Government of Jersey (gov.je)
Risk management guidance

Scope and purpose

This Risk Management Guidance applies to all Government Bodies as defined in Article 1 of the Public Finances (Jersey) Law 2019, and applies to the management of risks to both the Government of Jersey and related bodies. It sets out the guidance that will help operationalise the Risk Management Strategy, and it defines the approach, procedures, roles and responsibilities for managing risks associated with the Government of Jersey.

The Risk Management Guidance has been designed to:

  • align with the International Organization for Standardization's ISO 31000:2018
  • enable a consistent method for managing risks and issues across the Government of Jersey
  • allow for flexible application at corporate, directorate and departmental levels, and at major programme and project level

As outlined in the Government of Jersey Risk Management Strategy 2019, there are three distinct levels of risk management profile across the government: Corporate; Departmental and Programme; and Directorate and project. This three-tier approach to managing risk and an effective control environment depends on a consistent and standardised process that recognises specific 'objectives' at each level. The main area of focus at each tier is:

Corporate level: a focus on risks related to the Government of Jersey's Strategic Policies and Outcomes
Directorate level: a focus on risks related to the management of interdependencies and the delivery of services to Islanders within scope, time, budget and quality requirements
Departmental/project level: a focus on operational risks related to the day-to-day performance of activities serving Islanders

This guidance is intended to provide practical direction to all Government Bodies on how to comply with the intent of the Risk Management Strategy and in turn, the Public Finances Law and its supporting manual. Government staff should feel enabled, not constrained, by the guidance; it is not intended to comprehensively capture all the risk management activities across the Government of Jersey but to provide guidance and support to enhance, embed and further integrate sound risk management practices and culture across the Government of Jersey.

Approvals and revisions

Staff may recommend changes to this document through their direct reporting line. This document should be formally reviewed by the Director, Risk and Audit for its completeness, adequacy and alignment to business imperatives (current and future) at least every year, or more frequently if deemed necessary. The Executive Management Team must formally approve any amendments.

Establishing risk context

Our risk management commitment

The Government of Jersey delivers a wide range of services and encounters many of the challenges faced by much larger public sector organisations. Like most organisations, we operate in an increasingly complex, rapidly changing environment. We are not immune to global political, social and economic factors.

The Government of Jersey's vision is to build a sustainable and successful future for Jersey despite increasing demands on our services and the backdrop of uncertainty and change. We need to manage the threats to our objectives and capitalise on the opportunities that will improve our chances of success.

As stated in the Risk Management Strategy, our vision for risk management is to focus on ensuring that the Government of Jersey has a consistent, pragmatic and fit-for-purpose approach for its internal risk management structure, systems, culture and capabilities, in order to effectively support the achievement of its strategic priorities over the next 12 months and beyond.

It is the responsibility of everyone connected to the Government of Jersey to play a part in understanding and practising risk management activities as per this guidance as they undertake their daily tasks. Specific responsibilities are set out in the Risk Management Strategy.

This Guidance should be read in conjunction with the Government of Jersey's Risk Management Strategy.

Michael Thomas, Director of Risk and Audit

Acknowledgments

Institute of Risk Management (IRM)
International Organization for Standardization, ISO 31000:2018

What is risk?

Wherever there is a decision or action to be taken, there is the potential for risk. There are many definitions of risk but for the purpose of this guidance the Government of Jersey (GoJ) defines risk as: 

“Something that might happen that could have an effect on Government of Jersey objectives”

This means that risk can be seen as either a negative threat or a positive opportunity. There are some common misconceptions about what is a risk. People often confuse risk with issues, incidents and hazards.

A hazard is the source or origin of the event. For example, a swimming pool filled with sharks is a hazard. It only becomes a risk when someone might fall in. There can be many hazards around, but it is only when people, systems, property and so on are exposed to them that they become risky.

Similarly there is often confusion over the difference between an issue, an incident and a risk.

An incident is something that has happened; an issue is something that is happening or will certainly happen; a risk is something that might happen.

This guidance is designed to help risk managers and risk leads develop an effective and efficient risk management framework that is appropriate for their Directorate, Department, Programme or Project, by working through the following questions:

  • what do you want to achieve?
  • what can stop you achieving your goals?
  • how big is the risk?
  • what is the chance of it happening?
  • what has been done about it?

This guidance also provides us with a common language for the way we talk about risk in the Government of Jersey. This enables us to simplify and standardise our approach, and ensures risks are managed and reported consistently.

What is risk management?

Risk Management is the culture, organisational structure and ongoing process of managing the risks to the provision of services or the development of our economy. It is about getting the right balance between innovation and change on the one hand, and the avoidance of shocks and crises on the other, in a consistent and systematic way. The benefits of effective risk management at an enterprise / corporate level have been outlined in the Government's Risk Strategy.

Why adopt an Enterprise Risk Management approach?

In a day-to-day operational context, there are a number of reasons to adopt it:

  • to comply with legal and regulatory obligations as well as customer requirements
  • to provide senior management with assurances that significant risks have been identified and appropriate controls are in place
  • to help make the correct business decisions - risk management should provide sound information to support business decision making
  • to help ensure that business process and projects are both effective and efficient

When implemented and maintained in accordance with these guidelines, the management of risk will enable us to:

  • increase the likelihood of achieving objectives
  • encourage proactive management
  • improve governance
  • better identify opportunities and threats
  • comply with relevant legal and regulatory requirements and international norms
  • enhance health and safety performance, as well as environmental protection
  • establish a reliable basis for decision making and planning
  • be aware of the need to identify and treat risk throughout the organisation
  • improve mandatory and voluntary reporting
  • improve stakeholder confidence and trust
  • improve controls and organisational resilience
  • effectively allocate resources for risk treatment
  • improve operational effectiveness and efficiency
  • improve loss prevention and incident management
  • minimise losses
  • improve organisational learning

A key element of Enterprise Risk Management is a consistent approach to identifying and controlling risks through risk assessment. This is known as the risk management process and is described in more detail in the Risk Management Process section.

