identify what is required to carry out those functions (staff, buildings, systems including ICT, other organsiations such as suppliers).

Plans should be reviewed, updated and exercised at least annually or more frequently to accommodate change in: personnel; responsibilities; priorities; working practices; processes; procedures; the external and internal operating environment; to apply lessons learned.

Your level of confidenct should reflect your confidence in the directorate's ability to continue delivery of critical functions in the event of disruption.

Guidance and support for local business continuity planning activities can be requested from the Security and Business Continuity Unit. Guidance and templates are available on the intranet.

1.8 Do you have disaster recovery plans/arrangements in place for the event of the loss of key systems (including corporate ICT systems and line of business applications) upon which your and/or other business operations depend on?

Providers of corporate services must ensure plans are in place for dealing with systems failure, including both to continue to provide critical services to other users and to recover affected systems. Where local systems are in operation, including but not exclusively ICT systems, the business area has a responsiblity to ensure that plans are in place for business continuity and for recovery e.g., back-up data to ensure that services can be fully restored. Local response to the possible loss of corporate functions and resources (e.g., accommodation, SCOTS, SEAS, eRDM, e-HR, MiCase, line of business applications) might be considered in the context of divisional risk management, incident management and business continuity processes and procedures. Business areas with staff in non-main buildings may have local arrangements in place in the event of loss of key facilities and resources. Your recovery plans/arrangements should be tested regularly to ensure they are fit for purpose and meet your needs in the event of a loss or continuity event; your level of confidence should reflect the extent to which you have tested your plans and updated them accordingly.

2. Business planning               

2.1 Do you have clear business objectives relating to the high priority business objectives of your division (linked to National Outcomes) and do they relate to those articulated within your Directorate business plan?

Yes/No               

You should have clear business objectives which are linked to key National Outcomes as outlined in the National Performance Framework and where appropriate the Programme for Government as early as possible in the process so that appropriate advice can be provided.

Business plans should be refreshed on a one-year cycle but should include indications of how the business plan will develop over the following two years. Business Plans should also inform risk management information. Confidence levels should be shaped by:

• your business objectives/SMART targets are reflected and documented in the Divisional Plan and via staff performance appraisal forms at all levels as appropriate
• plans provide a clear link (golden thread) to your Directorate’s Plan and provide a clear set of priorities

Yes/No               

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised. New property requirements should be discussed with Property and Construction Division for advice.

For change initiatives managed as projects or programmes, section 3 (major investment) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business-as-Usual and projects.

Teams should utilise the AO templates for spending decisions per approval limits.

The Organisational Change and Performance Division can support colleagues planning to undertake change and improvement work. The Organisational Change and Performance Division can advise on a range of improvement and change methodologies, and signpost colleagues additional supports available within the Scottish Government.

2.3 Are there clear plans for how your division will contribute to Directorate improvements in their performance – in keeping with the vision and values of In the Service of Scotland?

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing business and staff performance measures. Our vision - 'In the Service of Scotland' - provides the blueprint for how to successfully operate in an uncertain and evolving world. If you would like to know more about our vision and how you can help shape how we achieve it.

Additionally, guidance on Performance Management is available on the intranet.

2.4 Do you regularly receive timely, relevant, and reliable reports on progress and performance against key indicators and targets alongside your risk information and take corrective action where necessary?

Yes/No               

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reprioritisation/reallocation of resources (budgets and staff) and the reordering of key business priorities.

2.5 Does your business plan inform your financial, people, and operational plans and prioritisation?

This could be demonstrated whereby the business plan is used as a reference document when considering new requests that come in to identify opportunity cost and prioritisation advice. There should be a connection between the items in the business plan and assumptions for finance, people and operational decision making – whereby delivery identified within the business plan has resource allocated within financial and people plans, and operational plans about where people are deployed accommodate the deliverables and schedule within the business plan.

3. Major investment               

3.1 Has your area been responsible for the initiation or delivery of one or more major projects or investments during the past financial year? (If not, please ignore the other questions in this section)

Yes/No               

Major investments are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives:

• have a total anticipated whole-life (capital or revenue) cost of £5 million plus inclusive of fees and VAT or is above your delegated authority limits or
• could create pressures leading to a potential overspending on portfolio budgets or
• would entail contractual commitments to significant levels of spending in future years for which plans have not been set or
• could set a potentially expensive precedent or
• will be challenging to deliver within existing resources and capability and/or
• represents a material level of expenditure and/or
• will have a material ongoing financial impact or
• is novel, and/or contentious and/or complex, or
• could impact on the delivery of a Programme for Government commitment or
• requires primary legislation

All Major Investments must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects.

3.2 Do/did your project’s governance arrangements align with the Scottish Government’s strategy and sector specific governance procedures?

Yes/No               

Relevant procedures include the following:

3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

Yes/No               

Relevant procedures include the following:

• submitting the completed Risk Potential Assessment to the SG’s Portfolio, Programme and Project Assurance Hub for review of your project’s assurance needs
• actively engaging with corporate assurance providers, taking advice on board, and promptly acting on review recommendations
• major infrastructure projects over £20 million in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue, may require Key Stage Reviews (KSRs) during key procurement stages - KSRs are undertaken by the Scottish Futures Trust

3.4 Do you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No               

You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency. Your business case should encompass relevant data from impact assessments, benefit measures, delivery approaches and optimism bias to allow a proportionate evaluation.

For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM. 

For construction and/or an infrastructure project, you must be able to demonstrate compliance with Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit. 

3.5. Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No               

The SRO (Senior Responsible Owner) must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience, and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1.

All major projects should have undertaken a PPM Maturity Self-Assessment, and these should be reviewed periodically, where additional assurance of capacity or capability is required, an early capability checkpoint review is available from the Portfolio, Programme and Assurance Team.