Mandatory requirements

We all have a part to play in the management of risk. Our level of responsibility will vary depending on our individual roles. Section 5 of the Risk Strategy document outlines at a high level the roles and responsibilities of each risk group / stakeholders. In addition to this, there are a number of mandatory reporting requirements where risk management plays a pivotal role:

Governance and Assurance Statements

The Principal Accountable Officer and Treasurer sign an Annual Governance Statement which forms part of the Annual Report and Accounts including a statement on risk management and key risks. Each Accountable Officer is personally responsible for signing an Assurance Statement, which sets out the basis on which their responsibilities have been discharged including the management of risk in their department.

A self-assessment checklist for completing Departmental Annual Governance Statements is shown later in the appendix.

Alignment with Corporate Strategy and Business Planning

A strategic approach to risk management aligns risks to Directorate and/or Departmental objectives. These should be aligned to the Common Strategic Policy priorities and in future to the desired outcomes stated in the Government Plan. Each Directorate/department must set out a risk management strategy that shows clearly how risk management has been embedded into their business plans.

Major projects

There is a requirement to undertake a full risk assessment for all major projects.

You can find a definition of a major project along with details of thresholds, procedures and guidance in the Public Finances Manual and supporting guidance.

Risk assessments are also strongly recommended for minor projects.

Recording risks

Each Government Directorate and associated body must maintain a risk register. This is a formal record of all risks that have been identified in the relevant areas. As a minimum, Departments must maintain a Departmental risk register that is aligned to the Corporate Risk Register. It is the responsibility of Departmental Risk Leads, with the agreement of their respective Directors General and leadership teams, to coordinate risk management activities for the departments and projects within their Directorates. A sample risk register is included in the appendix.

Reporting risks

It is important, whatever structure is adopted to allocate responsibilities for risk management, that a mechanism is in place for reporting risks to the leadership teams. You can find a suggested approach in the appendix.

Quarterly corporate risk management cycle

  • Principal risks from the Corporate Risk Register are cascaded down to the relevant directorates by the Risk and Audit Team
  • Directorate Leadership teams own and manage the relevant principal risks, in addition to specific risks that are material for their area. Risks may be further cascaded down to departmental and project level for management
  • Directorate Risk Leads collate risk information relevant to their area and update their respective risk register. At a minimum, risk leads present key risks for discussion with their respective leadership team quarterly
  • Directorate Risk Registers are escalated to the Risk and Audit Team according to a defined and agreed schedule, for identification of common or emerging key risks that could affect the Corporate Risk profile
  • The Director of Risk and Audit chairs a Departmental Risk Group meeting to discuss and agree amendments to be made to the Corporate Risk Register
  • The Risk and Audit Team updates the Corporate Risk Register with the proposed amendments, to be presented to the Risk and Audit Committee and the Executive Management Team for discussion and agreement on next steps
  • The Risk and Audit Team produces a Strategic Risk Report containing a summary narrative of the revised Corporate Risk Profile and the risk response plan, for circulation to Directorate Leadership teams and relevant risk action owners

Related risk policies

Some departments will have policies that reflect risks that are specific to their department. This guidance does not try to identify all policies that apply to each department and it is recommended that you consult with your leadership teams to identify all policies applicable to your department.

There are several related government-wide risk related documents, namely the Government of Jersey Risk Management Strategy, Jersey Public Finances Law and the Public Finances Manual; consideration should also be given to specific guidance in relation to:

  • Business Continuity
  • Financial Management and Control
  • Well-being and Health
  • Information and Data Security
  • Records Management

Risk appetite and tolerance

Before identifying and assessing risks, you should consider the amount and type of risk that you can or are prepared to accept, tolerate, or be exposed to at any point in time.  This is known as risk appetite. 

There will be many different risk appetites across the organisation due to the diverse range of activities.  Working with defined risk appetites is a developing area and the Government of Jersey aims to define and develop Key Risk Indicators (KRIs) as part of its 2019 risk management activity in order to improve the tracking and monitoring of its tolerance towards risk. A consultation will be held with Leadership Teams in the near future to agree on the Government of Jersey Risk Appetite Statements and tolerances.

Risk governance, roles and responsibilities

The Government of Jersey Risk Strategy document sets out the risk management governance, roles and responsibilities of various groups and stakeholders across the Government of Jersey. Where applicable, each Department should adopt a similar structure to ensure that risks are identified and appropriately assessed in a timely manner. Leadership teams should consult with the Risk and Audit team to ensure that appropriate risk governance is in place within their respective areas.

Risk culture and leadership

All elements of the framework are underpinned by clear leadership and a positive, open, ‘no-blame’ culture that encourages colleagues to always “do the right thing”. We all have a role to play in delivering effective risk management.

Culture is ‘the way we do things around here’. A strong risk management culture is key to building trust and transparency.  An open and honest “speak up” culture that encourages the effective management of risk will deliver long term sustainable results for our organisation.

There are five components to building a risk-aware culture (cultural component: behaviours and attitude):

  • Strong leadership: reinforcing the importance of risk management across strategy, projects and operations
  • Involvement: involving the right people at the right stages of the risk management process
  • Learning: building a common level of understanding and learning from events
  • Accountability: clear, appropriate accountability and the absence of a blame culture
  • Communication: open communication on all risk management issues and lessons learnt

Together we are building a culture where:

  • everyone understands the risks they personally manage and is empowered and qualified to be accountable for them
  • doing the right thing, for customers and our business, is always paramount
  • everyone has risk management embedded in their ways of working
  • everyone is encouraged to actively identify risks and take appropriate action
  • risk is a business enabler and not a bureaucratic hindrance
  • we see risk as an opportunity when balanced with reward
  • there is no fear of escalating bad news and people feel they can use the whistleblowing policy with confidence
  • positive risk management behaviour is reinforced and rewarded

Risk management process

The risk management process is a continuous cycle. It aims to help manage threats that may hinder delivery of priorities and to maximise opportunities to deliver them.

The cycle begins by establishing the context in which the Government of Jersey operates: the scope of our activities, our objectives and the outcomes we want for Islanders, and any relevant external factors. Relevant internal factors should also be considered, such as the criteria, thresholds and tolerances used at corporate and departmental level for evaluating risks, and any relevant policies and procedures, including those that form part of the Enterprise Risk Management framework.

Once context has been established the process then involves, identifying, analysing and evaluating the risk based on existing controls and then treating the risks.

Risks are then recorded in a risk register to be monitored and reviewed regularly.

Every stage of the risk management process should be carried out in consultation with the appropriate people and, as part of the compliance requirement, risks must be escalated and reported appropriately and in a timely manner.

Figure 2 – The risk management process (diagram showing the stages of the risk management process)

Identifying risk

In order to manage risk we need to understand where those risks might exist and plan how to deal with them. This will not only make our workplace safer, it will also help us to achieve our objectives efficiently and effectively. If we can reduce the likelihood of potential problems by anticipating them, we can concentrate our efforts on providing the best possible services for Islanders.

Each department should identify the risks to its key objectives. The ideal starting point is to identify any risks to the objectives in the departmental business plans. The risks to business as usual should be included in a risk assessment, even if they are not highlighted in the business plans.

The best people to identify and control risks are those who are directly responsible for the activity. The group identifying the risks should contain the risk ‘owner’ i.e. the person who will be responsible for designing and implementing controls and who can provide early warning of difficulties.

When to identify risks

It is important that teams regularly consider and discuss risks and ensure they are captured accurately and in a timely way.  Risk identification is a dynamic, proactive and ongoing process with new and emerging risks being identified based on changes to the internal or external environment.

Examples of when to consider risk identification include:

  • consideration of risks in the course of day to day activities
  • input from objective setting, projects, business and operational planning
  • conducting a specific formal risk workshop
  • formal internal or external process review
  • particular events that could result in new or emerging risks

When thinking about risks you can look at events, such as the failure of a database, a criminal prosecution or an increase in demand for services, or at processes, such as the management of health and safety, financial control or client care.

There are three key considerations for risk identification:

  1. Risks may not just be threats, but may also represent opportunities that the GoJ may wish to leverage or realise. Risks are possible future events that have not yet occurred.
  2. The identification step should not be done in isolation and should involve input from all stakeholders. This input ensures that a greater variety of risks and concerns are addressed and stakeholders are given the opportunity to engage and commit to owning risks and taking accountability for treatments.
  3. Once the risks have been identified, it is important to identify the likely causes (relating to the source of risk) of the risk event and the possible consequences arising from the risk event.

You should think about risks in terms of cause, event and effect:

Cause: What are the underlying (root) causes of the risk (for example, power supply failure)?
Event: What event or incident would occur as a result of the cause (for example, system outage)?
Effect: What is the impact or consequence of the risk occurring (for example, financial loss, reputational damage, legal action)?

Bowtie method

Another way to think about risk identification is using the risk Bowtie method illustrated in figure 3a below and covered in more detail in the Analysing and Evaluating risk section.

Figure 3a - The risk Bowtie (diagram showing the three components of risk: cause, event and effect)

When describing risks or creating a risk statement you might find it useful to think of the 'if and then’ statement shown in figure 3b below.

For example: If a USB data stick containing sensitive data is stolen, which leads to loss of data, then this may result in reputational damage and a financial impact by way of fines and compensation.

Figure 3b - If and then example (bowtie diagram showing a worked example of a risk caused by a stolen USB stick, leading to a data breach, resulting in the payment of compensation or fines)

Describing risks can be challenging. The list below shows some examples of where a risk has been described incorrectly (type of poor description: example).

  • Objective (restated as a risk): Objective: “to get to London for a weekend break.” Risk: “not getting to London on Friday evening.”
  • Success of the objective: “Going to London for the weekend may result in us spending more money than we intended.”
  • Composite risks: “I might miss the plane or the plane could be cancelled or the city transfer is unavailable.”
  • One-word risks: “Fraud”, “Fire”, “Reputation”
  • Statement of fact: “There is a risk that projects may fail.”
  • Failure to…: “Failure to recruit enough staff”; “Failure to control costs”
  • Incident: “Due to the server crashing”
  • Issues: “Because we don’t have enough staff…”; “When the new legislation is introduced…”
  • Whinge: “Cuts to services are being reported by the media, who create a lot of work for us by making demands for statements and information. This costs us time and money and is a considerable inconvenience.”
  • Essay: “The introduction of new employment law will mean additional staffing costs. We are also moving to new premises and introducing a new IT system, so we are likely to overspend against budget, thus necessitating cut-backs next year, increasing scrutiny and damaging our reputation.”