You should have engaged with relevant professions or cross-functional teams in the planning and scoping stages of your project to ensure they can help inform opportunities and risk assessments at the earliest opportunity to maximise successful outcomes. For example, have you engaged with the following for advice and guidance, and, to embed their expertise in your planning, business case and risk & impact assessment, enabling a whole system approach:

• Finance Business Partners on funding, budgetary or grant management considerations
• the Scottish Procurement and Commercial Directorate on driving commercial and sustainable outcomes through procurement, commercial and/or property projects
• Digital DATS on digital and agile skills and approaches
• People Directorate on HR considerations
• Economists, Legal, etc as required

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with COA question 7.5.

3.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes/No               

Necessary arrangements include:

• ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects”
• capturing lessons during the project lifecycle and sharing as appropriate. The Lessons Toolkit provides some guidance on how to capture lessons
• formal contract management arrangements should be put in place, where appropriate including the identified benefits, and implementing the SG’s contract management handbook guidance including recording, monitoring, and reporting KPIs

Ensuring that:

• carrying out a Post Project Review to establish how well the project was managed and benefits realised is carried out (Gate 5 Review – Operations Review and Benefits Realisation).
• post Implementation Reviews (also known as Post Occupancy Reviews for construction projects) to establish if the original project objectives are being achieved are carried out. This review is likely to be repeated all feedback is used to inform future project delivery

4. Project management               

4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year?

Yes/No               

This section covers all projects and investments not covered by the SPFM definition of a major investment project, including digital, business transformation, infrastructure and/or new or changing policy or legislative programmes.

The Programme and Project Management Centre of Expertise (PPM-CoE) library of support provides a range of guidance and support to help you provide a proportionate approach to project delivery.

4.2 Did/do your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures?

Yes/No               

Projects should take a proportionate approach to employing an enabling governance regime based on the principles contained within the major project section of the SPFM. Scottish Government’s Principles for Programme and Project Management set out a framework of activities that should be embedded to enable and control projects.

Yes/No               

Relevant proportionate procedures include the following options: 

• completing the Risk Potential Assessment Forms, available from SG's Portfolio, Programme and Project Assurance hub,  to determine the potential complexity and risk of your project(s) and submitting to the SG’s Portfolio, Programme and Project Assurance Hub 

• completing the Risk Potential Assessment Forms to determine the potential complexity and risk of your project(s) 

• submitting the completed RPA to the SG's Portfolio, Programme and Project Assurance Hub

• engaging in peer review of your projects or aspects of it 

• registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital Scotland Service Standard for new digital public services and Scottish Government corporate system 

4.4 Do you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No               

All projects should articulate an accurate and up-to-date justification, proportionate to the size of the investment. The five cases of the UKG’s Treasury Model should be identifiable though the document may vary in size and complexity.

4.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No               

Projects should not be entered into without a viable route to the appropriate capacity and capability to deliver in line with the Management Case of the above the model. 

All projects and project areas are encouraged to undertake a regular PPM Maturity Assessment and plan activities required to close any gap between actual and desired/targeted PPM maturity.

4.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes/No               

Benefits should be specifically described and measurements applied, and then actively managed to ensure the purpose of the investment can be adequately justified before and during delivery, then measured and assessed post-project, and maximum value can be achieved from the investment.

Projects are learning organisations and they should put proportionate arrangements in place to identify and gather knowledge to improve their delivery and the delivery of other projects across the SG. 

 5. Financial management               

5.1 Do you ensure that a documented business case has been prepared for all policy proposals and do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Scottish Procurement and Property Directorate SPPD and Internal Audit and Assurance Directorate is involved at the earliest possible stage in its preparation where there are resource, control, procurement, property or other finance related implications and that they are kept informed of developments?

Finance should also be consulted on any novel or contentious spending proposal, in line with the Financial accountability and assurance and any matter which includes issues of financial propriety and regularity. The need to consult Finance might also be included in induction material and local desk instructions. We recommend that the relevant UK guidance such as the Green Book is also consulted as part of any policy proposal alongside the SG approach to Risk Management.

Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, including guidance to ensure that proper and accurate accounting records are maintained and entries in them are properly authorised? Are processes in place for regular monitoring of compliance with these instructions?

Local desk instructions should be drawn, as appropriate, from the key principles of the SPFM. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers. The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g., the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)

5.3 Do you ensure that all staff that have budgetary responsibility have written delegated authority and the appropriate skills and training to discharge their responsibilities for managing public money?

Delegated financial authority (i.e., where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many divisions but where it is you should provide details of the broad arrangements e.g., set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc. within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the Intranet.)

(Guidance on Budget and Financial Management is available on the Intranet under Financial Accountability and Assurance and Pathways Digital Learning Platform.)

5.4 Is there adequate separation of duties where required and are staff with these duties adequately trained to discharge their responsibilities in that regard and how do you ensure that this is achieved?

Yes/No               

Confidence levels will be shaped by the strength of procedures applied to activities such as authorising and processing payments and receipts or awarding grants. There may be concerns (e.g., within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g., compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable and Receipts.) This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. Individual duties should be covered in desk instructions. All staff with responsibility for entering into contracts, raising purchase orders, or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and or charge VAT.

Note that this is separate from the authority required to add/amend suppliers and make and authorise payments within SEAS or to purchase within EASEbuy.

5.5 Do you ensure that Finance (and Property where applicable) are informed of any changes to assets as they arise and that SEAS is maintained up to date to reflect the assets held in your area?

Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions and be supported by Asset Addition forms. Any disposal of previously capitalised assets should be recorded correctly in SEAS and supported by Asset Disposal forms. Further guidance is available from your Finance Business Partner and via the Intranet. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

5.6 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? How do you ensure this?

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal.

(Guidance on Property Management and Fraud is available in the SPFM.). Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

5.7 Do you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government and that it is collected within reasonable timescales and are procedures written with reference to the SPFM and are they reviewed and updated regularly?

Further detail on Debt recovery can be found in the Income receivable and receipts section of the SPFM.