The examples below show risks described correctly, in the three-part risk language of cause (a definite fact), event (an uncertain event or set of circumstances) and effect (a direct impact on our Department objective):

  • As a result of using novel hardware… unexpected system integration errors may occur… which could lead to overspending by the department.
  • Because our organisation has never done a project like this before… we might misunderstand the customer's requirements… which could mean our solution does not meet the quality acceptance criteria.
  • We have to outsource parts of our service… so we may be able to learn new practices from our selected partner… which could lead to increased efficiency, productivity and quality.
  • Because we don't have experience using this technology… we might not have the necessary skilled staff to carry out the design work… which could lead to a delay in the project while we train our staff.
  • The project is planned to take place in the summer… so skilled student labour may be available to recruit… which would mean that time could be saved on all activities that take place over that period.
  • Because there are three other projects taking place in the same time frame… we may be able to utilise skilled staff as they become available from another project… which would allow us to deliver early to the customer.

The nature of a risk falls into one of two categories: strategic or operational.

Strategic risks

Strategic risks are those arising from major events which could affect the whole of the Government of Jersey e.g. major overspend or serious damage to the reputation of the Government of Jersey.  Their sources of origin include:

  • political
  • economic
  • social
  • technological
  • environmental
  • competitive
  • customer / stakeholders

Operational risks

Operational risks are those arising from the day-to-day management of activities within Departments, and are less likely to affect other Departments or the Government of Jersey as a whole. Their sources of origin include:

  • professional
  • financial
  • statutory duties and responsibilities
  • physical
  • contractual
  • technological
  • environmental

The sources of risk above are expanded in the appendix. Understanding the nature of a risk provides context and helps you identify and articulate your risks clearly. The nature of a risk is about where its source could arise; considering each of these sources against your day-to-day activities helps ensure that you have sufficiently considered the multiple aspects of risk.

Risk classification

Once you have identified a risk, it can be classified according to its attributes, such as the timescale for impact, the nature of the impact and/or the likely magnitude of the risk. This drives consistency across the organisation, allows common risks to be articulated at corporate level and helps drive investment decisions. The Government of Jersey classifies risks by the type of impact a risk could have on the Government of Jersey and on its ability to achieve its objectives. In general, the Government of Jersey's risks are classified within these seven categories:

  • financial - impact on the amount of money available to the Government of Jersey, or on the efficiency or effectiveness with which it can be used
  • service delivery - impact on the quality or quantity of a service available to any customers / service users
  • reputational - impact on the confidence or trust Islanders (or other stakeholders) have in the Government of Jersey's commitment and ability to deliver outcomes, or on their perception of the government's progress towards them
  • legal and regulatory - impact on the government's ability to fulfil any legal or regulatory obligations it has
  • people / health and safety - impact on the health, wellbeing or safety of Government of Jersey staff or the public
  • economic - direct impact on the economy of Jersey
  • environmental / social - direct impact on the community or environment of Jersey

When identifying risks a balance is needed between making a long list of hundreds of risks, which will be complex to manage, and a handful of risks defined at too high a level to be useful. Practice and consulting your risk experts will enable the right level to be achieved through risk classification.

Analysing and evaluating risks

Once risks are identified and classified, the next step is to get a better understanding of each risk.

Firstly, we need to assess the risk to understand further its context, its root causes, its potential impacts and the controls currently in place. Various risk analysis techniques are available; the suggested approach is the bow-tie risk analysis method shown in figures 5a and 5b below.

Figure 5a - Risk Bowtie (diagram showing the three components of risk: cause, event and effect)

For each risk, write the risk description in the middle of the bow-tie, then record the threats, causes or sources of the risk on the left-hand side alongside any preventative controls that stop the event occurring. Record the impacts or consequences of the risk on the right-hand side, alongside any mitigating controls that reduce the consequences if the event does occur. This helps identify the type of response you will need to lessen the risk impact.

Figure 5.b – Example of Bowtie risk evaluation

Impact or consequence

The consequence of a risk is the effect or result of a particular event, assessed in the context of the identified existing controls. The Government of Jersey's impact criteria have been aligned to the risk categories above where appropriate, to ensure uniformity in risk ratings across the organisation. Figure 6 below provides an impact rating scale for each category (Negligible: 1, Minor: 2, Moderate: 3, Major: 4, Catastrophic: 5).

Financial

  • Negligible (1): less than 0.25% over budget; increase in expenditure / loss of income under £10k
  • Minor (2): between 0.25% and 0.5% over budget; increase in expenditure / loss of income of £10k to £499k
  • Moderate (3): between 0.5% and 0.75% over budget; increase in expenditure / loss of income of £500k to £999k
  • Major (4): between 0.75% and 1% over budget; increase in expenditure / loss of income of £1m to £4.99m
  • Catastrophic (5): more than 1% over budget; increase in expenditure / loss of income of more than £5m

Service Delivery / Operational

  • Negligible (1): limited disruption to core public services, with no noticeable effect; little or no impact on the public / customer; minimal programme delays with no impact on key milestones
  • Minor (2): temporary disruption contained to a single core public service; localised inconvenience to the public / customer; minor programme delays with recoverable impact on milestones
  • Moderate (3): increasingly regular disruption to one or more core public services; impact on the public / customer of up to 1 week; regular programme delays affecting one or more milestones
  • Major (4): severe disruption to one or more core public services; impact on the public / customer of up to 1 month; major delays resulting in significant programme overhaul
  • Catastrophic (5): significant, lasting disruption across core services; impact on the public / customer of more than 1 month; significant programme delays threatening the entire delivery

Reputational

  • Negligible (1): individual grievances with limited internal review; minimal and transient loss of customer / partner trust
  • Minor (2): internal scrutiny or investigation to prevent further escalation; minor loss of customer / partner trust that is recoverable quickly
  • Moderate (3): local media attention resulting in external committee scrutiny; diminished customer / partner trust that is recoverable over time
  • Major (4): local media attention resulting in intense public scrutiny; severely damaged public / customer / partner trust
  • Catastrophic (5): national media attention causing public inquiry and outcry; irrecoverable loss of customer / partner trust

Legal and compliance

  • Negligible (1): breach of standards / guidelines; no legal action anticipated; negligible financial impact
  • Minor (2): breach of policy / regulations; one-off claims or legal issues; minor financial impact
  • Moderate (3): serious breach with investigation; ongoing legal / litigation issues; significant financial impact
  • Major (4): major breach resulting in fines; major legal actions / prosecutions; major fines with imprisonment
  • Catastrophic (5): repeated major breaches; penalties / sanctions imposed; extensive, repeated major fines

People / Health & Safety

  • Negligible (1): incident with no injury sustained; negligible effect on public / staff wellbeing / personal safety; no impact on staff morale
  • Minor (2): minimal injury sustained; minor impact on public / staff wellbeing / personal safety; localised staff complaints
  • Moderate (3): significant injury sustained; short-term impact on public / staff wellbeing / personal safety; short-term impact on staff morale
  • Major (4): long-term disability sustained; ongoing impact on public / staff wellbeing / personal safety; major industrial action
  • Catastrophic (5): casualty sustained; long-term impact on public / staff wellbeing / personal safety; widespread industrial action

Economic

  • Negligible (1): negligible impact on the local economy that can be absorbed
  • Minor (2): limited impact on the economy, isolated to one or more sectors
  • Moderate (3): limited impact on the local economy
  • Major (4): major impact on the economy in one or more sectors
  • Catastrophic (5): serious, long-term impact on the economy, potentially permanent

Environmental / Social

  • Negligible (1): minimal damage to isolated infrastructure / properties; no lasting detrimental impact on the environment; minimal impact on the local community
  • Minor (2): minor and localised damage to infrastructure / properties; short-term detrimental impact on the environment; noticeable and manageable impact on the local community
  • Moderate (3): major, short-term damage to infrastructure / properties; long-term detrimental impact on the environment; severe and manageable impact on the local community
  • Major (4): serious, long-term damage to infrastructure and properties; extensive damage to the environment; serious damage to the whole Island community
  • Catastrophic (5): complete destruction of core Island infrastructure; widespread and irrecoverable damage to the environment; significant, lasting damage to the whole Island community

Figure 6 - Impact Assessment Criteria

Likelihood

Assessment of likelihood requires consideration of the potential occurrence and frequency of a risk event and its impact, in the context of the identified existing controls. Figure 7 below provides the guidance on assigning likelihood to risks.

  • Rare (1): Will only occur in exceptional circumstances. Probability of single event: <10%. Frequency of event: not a foreseeable occurrence.
  • Unlikely (2): May occur at some time but not likely to occur in the foreseeable future. Probability of single event: 10% to 25%. Frequency of event: could happen once in every 5 years.
  • Probable (3): May occur at some time within the foreseeable future. Probability of single event: 26% to 50%. Frequency of event: could happen once per year.
  • Likely (4): Will probably occur in most circumstances. Probability of single event: 51% to 80%. Frequency of event: could happen once per month.
  • Almost certain (5): Expected to occur in most circumstances. Probability of single event: >80%. Frequency of event: could happen once per week.

Figure 7 – Likelihood Assessment Criteria

The Government of Jersey’s ‘risk appetite’ is established by way of criteria for existing controls, impact, likelihood and overall risk ratings.  These criteria set the decision boundaries within which staff are expected to operate as they seek to deliver on objectives.

These criteria enable the Government of Jersey to achieve a simple and consistent approach to decision making, in full consideration of associated impact / consequences arising from risks, the likelihood of occurrence and on the basis of due consideration of the costs and benefits of treatments.

The Government of Jersey's overall risk ratings set the boundaries and expectations in relation to what level of risk the organisation is prepared to accept in the pursuit of its objectives. Figure 8 below illustrates how overall risk ratings are generated: the rating is the product of the likelihood score (rows) and the impact score (columns), banded as Low, Medium, High or Extreme.

Risk Rating Matrix

Likelihood \ Impact    Negligible (1)   Minor (2)    Moderate (3)   Major (4)     Catastrophic (5)
Almost certain (5)     5  Medium        10 High      15 Extreme     20 Extreme    25 Extreme
Likely (4)             4  Medium        8  High      12 High        16 Extreme    20 Extreme
Probable (3)           3  Low           6  Medium    9  High        12 High       15 Extreme
Unlikely (2)           2  Low           4  Medium    6  Medium      8  High       10 High
Rare (1)               1  Low           2  Low       3  Low         4  Medium     5  Medium

Figure 8 – Risk Rating Criteria

Risks are assessed in terms of their impact and likelihood. The impact and likelihood of each risk is assessed against predetermined measures and given a rating from 1 to 5. Impact ratings should reflect the most significant impact reasonably foreseeable. There are a number of different types of impact against which risks are assessed. The overall impact rating should be equal to the most severe of these.

Treating risks

Prioritising risks

Having identified and assessed a risk, you should then decide what initial or further action is needed to control it or overcome barriers to ensure you achieve your objective. In order to do this, all risks will need to be prioritised based on the level of risk that the organisation is willing to accept. The Government of Jersey's leadership teams must weigh the cost of various treatment plans against the consequences and likelihood related to the risk.