Staff should be trained in local procedures/arrangements which should be reviewed and kept up to date. Confidence levels will be shaped by the strength of procedures surrounding:

• any relevant Statutory Authority for fees and charging and associated VAT
• appropriate accounting treatment and budgeting treatment of income, receivables, receipts, and internal transactions
• adequate segregation of duties
• credit control and the relevant monitoring and management
• debt recovery and uninvoiced income
• EC Receipts, Excess Receipts, designated receipts, NLF repayments and recoveries from the SCF

5.8 Do you have procedures in place for timeous and effective monitoring and reviewing of financial information and budgets for which you are responsible to ensure that central finance deadlines are met?

The response should reflect the following:

• measures to ensure that financial systems contain accurate and up to date information
• measures to monitor the security of financial information
• local arrangements for monitoring and reviewing operating costs and programme budgets
• measures should include regular management checks. Arrangements for reviewing budgets should be consistent with re-profiling information returned to Finance. (Guidance on Budget and Financial Management is available on the Intranet and the Learning Portal)

5.9 Do you have procedures in place to ensure that budgets are regularly reviewed throughout the year and that budget transfers are completed and authorised in line with corporate finance deadlines?

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.10 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your director or equivalent? How do you ensure this is achieved in line with corporate finance deadlines and what action is taken following financial review to ensure a balanced budget is achieved?

The review of the regular financial reports needs to take account of both forecast outturn positions and year-to-date actual costs against profiled budget spend.

5.11 Do you ensure that that the Subsidy Control Unit is consulted at the earliest possible stage on all proposals that may have subsidy implications? 

Guidance on Subsidy Control procedures is included in the SPFM. Further detailed guidance is available from SG's Subsidy Control Team.

5.12 Do you ensure that any grant proposals and payments comply with the guidance in the SPFM and internal guidance?

The section of the SPFM on Grant and Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer Grant Letter document. SG Grant Management guidance can be found on the Intranet.

5.13 Do you ensure that any grants awarded are linked to the National Outcomes as outlined in the National Performance Framework and where applicable any Programme for Government commitments via the Model Offer Agreement, including the contribution the grant is expected to make in achieving these outcomes including how they will be monitored and evaluated?

Yes/No               

The Model Offer letter should detail the specific outcomes the grant is planning to achieve, and business areas should consider (where appropriate) how it will contribute to other key policies and initiatives as detailed in local guidance – guidance on grant making can be found on the intranet.

This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having.

5.14 Do you have confidence that all of your staff who are involved in the management of grants have the skills and training to allow them to manage their grants effectively?

Ensuring key staff have the right level of skills and training to ensure effective engagement with the grant management process is key. Confidence levels should be shaped by:

• staff should complete the Grants Process Training available on Pathways
• staff regularly refer to the grants guidance on the intranet before commencing any grant award
• staff involved in grant management have at minimum undertaken the SG Due Diligence-Grants Process eLearning on Pathways
• DG Grant managers are engaged with the Grants Managers network on Yammer
• your grant managers are actively sharing lessons learned within the business area from experience

5.15 Do you have procedures in place to monitor any Losses, Special Payments, and Gifts in year?

Losses, Special Payments, and Gifts should be disclosed each year. The SPFM includes guidance on Losses and Special Payments and Gifts giving guidance on the various types of Losses, special payments and gifts and the approval process. You should ensure the guidance is followed to correctly report any of these transactions.

5.16 Do you have year-end procedures in place to ensure all Annual Accounts returns are completed in a timely and accurate manner?

There are various returns due to finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances (Contingent Liabilities, contingent assets), indemnities and guarantees.

Confidence levels can be shaped by:

• having an embedded finance team or person who undertakes these key processes for your area
• ensuring that those staff have the appropriate qualifications/training to undertake this activity
• the team or staff member has established clear links with the relevant finance team/FBP etc.

6. Fraud               

6.1 Are operational managers and all members of staff within your area aware of their responsibilities with regards to the prevention and detection of Fraud (including Cyber Fraud)?

Confidence levels should be shaped by:

• awareness of the relevant guidance in the section on Fraud in the SPFM which might be brought to the attention of staff periodically and other relevant local guidance – the Scottish Government (SG) has a comprehensive guide on the intranet

• the linking of induction materials to the relevant internal guidance on fraud prevention – there is a comprehensive guideon the intranet

• within the SG ensuring that staff have undertaken relevant civil service learning on fraud prevention for staff and managers accessible via Civil Service Learning 

• established Fraud Management Procedures (linked to a Counter Fraud Management Strategy) documented and accessible to staff 

• fraud being appropriately and systematically recorded and reported to Governance and Risk where applicable and the relevant Audit/Assurance Committee 

6.2 Have you had any cases of fraud or suspected fraud within your area in the last year?

Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team.  

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot or the Crimestoppers Hotline 08000 15 16 28. 

6.3 Have you identified and documented the fraud and corruption risks specific to your area, by way of fraud risk assessments, ensuring that, where needed, risks are mitigated with appropriate control activities?

Confidence levels should be shaped by: 

• exercises carried out to determine risk levels as per the section on Fraud within the SPFM 

• risk registers contain reference to fraud and corruption risks and corresponding control activity, with active monitoring of these risks 

• ensuring that control activities or improvement plans, are explicit in their targeting of fraud risks and gaps in assurance relating to fraud risk 

• fraud risks are periodically reviewed and updated in terms of increased/decreased fraud threat due to external or environmental factors affecting inherent fraud risk 

6.4 When new grant schemes or other spend programmes are being developed do you ensure you are considering whether fraud prevention measures need to be built into your plans, based on appropriate Fraud Risk assessments being in place?

Within grant schemes confidence levels should be shaped by: 

• awareness of the fraud procedures in place within prospective funding recipient’s business processes 

• ensuring appropriate due diligence checking has been undertaken on applicants to ensure they are legitimate recipients  

• appropriate criteria for determining eligible expenditure are in place 

• payment in advance of need is appropriately assessed by your finance business partner 

• throughout the grants process, decisions, key documentation, and evidence should be appropriately recorded to ensure an effective audit trail. This will ensure that you can evidence decisions made and support any internal or external review. You should use the audit trail checklist to ensure you have all the appropriate documentation to support your grant 

Within other spend confidence levels should be shaped by: 

• ensuring you are in compliance with the Scottish Procurement Policy Manual 

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot or the Crimestoppers Hotline 08000 15 16 28. 

7. Procurement

7.1 Do you ensure that the Scottish Procurement and Property Directorate (SPPD)- are consulted from the earliest possible stage on any business cases proposals that may involve procurement, commercial and/or property activity?

Guidance on the role of the Scottish Procurement and Property Directorate (SPPD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the intranet. The need to consult SPPD might be included in induction material and local desk instructions.

SPPD must be consulted early on any novel or contentious spending proposal and any matter which includes issues of procurement and/or property propriety or regularity and in all instances where purchasing support will be needed from SPPD. For all major programmes and large funds this means involvement in the drafting of Strategic Outline Cases. For initiatives of any size  that will involve the third or private sector distributing funds on ministers' behalf, this means engaging SPPD during policy  design. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

7.2 Do you have sufficient access to staff with Delegated Purchasing Authority (DPA) to meet your business needs?

DPA is the authority from the Director of Procurement and should on a personal basis to permit permanent SG members of staff to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and active management of the contract after award. This is separate from financial authority and the authority to make purchases on EASEbuy.

Please confirm how many staff in your area have DPA and if the number does meet your business needs. 

(Guidance on DPA is available on the intranet).

7.3 Do you have contracts in place for all purchases of goods, services and works in your division whether bespoke contracts for your area or corporate contracts available for use across the Scottish Government?

Divisions should understand if their procurement spend is covered by contract and should be aware of the Scottish Government contract register. Contracts can only be placed by officers with Delegated Purchasing Authority (see 7.2 above)

7.4 Is all procurement activity within your area undertaken in accordance with the Procurement Policy Manual and all policy initiatives announced in Scottish Procurement Policy Notes (SPPNs) issued by the Scottish Procurement and Property Directorate?

Evidence should be provided by staff with DPA to assure Division Heads that all procurement activity has been conducted with the Procurement Policy Manual. Specific guidance on the operation of the electronic Purchasing Card and the EASEbuy System is available for staff making purchases using ePC. Does your business area have a system in place to ensure staff are aware of the latest and any other significant Scottish Public Procurement Notes SPPN’s (Cyber Security, Climate Change)?

7.5 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures? This includes using the consultancy account codes on the Purchase Orders that are created in the purchasing system.

Expenditure for contracts for consultancy below £10,000 in value need to be approved at Deputy Director level. Expenditure for consultancy contracts between £10,000 and £50,000 need to be approved at Director General level. Above £50,000 submissions for approval must be endorsed by the relevant Director General and expenditure must be approved by the Cabinet Secretary for Finance and Economy. If there have been no such cases during the period, then please provide a nil response.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

Management checks on consultancy expenditure on SEAS should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.

7.6 Is the number of staff authorised and trained to act as purchasing system requisitioners and approvers consistent with your division’s needs?

Staff who are authorised as purchasing system requisitioners and approver need to recognise the importance on the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the EASEbuy training page.

7.7 Do you ensure that staff with electronic Purchasing Cards (ePCs) are fully aware of their responsibilities to monitor compliance and meet the ePC policy?

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on ePC is available on the intranet.)

7.8 Do you ensure that staff are complying with the prompt payment of suppliers’ process to meet the 10-day payment commitment?

Relevant guidance regarding the prompt payment of suppliers’ policy must be brought to the attention of staff periodically and/or in reviewing training requirements.

7.9 Do you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of both technical and commercial requirements?

Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract. Staff can seek guidance or arrange for Contract Management services to be delivered by the SPPD Contract Management Team. Additional guidance is also available on the Procurement Journey.

In addition, Staff responsible for construction projects should be aware of the guidance provided within the Client Guide to Construction Projects and can seek guidance from the CPPU Team.

8. Human resources

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

• regular workforce planning discussions with HR Business Partners and Finance Business Partners to monitor and manage workforce numbers and cost against ET agreed projections for the current financial year and future years to March 2027
• keeping baselining/skills information of workforce up to date and encouraging completion of diversity data on corporate systems
• identifying any roles/skills that are a single point of failure and establishing a response (i.e., succession planning)
• adherence to corporate processes (including through the Resource Assurance Committee approvals process in FY23/24) and timescales regarding recruitment
• actions to increase diversity through recruitment and succession planning (e.g., completing mandatory Inclusive Recruitment learning, Diverse Panels, and carefully considering how and where to advertise vacancies)
• what evidence do you draw on to inform action, including for example: Workforce planning returns, Directors Quarterly MI (Management Information) pack, Workforce Monitoring Dashboards, People and Finance DG Assurance metrics, diversity monitoring information on the D +  I Dashboard

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right skills now and for the future.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

• having personal and divisional learning/development/capability plans (including relevant professions) reflecting corporate priorities, local business needs and the diverse needs of your workforce and ensuring that time is available for staff to take part in development activities
• having high quality and mandatory individual diversity objectives which contribute to building a diverse and inclusive culture, and embed Divesity and Inclusion (D&I) in business delivery
• all staff involved in recruitment should have completed mandatory inclusive recruitment eLearning on Pathways.
• attending quarterly all DG staff, D&I events
• effective processes, including regular career conversations, for identifying and developing talent
• the role of line managers in SG’s HR policies is well understood and the application of best People Management practice is highly valued, supported and openly recognised
• adherence to corporate processes regarding performance management (i.e., monthly conversations, In Year Reviews and End Year Reviews and development discussions)
• evidencing where you draw from to inform positive action, e.g.: updated guidance available on the intranet on learning approaches 
• regularly reviewing pathways reporting to help review mandatory learning (e.g., Inclusive Culture for all staff learning on Pathways)
• Promotion and use of the Employee Passport and regular review of workplace adjustments to ensure they continue to meet staff and business needs
• (for DG's and Directors) completing annual Director succession planning exercise and holding quarterly SMT Talent meetings
• Establishing effective hybrid working patterns for teams, applying current hybrid expectations and priniciples and drawing on the learning resources available