Any risks that exceed management's tolerance threshold should be referred immediately to the next level of management for guidance. The table below sets out the treatment action expectations for each risk rating:

Low (between 1 and 3)
Managed at a service level by the action lead in the departmental wide or project risk register. Assurance will be provided to the accountable manager on the management of this risk. (Note: not normally escalated to CSB/EMT level)

Medium (between 4 and 6)
Managed at a departmental level by the action lead via the departmental wide or project risk register. The accountable manager will monitor the delivery of any actions. (Note: not normally escalated to CSB/EMT level)

High (between 8 and 14)
Managed by the accountable manager. Actions prioritised and agreed with the executive owner. (Note: not normally included in the Corporate Risk Register)

Extreme (between 15 and 25; Principal Risks)
Managed on a day-to-day basis by the accountable manager and reviewed as a minimum on a monthly basis with the executive owner. Actions prioritised / agreed on a monthly basis and subject to scrutiny by the appropriate departmental leadership team / Director General. (Note: included in the Corporate Risk Register)


As part of this process, you should identify which of the controls are more critical in terms of their effectiveness. It may be helpful to list controls in order of their criticality. Although those risks requiring early or closer attention have been identified, there may be other risks that are suitable for a “quick fix” and can be quickly and easily controlled.

The risk assessment process is judgemental and it is important that decisions be documented for future understanding and review. It is important to keep a note of the following information for each identified risk: a unique identifier, the name of the risk, the risk description, the current controls, the risk likelihood and risk impact scores, the overall risk rating and any notes, judgments and decisions made during the process. It is also useful to keep a note of who was involved in the process and the date of the process step for later reference.

The reporting schedule for risks is integrated with existing reporting processes across each directorate, department, programme or projects. A risk heat map must be submitted by the departmental risk leads to the Risk & Audit team as part of the annual risk reporting schedule. Section 3 will outline in further detail the reporting requirements from departments through to the corporate level.

Responding to risk

When determining an appropriate response to risk, you should consider the risk response options. Risk responses need to be determined as a minimum for those risks that are rated as Extreme or High. Some potential questions that may help determine the correct response to risk:

  • Where have other organisations failed or capitalised? How could this relate to the Government of Jersey?
  • How can we proactively address the risk?
  • Are there known internal control weaknesses or failures?
  • What level of risk are we comfortable taking and why (Risk Appetite / Tolerance)? Will the target risk level be within the risk appetite?
  • Across the industry, what is common or good practice and how close to this do we want to be?

It is critical to document the risk response, who approved the response and the reasoning for future reference. Where the decision is to accept a risk, a review cycle must be set to periodically review the risk to ensure that the risk response remains the best approach.

Response options

Tolerate
  • What: Do nothing and continue as planned
  • When: For unavoidable risks, or those so mild or remote as to make avoidance action disproportionate or unattractive
  • Why: The ability to do anything may be limited, or the cost of taking action is disproportionate to the potential benefit
  • Other considerations: Contingency planning (Business Continuity / Disaster Recovery plans) could be used to handle the impacts should the risk materialise

Treat
  • What: Introduce control procedures to increase the chance of success
  • When: For risks that can be reduced or eliminated by prevention or other control action
  • Why: Minimise negative impact, maximise opportunity
  • Other considerations: Investment costs of introducing new control procedures / actions

Transfer
  • What: Share the exposure of risk with insurance or a contractor
  • When: Where another party can take on some or all of the risk more economically or more effectively
  • Why: Alternative organisations may be more capable of effectively managing the risk
  • Other considerations: The relationship with a third party needs to be carefully managed, as it may not be possible to fully transfer all risks and some aspects might remain, e.g. reputational

Terminate
  • What: Withdraw from the activity, where possible
  • When: For risks that are intolerable for the Government of Jersey
  • Why: Some risks will only be treatable or containable by terminating the activity
  • Other considerations: This option is particularly important for hazard risks, or in project management if the projected cost / benefit is in jeopardy

Take the opportunity
  • What: Take the risk but monitor and review on a regular basis
  • When: The Government of Jersey may embrace some risks, accepting their downside, perhaps with controls, in the expectation of beneficial outcomes
  • Why: Avoiding all risk can be as irresponsible as disregarding risk
  • Other considerations: Preventative controls must be considered and put in place to ensure the benefit continues to outweigh the costs

What is a control?

Where a selected response action requires a certain element of control, you need to make informed decisions and decide on the appropriate activities (controls) to ensure that our risks are proactively and adequately managed.

A control is a means of reducing the likelihood of a risk occurring or minimising the impact should it occur. There are four types of control that can be applied, shown in Table 10 below.

  • Preventative: Controls designed to limit the possibility of an undesirable outcome being realised. Examples: computer passwords, security guards
  • Corrective: Controls designed to limit the scope for loss and reduce undesirable outcomes. Examples: data back-ups
  • Directive: Controls designed to support achievement of a particular outcome. These are based on giving directions on how to ensure losses do not occur. Examples: policies, blueprints, training
  • Detective: Controls designed to identify where a risk has materialised. These controls are only acceptable when it is possible to accept that a loss or damage has occurred. Examples: bank reconciliations, security cameras

The type of control(s) you apply is dependent on the nature of the risk. The controls need to be proportionate to the risk. When designing controls it is important to work with people knowledgeable about the risk area to ensure appropriate control(s) are designed. This may mean working with people outside of your business area, with experts, or with the Risk & Audit Team. Every control action has an associated cost and it is important that the control action offers value for money.

Some Principal Risks will have a government wide risk programme which will require strong alignment on the overall approach to risk controls and expectations, e.g. Data Privacy. Engaging with the relevant stakeholders to determine the scope expected is required. The Departmental Risk Group will be able to share best practice and knowledge across the other departments.