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure a workplace culture for individuals to bring their whole selves to work, to thrive and be successful.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

• ensure your teams are familiar with and following the probation policy - this includes solid objectives; induction; employee passports; engagement with workplace adjustments services as required; monthly conversations and interim/end probation reviews (access HR early where concerns arise)
• having induction processes for those new to the role or grade and investing time mentoring and coaching new staff
• reviewing on-time completion and recording of both the probation process (where applicable) and performance appraisals
• role modelling of the Civil Service Code and inclusive leadership, including completion of mandatory learning, declaration and management of outside interests and recording of gifts and hospitality
• adhering to corporate processes regarding attendance management (in particular ensuring absences are opened and closed on the system given the pay impact), grievance conduct and performance management (noting separate guidance for Senior Civil Servants and probationers)
• conducting monthly conversations that focus on performance and wellbeing, signposting staff diversity networks as a source of peer support
• regularly review people management and leadership capability within your team and encourage continuous development
• accessing toolkits and resources (available on Pathways) to support and develop line management and leadership
• using MI to identify and take action where absence rates or reasons raise concerns
• having in place, and effectively assessing, meaningful mandatory diversity and inclusion objectives at all levels to support employer outcomes  using the D + I objective framework to support this. Mainstreaming relevant actions from the Diversity and Inclusion Strategy action plan 
• adhering to flexible working policy and leave policy
• understanding employees’ individual needs using and promoting the employee passport to identify, implement and/or access corporate support to put in place workplace adjustments to enable everyone, and particularly disabled staff, to fulfil their potential by removing barriers stopping them perform at their best while working at home  and in the workplace
• encouraging people to complete their diversity information on corporate systems at a business level and using corporate data produced to effectively advance diversity and inclusion
• what evidence you draw on to inform positive action, e.g. People Survey results, Directors MI pack, Diversity Packs, Attendance Management Monthly Reports

9. Equality and diversity

9.1 Are all new, revised or strategically significant policies/activities/projects in your area assessed, in line with legislative requirements, for their impact on people with one or more of the Protected Characteristics listed in the Equality Act 2010 at the earliest possible stage in the policy development process?

This question relates to the leadership responsibility under the statutory Public Sector Equality Duty (PSED), and the specific duty to assess and review policies and practices. Policy should be understood broadly to embrace the full range of policies, provisions, criteria, functions, practices, and activities undertaken by the Scottish Government. You are expected to ensure that, in line with legislative requirements, new or revised policies and practices in your area are assessed for their impact on people with one or more of the protected characteristics in the Equality Act 2010. These are age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; sex; and sexual orientation. Going beyond statutory obligation, the First Minister and the Permanent Secretary have made clear their ambition for equality and human rights to be embedded in everything SG does.

In terms of process, assessment would typically be done through the EQIA process. Guidance on EQIAs is available on the intranet. Relevant deputy director (or equivalent is required to sign off on EQIAs, and in signing off they are required to ensure the impact of applying the policy has been sufficiently assessed against the three needs of the equality duty and EQIA is robust and addressing all relevant equality issues. In answering, you should be able to demonstrate that you have in place appropriate arrangements for identifying and monitoring EQIA application and for prioritisation of EQIA within policy and practice development and review. This also includes an assurance that DD sign-off for situations that are assessed as 'no EQIA is required' are reviewed  and evaluated as correct

9.2 Are you confident that all staff in your division have the capacity and capability to embed equality within the policies or programmes they are working on?

This question seeks to find out if SG staff have the capacity and capability to deliver on equality obligations. In answering this question, you should consider whether staff have had sufficient time, information, training, guidance, and support to enable that aim to be realised, considering for example if:

• they have an appropriate ‘stretch’ Diversity Objective
• they have good awareness of equality issues; an understanding of the need for good quality impact assessment and how this relates to the development of policy or practices (evidence may include confirmation of training at induction and ongoing training and capacity building updated via appropriate continuous professional development)
• they know about and use relevant sources of data such as the SG equality evidence finder and relevant employee data
• they know about and engage with equality advocacy groups and that completed EQIAs evidence the use of evidence from engagement in shaping policy
• for internal policy and employee-related policies/practices, they are drawing on employee lived experience and insights gathered for example through the People Survey
• they have sufficient time, which is reflected in their business objectives, to consider equality matters in developing and delivery policy and/or relevant activity

• they understand the need to ensure that EQIAs in the business area they have responsibility for, should be kept under review and that they are able to demonstrate that this is happening

Equality guidance and tools are available on the intranet. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area.

9.3 Are you confident that any procedures in place to ensure that equality considerations are embedded into all policies/activities/projects in your area are delivering improved outcomes for people with protected characteristics?

This question relates to the extent to which policies and programmes are delivering meaningful outcomes for the people whose lives the Scottish Government is seeking to improve, which includes those with one or more protected characteristics under the Equality Act 2010.

Specifically, EQIAs must consider impacts based on the three tests of the Public Sector Equality Duty (PSED) it is required to address:

• do policies, practices or programmes contribute to reducing or eliminating discrimination for individuals with one or more protected characteristics - this means reducing disadvantage or less favourable treatment
• do policies, practices or programmes advance equality of opportunity for individuals with one or more protected characteristic - this means understanding and meeting diverse needs, increasing participation of underrepresented groups and, ensuring reasonable/workplace adjustments are implemented
• does policies, practices or programmes foster good relations between those who share a protected characteristics and those who do not - this means tackling prejudice and promoting understanding

In answering you should consider and reflect the evidence (both quantitative and qualitative) demonstrating improvement in your area and the narrative of how policies and programmes in your area demonstrate active due regard to all three needs of the PSED.

9.4 Are you confident that any schemes operated by your division for funding the work of external stakeholders meet statutory equality requirements and therefore delivers improved outcomes for people with protected characteristics?

This question relates to the extent to which funding for partners’ activities and projects (or core funding for partners designated as intermediaries) aligns to statutory requirements under the Equality Act 2010. Where a private or voluntary organisation provides a ‘public function’ it is then subject to the general equality duty. A public function refers to activities that are carried out on behalf of the State not similar in kind to services that could be performed by private people. Public functions can also be carried out by private or voluntary organisations, for example when a private company manages a prison or when a voluntary organisation takes on responsibilities for child protection. In answering this question, you should set out how you are ensuring this is the case in addition to 9.1 and 9.3.

10. Information

10.1 Does your division demonstrate best practice information governance and management including compliance with relevant legislation? 

Have you ensured information held in assets complies with the Public Records (S) Act 2011 and the SG records management plan and policy?

The General Data Protection Regulation and Data Protection Act 2018 came into force in May 2018. Have you:

• registered your information assets that contain personal data, and reviewed your existing assets
• reviewed the legal basis for any personal data processing and especially where you are using the lawful bases of ‘consent’ or ‘legitimate Interest’
• updated any privacy notices
• updated any contracts with third parties that include personal data processing
• documented any personal data sharing in a data sharing agreement
• conducted a Data Protection Impact Assessment (aka Privacy Impact Assessment) where required
• made sure your staff know what to do if a security incident involving personal data takes place
• identified any personal data processing for law enforcement purposes covered by part 3 of the Data Protection Act 2018 Guide to Law Enforcement Processing
• Guide to law enforcement processing
• identified any personal data being processed outside of the UK
• directorates should therefore assure themselves they are confident that all information within their areas is managed appropriately and in line with current policies and procedures 

10.2 Are access control mechanisms in place for each system? 

Access control mechanisms for each system are documented by IAOs. Control Mechanisms are in place for physical access and access to information. Location of information assets are registered on the Information Asset Register. Have you:

• met with system operators to ensure that they are securely managing the systems
• role based access is being managed and only authorised persons have access
• backup and security patching are up to date
• system incidents are being reported to you as system owner

10.3 Has your Information Asset Owner been trained in the role and is this training up to date? 

IAOs (usually Deputy Directors but certainly head of division) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR) and managed in line with data protection regulations. Guidance can be found on the IAR pages on the intranet. See guidance on “What is an Information Asset?” in the IAO Handbook. information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet. 

10.4 Do any supporting staff have an awareness of the role and responsibilities of an IAO and have they been trained in information handling? 

Staff are available and appropriately knowledgeable to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Organisational Development and Operations, non-core bodies will have their own SIRO. 

Guidance on mandatory roles can be found on the intranet. 

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet. 

Where a Deputy IAO is assisting the IAO, have they been trained and understand the role? Please see question 10.16 below.

Deputy Information Asset Owner Role training is on pathways.

IAOs must ensure that their information assets are reviewed annually for necessity, and lawful basis and consider, where consent or legitimate interest is in use, that these remain proportionate. Data protection impact assessments should be reviewed for continued relevance and continued security both within SG and with suppliers if used.

All staff should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, and Records Management).

Where information assets are managed by external suppliers, IAOs should satisfy themselves that appropriate security and data handling processes set out at procurement time remain in place.

 The mandatory risk management training is now in place:

Pathways has an e-learning course made up of five modules that cover the key aspects of our risk framework. This course is mandatory for all colleagues. There is a course for Band A employees and another for Band B - SCS employees.

Information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored, or otherwise processed. Have you:

• processes to identify and report data breaches
• considered reporting near misses to facilitate improvement
• assessed incidents and know that a serios incident resulting in a risk to individuals may need reported with 72 hours to ICO

The security incident reporting tool can be found on the the intranet.

Incidents would relate to cases where information (both personal and non-personal) may have been accidentally exposed, lost or made unavailable regardless of whether this has resulted in harm to individuals. 

IAOs are aware of and follow the corporate process in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information.

The approved corporate system (i.e., electronic Record and Document Management system (eRDM)), is used as the approved repository for corporate information and ensures we manage it in line with the arrangements set out in our records management plan (RMP) and Information Management Strategy.

All staff in the SG should be using the approved corporate information system (eRDM) to store their corporate business documents.

 There may be procedures which are specific in your business areas regarding how you manage your information for example some information may need to be restricted to adhere to information laws or other types of legislation. Your retention timelines may differ from the standard and enhanced restrictions may be required due to sensitivity of topic.

One of the recommendations of the corporate review of our information management was the creation of an SG Information Management Strategy to ensure everyone in the Scottish Government understands their roles and responsibilities when managing and using information.

Good information and record management isn’t just about filing it is a requirement of the law. The following are key information laws which apply to the Scottish Government and each of us managing information and records on its behalf:

• Public Records (Scotland) Act 2011
• Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR)
• Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (EIRs)
• Inquiries Act 2005

There are a number of key roles that should be in place to ensure adequate management of Information. More information on these roles is detailed below.

Information Asset Owner

This is an existing role and is usually at Head of Division/Unit level.

Information Management Support Officer (IMSO)

This is also an existing role, and they are the first point of contact about guidance on the use of our electronic record and document management (eRDM) system.

Deputy Information Asset Owner (DIAO)

This is a new role which has been highly recommended to encourage, develop and maintain high standards, robust policies and procedures whilst ensuring compliance in knowledge and information management practices within divisions. They will act as a deputy to the IAO and would also provide liaison with IMSOs and the iTECS Knowledge and Information Shared Services Unit [KISS].

DG Information Governance Officer (DG IGO)

This is a recommended new role to act on behalf of the DG to champion the Information Management (IM) agenda across the DG.

Directorate Information Governance Officer (Dir IGO)

This is a recommended new role to act on behalf of the Director to champion the Information Management (IM) agenda across the Directorate.