Control elements

In general, there are five elements of control and you should use professional judgement to define which of the five elements set out below are relevant to the risks you have identified and the actions needed to control each risk.

Governance
All risks identified as an extreme or high risk must have defined oversight from the leadership teams that will oversee the management of the risk and the actions required. Clear documentation of roles and responsibilities for extreme or high risks is required, e.g. a Responsible, Accountable, Consulted, Informed (RACI) table, setting out their purpose, accountabilities and membership.

Policies
Policies may be appropriate to set out the minimum control expectations for the management of a specific risk or set of risks. Policies should be clearly written, communicated and made readily accessible to those who need to follow and adhere to them.

Procedures and Guidelines
Procedures and/or guidelines establish a systematic process for executing policy requirements. These should be clearly written, simple to follow and unambiguous. The process documented in the procedure or guideline must be tested to ensure it can be followed and is effective. Procedures and guidelines should be periodically reviewed to ensure currency.

Communications and Training
Regular communication and consultation is an important part of a successful risk management framework and needs to be in place across all the stages of risk management. The Risk and Audit Team and other compliance functions are available to support you in defining what is needed. You should be proactively engaging with relevant groups in the wider organisation to ensure fit for purpose controls are applied, e.g. Departmental Risk Group, Insurance, Internal Audit, Business Continuity, etc.

Investigation and Sanctions
Investigations and disciplinary action are the final component in the delivery of the control phase. It is important that you escalate concerns you have about risks and compliance through appropriate channels, e.g. your manager or Risk Owners. There are disciplinary consequences of Policy non-compliance. For those found to be non-compliant with legal, regulatory or the Government of Jersey's Policy requirements there may be an investigation and action will be taken as appropriate.

The Risk Bowtie model shows where controls either reduce the likelihood (preventive) or the impact (detective). It is important to note that controls introduced on the left hand side of the bowtie are considered more efficient in terms of cost and more effective, as they are aimed at preventing the risk from happening, as shown in figures 9a and 9b.

Figure 9a - Bowtie showing control placement

Suggested controls might include:

Likelihood (left hand side of the bowtie)
  • Contract conditions
  • Process controls and inspections
  • Project management
  • Preventative maintenance
  • Effective internal controls
  • Supervision
  • Structured training programme

Impact (right hand side of the bowtie)
  • Business continuity plans
  • Contractual agreement
  • Fraud control planning
  • Good public relations
  • Minimising exposure to the source of risk
  • Crisis management
  • Insurance

Figure 9b - Bowtie showing controls

Things to note when documenting controls:

  • Describe controls clearly to avoid ambiguity. Any obstacles or barriers that might arise and affect them should be explored, along with early warning indicators
  • Record controls in the order of their criticality in terms of impact upon the achievement of the outcome, for ease of identification
  • Make clear the target dates for completion of aspects of control, reporting of progress etc., and record them where possible

Some risks might seem too difficult to tackle because they are controversial, political, too big or too specialist. These should not be avoided but dealt with in a positive but proportionate way by considering factors such as the opportunity to improve them, ease of improvement, cost of improvement and breadth of community affected. Consult with the Risk and Audit team or other relevant departments when in doubt.

Risk monitoring and review

Few risks remain static and it is important to know and understand what is happening. This can be achieved through regularly monitoring progress and formally reviewing risks in order to:

  • gain assurance that progress is being made towards controlling risks and the effectiveness of controls
  • monitor changes to the risk profile brought about by circumstances and business priorities

As part of the three Lines of Defence model adopted by the Government of Jersey, monitoring of risks must be performed by line management, by control functions and by internal audit. Assurance is informed by monitoring, reporting, KPIs, management information and auditing activities.

The Government of Jersey’s Executive Management Team will routinely review and monitor key business risks which have the potential to impact the achievement of the Government’s objectives.

Risks are rarely static. They are a ‘point in time’ assessment and thus need to be monitored and reviewed on a regular basis.

Monitoring and reviewing risks and treatment plans will ensure risks are managed effectively. Monitoring involves periodic consideration of the current situation to confirm that risk identification and analysis are still accurate. Ongoing review is essential to ensure that risk management remains relevant and priority treatments are on track.

Factors that may affect the likelihood and consequences may change, as may factors that affect the suitability or cost of treatment options. The occurrence of a significant event may also trigger a point in time review of a particular risk or number of risks.

When monitoring and reviewing risks you need to be clear about how this is to be undertaken.  It may help to develop a set of questions, for example:

  • are the key risks still relevant? 
  • have some risks become issues?
  • has anything occurred, which could impact upon them? 
  • has the risk appetite or tolerance levels changed?
  • are the controls in place effective?
  • have risk scores changed and if so, are they decreasing or increasing?
  • if risk profiles are increasing, what further controls might be needed?
  • if risk profiles are decreasing, can controls be relaxed?

Where objectives have not been achieved or are not on course to be achieved, the cause(s) should be investigated to inform and improve the risk assessment process. At the next formal review of the risk, its rating should again be considered. At this stage, you may wish to review your risk appetite or tolerance levels to ensure they remain appropriate.

The review and monitoring process should be integrated into existing organisational and business planning processes so that it adds value and supports the successful achievement of objectives, rather than being seen as a “bolt on”.

Reporting and escalation of risks

Risk reporting

The updated risk register should be considered by each service or department’s leadership team at least quarterly.

Any serious threats to achievement of objectives should be brought to the attention of the Executive Management Team.

A summary of serious risks to a department’s achievement of its objectives should be brought to the attention of that department’s minister in its quarterly ministerial report.

You can find samples of Risk Reporting and Risk Assessment in the appendix.