There are a number of training resources available around information management and all colleagues should be aware of these.

SG Core staff have access to training surrounding ERDM, Records Management, Information Strategy, Data Protection etc.

Information is one of the Scottish Government’s most valuable assets and needs to be proportionately protected against loss or compromise. The IT security policy has been written to provide a mechanism to establish procedures to protect the confidentiality, integrity, and availability of our information. It does not in any way amend the requirements placed upon the Scottish Government by the Freedom of Information (Scotland) Act 2002 in relation to the disclosure of official information.

11. Health and safety

11.1 Do you have an appointed and trained Health and Safety Liaison Officer?

Health and Safety Liaison Officers perform key health and safety functions which help managers discharge their own responsibilities. In particular, local health and safety inductions and first point of contact for Display Screen Equipment queries.

11.2 Are all of your staff aware of the facility to request home working equipment to support Hybrid Working?

Health and safety when working from home should be used for requests. Guidance on Home Working equipment and set up is on the intranet.

11.3 Has all mandatory health and safety training been undertaken by all your staff?

For all Scottish Government staff there are a number of Mandatory training courses which need to be completed:
 

• Health and Safety – Display Screen Equipment (to be completed by everyone with each significant change)
• Health and Safety – Driver Safety Awareness (to be completed yearly if you drive on official business)
• Health and Safety – Fire Safety (to be completed yearly by everyone)
• Health and Safety – Manual Handling (to be completed once if required for your role)
• Health and Safety Understanding (to be completed once by all Scottish Government employees)

Managers are encouraged to stay connected with staff who are working from home.

Risk Assessment Teams (appointed by Deputy Directors) to:

• review and amend generic risk assessments, and generate new assessments as required
• communicate findings to all affected staff
• keep assessments under review

12. Sponsored bodies

Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad).

Guidance can be found in the NDPB Sponsorship Guidance Notes. 

A list of public bodies in Scotland is available on the National Public Bodies Directory. Additional information can be obtained from Public Bodies Unit if necessary.

The National Performance Framework (NPF) is Scotland’s wellbeing framework and was refreshed in 2018. The next NPF review is due to commence in 2023. The NPF is intended to inform discussion, collaboration and planning of policy and services across Scotland, encompassing the public sector, businesses, civil society, and communities. It broadly sets the strategic direction for non-reserved policy areas, which should be aligned to the NPF and National Outcomes, including the work of Public Bodies.

It also represents a closer partnership approach with local government to the delivery of services in Scotland. The approach to setting, reviewing, and reporting on progress to achieving the National Outcomes, is set out in the Community Empowerment Act 2015. Supporting documents such as the corporate plan, business plan, and framework documents should be in place to enable the sponsor team to develop a shared understanding of the joint priorities to contribute towards the National Outcomes, and to ensure that individual bodies’ corporate communications (including annual report) and engagement strategies fully reflect these.

The Scottish Parliament Budget Review Group (SPBRG) has also recommended that Public Bodies should consistently set out how they plan to contribute towards specific National Outcomes in the NPF in their published corporate and business plans, and report on their contribution to National Outcomes through their annual reports, to support parliamentary scrutiny of their activities and public spending. This means providing public information about the strategic direction and operational delivery of public bodies and how this aligns to National Outcomes and the NPF. This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having.

Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual. 

You should be able to confirm that Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance. Details of the steps taken to monitor these areas should also be provided.

Guidance on the role of the sponsoring team is set out in the framework documents for Executive NDPBs, Executive Agencies, NMOs and Advisory NDPBs which are available to download.

The four main functions of public body Boards are:

• to ensure that the body delivers its functions in accordance with Ministers’ policies and priorities
• to provide strategic leadership
• to ensure financial stewardship
• to hold the Chief Executive and senior management team to account

Boards should ensure that they maximise opportunities to develop and attract diverse candidates that meet the body’s needs and legislative requirements, See the Succession Planning Guidance for Public Body Boards (as published in February 2017) and the Gender Representation on Public Boards (GRPB) guidance. Confidence levels should be shaped by whether:

• have you carried out a skills audit
• have you taken steps to build a diverse talent pipeline (shadowing, mentoring, outreach events to support public appointment vacancies). 

Guidance given states:

• designate a person on the board, or have a nominations committee, to take the lead on board appointments
• map current skills in the board and the skills needed in the future, within the context of the public body’s strategic plan and the board’s role
• draw up a timeline of when individual board members’ and chairs’ appointments come to an end or are up for renewal and identify action that can be taken to attract a diverse range of candidates (provide shadowing, mentoring, co-opt potential talent)
• provide opportunities to develop prospective board members, particularly for people from groups that are under-represented on your board
• take specific and measurable actions to attract women and meet the Gender Representation Objective - See Guidance here

Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance.

Executive Team and Ministers have an agreed approach which has at its core supportive, trusting relationships at a senior level; an appropriate place for the SG in the accountability chain – Ministers holding Chairs to account for the actions of Boards, Boards holding Executives to account for performance - and ensuring proportionate arrangements to safeguard public funds and incentivise performance; and a greater focus on strengthening the Boards and Accountable Officers of public bodies through induction and on-going support.

As part of this Ministers also agreed revised pay policy and procurement controls. The importance of sponsorship and the relationships between sponsors and public bodies is seen as being crucial in empowering public bodies to deliver outcomes.

Sponsorship Teams and Public bodies should be aware of formal responsibilities they hold over the stewardship of public funds considering; SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include:

• sponsorship teams and public bodies should work closely in overseeing the management and use of public monies,
• Model Framework Documents should cover the arrangements for funding the body and the conditions attached to the use of those funds
• the Accountable Officer and the Board should ensure that the public body has in place appropriate systems to support their financial responsibilities
• ensure appropriate systems in place for managing risks and that these are escalated appropriately
• check that systems are in place for internal and external audit, an audit committee is in operation and that arrangements are in place for producing a statement on internal control
• ensure that arrangements are in place for the body to provide regular high quality budget monitoring and forecast information as required by Financial Management Directorate and with support from Finance Business Partners (or equivalent) review annual accounts
• co-operate with any enquiries initiated by the Auditor General for Scotland or by the Public Audit and Post Legislative Scrutiny Committee of the Scottish Parliament

There are various returns due to finance part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances.

Sponsored bodies should all be meeting the Fair Work First criteria, providing:

• payment of at least the real living wage
• appropriate channels for effective voice, such as trade union recognition
• investment in workforce development
• no inappropriate use of zero hours contracts
• action to tackle the gender pay gap and create a more diverse and inclusive workplace
• payment of the real Living Wage

• offer flexible and family friendly working practices for all workers from day one of their employment
• oppose the use of fire and rehire practice

Effective voice is central to Fair Work and all employers should demonstrate their commitment to including their staff in workplace decisions, and work in positive partnership with trades unions. Employers should also pay at least the real Living Wage, and you may wish to check if the body is an accredited Living Wage employer. Have they got an invest in youth plan with stretching targets to recruit and develop young people (e.g., recruiting Apprentices)? Do they run an employee engagement survey and act on the results? Do they use procurement policies to encourage Fair Work, including payment of the living wage and inclusive employment in their supply chain? 

Please provide information which will highlight the actions your sponsored body has been doing to support workplace equality, inclusion and diversity.

As an example, they could be a disability confident employer, carer positive employer, IYP Gold award employer and a Stonewall Top 100 employer. They should be ambitious about diversity and inclusion and be able to demonstrate this through workplace practices.

All employers should make use of the Fair Work resources available, including the Fair Work First guidance, Employer Support Tool and resources from the CIPD.

Systems should be in place to ensure all business cases are assessed.

For all Major Investments as defined in the Scottish Public Finance Manual: a Risk Potential Assessment Form, available from Portfolio, Programme and Project Assurance Hub, should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub

For investment in projects containing an IT or digital elements:

• integrated Assurance and Approval Plans should be completed for projects by your sponsored body
• projects should be registered on the Project Register, held by the Digital Assurance Office
• further advice can be found on the Technology Assurance Framework or by emailing Digital Assurance Office

For construction and infrastructure projects:

Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

For wider legal and corporate context on this requirement, refer to:

• Guidance on Protecting Scotland’s Future Chapter 1 
• A Fairer, Greener Scotland: Programme for Government 2023-24 - gov.scot (www.gov.scot) – setting out Scotland's ambitions in relation to contribution to climate change, and to restore nature and enhance our climate resilience, in a just and fair way

To understand and support embedding climate considerations through procurement, including key corporate enablers, along with lessons that can be leveraged for other funding flows, including grants, please refer to:

• Scottish Procurement Policy Note Taking account of climate and circular economy considerations in public procurement: SPPN 3/2022 which:
  • highlights that public bodies ‘should’ use their public procurement spend to support climate and circular economy ambitions, clarifying expectations
  • aligns climate change reporting duties and current procurement policy and legislation to avoid duplication of effort; and
  • provides practical support and guidance on how to do so

Further source of support include:

• Sustainable Procurement Tools – these tools have been designed to help public sector organisations identify and address how they can optimise the economic, social, and environmental outcomes of their procurement activity
• training, hosted within the Sustainable Procurement Tools platform, includes access to Climate Literacy eLearning, which comprises of three modules: The Climate Challenge; Responding to the Challenge; and Taking Action - the demand led product is designed to encourage and assist public bodies to take account of climate and circular economy in their procurement activity

Organisations should build into their contract management activities sufficient checks to ensure suppliers are meeting their contractual obligations.

The purpose of Contract and Supplier Management is to work closely with suppliers and internal customers to:

• minimise the total cost of ownership
• to maximise Supply Chain efficiencies throughout the life of the contract

Further details on Contract and Supplier Management and associated Managing and Improving Performance principles can be found on the Procurement Journey: Contract and Supplier Management | Procurement Journey.

For example, do you ensure your sponsored body appropriately plans strategic property matters and consults Property and Construction Division as early as possible in accordance with the SPFM guidance when required etc. Where appropriate, further guidance and support on property matters is available from Property and Construction Division and should be contacted as early as possible in the process.

Guidance can be found here in sections on property and best value on the SPFM.

For example, do you ensure a comprehensive options appraisal is carried out, detailing the pros and cons of any option being considered, including the financial requirement to be within budgets as well as the business need, to support any proposal? How will you ensure that all options to reduce the estate and its cost are reviewed and leases are ended when they expire or when break options arise unless an exception is approved in advance for exceptional circumstances? Are you ensuring progress is being made by your sponsored body towards a Net Zero estate?

Guidance can be found here in sections on property and best value on the SPFM.

13. Compliance 

13.1 Do you have processes in place to ensure compliance with applicable existing, new, and updated policies, procedures, laws, and regulations – including those referred to separately in this Checklist e.g. the SPFM and any other required Impact assessments outlined on the intranet (Saltire) in relation to Policy Development?

13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?

13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities?

13.4 Do you have processes in place to ensure compliance with legislative requirements for all statutory and non-statutory Impact Assessments listed on the intranet (Saltire) at the earliest possible stage in the development of all new, revised or strategically significant policies/activities/projects in your area?

13.5 Do you have appropriate arrangements in place to ensure staff are appropriately trained or are aware how to ensure delivery of all impact assessments with confidence and to a high standard?

14. Review

14.1 How confident are you about the robustness of your arrangements for reviewing and improving the effectiveness and efficiency of controls in your area, and are you satisfied that controls in your area support your objectives?

You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 How confident are you that you have a comprehensive picture (e.g., through an Assurance Map) of the sources of evidence underpinning your assessment of controls?

You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion?

You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g., Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital Scotland Service Standard, review by external consultants) to support your assurance, and of how to access them?

14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review?

15. Other Issues