Escalating risks

There will be occasions when risks should be shared with more senior managers. These will automatically include risks that exceed your tolerance thresholds. Risks that are rated as Extreme or High, i.e. with a combined score of 16+, should also be referred up to the next level of management for advice on the appropriate level of control.

Management teams should have in place a process, which allows for risks at any level to be escalated upwards to enhance their level of control.

Where a risk is escalated to a more senior level, it should be considered along with all other risks at this new level and possibly included within the higher-level risk register.

Using a system for escalating risks allows senior managers to better target their attention and resources towards key activities.

Risk register

Risk registers provide an immediate record of all the identified risks, key controls and their status resulting from their assessment in terms of likelihood and impact across a wider pool of risks.

When a risk is recorded, it should be given a reference number. This reference number should remain with the risk to provide an audit trail.

Risks registers should be monitored by management teams. Risks included in the departmental risk registers should be closely monitored by the leadership teams and risk management should be a standing item on the leadership team meeting agendas.

The critical risks that can affect GoJ as a whole should be recorded in the Corporate Risk Register, which is monitored by the Executive Management Team.

You can see a sample risk register in the appendix.

Near miss reporting

A near miss is an unplanned event that did not result in injury, illness, or damage – but had the potential to do so. Only a fortunate break in the chain of events prevented an injury, fatality or damage; in other words, a miss that was nonetheless very near.

A faulty process or management system is invariably the root cause for the increased risk that leads to the near miss and should be the focus of improvement.

In terms of Health and Safety all employees have a duty to:
“Always report any accidents, near misses, or hazardous situations they notice (including accidents and near misses)”

Early warning indicators

The sooner you know something is not going to plan, or if circumstances look likely to impede your objectives, the quicker you will be able to take corrective action and get back on target or amend your course of action / priorities to reflect changing circumstances.  

Early warning indicators are used as a way of measuring change in local critical areas so that if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be triggered.  To be effective they need to be monitored regularly and the findings presented in such a way that the information can be quickly assimilated.

Early warning indicators are also called key risk indicators; they should be specific to the risk and should not be confused with Key Performance Indicators.

Indicators should be reviewed and updated to ensure they remain appropriate.

When establishing an indicator you should establish from the outset what information is to be collected, the reporting frequency and trend or tolerance thresholds.

Early warning indicators can be applied to strategic and operational risks.   For operational risks they can be set to measure activity such as: 

  • achievement of service quality levels
  • achievement of volume targets
  • achievement of time targets
  • achievement of revenue targets
  • levels of safety incidents or injury
  • achievement of key milestones
  • delivery of planned activities on time and on budget

Points to consider when establishing / reviewing indicators:

  • are all critical business systems clearly defined?
  • do early warning indicators exist for critical business systems?
  • do early warning indicators exist for programmes and projects?
  • do early warning indicators exist for operational activities?
  • is there a balanced set of indicators, including financial indicators?
  • are indicators examined by decision makers with the authority to take corrective action on a regular cycle?
  • are the results of monitoring early warning indicators presented in a concise, consistent manner so that the impact of the information is readily understood?
  • are the indicators updated to reflect changes within the activity?
  • are the indicators inward and outward looking?

Early warning indicators can also be used to identify opportunities.

Support and further information

Third parties and partnerships

Guidance on managing risks with third parties/partnerships is under development. For more information email erm@gov.je

Links with other risk management groups

There are a number of risk management groups and forums in the Government of Jersey.

For more information email erm@gov.je

Response planning

Even with effective controls to prevent risks, some risks will inevitably materialise. By ensuring we develop business continuity plans for responding to risks we can significantly reduce their impact and ensure that any disruption to our services is minimised.

For more information email erm@gov.je

Contact for additional support

  • Contact your Risk Champion, or Line Manager
  • Visit the Government of Jersey’s Risk Management intranet site on MyStates

For specific questions on this Guidance or support with risk related issues, contact the Risk and Audit Team. A targeted training programme is currently under development and will be made available to all Government personnel.

Appendix

Sources of strategic risk

Definition: Risks that may be potentially damaging to the achievement of the Government of Jersey Objectives

PESTLE expanded

Political
Associated with the failure to deliver government policy, or to meet the local administration’s commitment.

Economic
Affecting the ability of the Government to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (e.g. interest rates, inflation etc.) or the consequences of proposed investment decisions.

Social
Relating to the effects of changes in demographic, residential or socio-economic trends on the Government’s ability to deliver its objectives.

Technological
Associated with the capacity of the Government to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failure on the Government’s ability to deliver its objectives.

Environmental
Relating to the environmental consequences of progressing the Government’s strategic objectives, for example in terms of energy efficiency, pollution, recycling, landfill requirements, emissions etc.

Competitive
Affecting the competitiveness of the service in terms of quality or cost, and/or its ability to deliver value for money.

Customer or Stakeholder
Associated with the failure to meet the current and changing needs and expectations of customers and citizens.

Sources of operational risk

Operational risks are those risks that may be encountered in the day to day provision of services.

Professional
  • Description: Associated with the particular nature of each profession
  • Examples: Inefficient/ineffective management processes. Lack of business continuity plan. Inability to implement change. Non achievement of value for money. Lack of control over changes to service provision. Bad management of partnership working. Inadequate consultation with service users. Failure to manage and retain service. Failure to communicate effectively with contract employees. Poor management of externally funded projects

Financial
  • Description: Associated with financial planning and control and the adequacy of insurance arrangements
  • Examples: Failure to prioritise, allocate appropriate budgets and monitor. Ineffective/inefficient processing of documents. Missed opportunities for income/grants. Inadequate control over expenditure. Inadequate insurance cover. Inadequate control over income

Legal
  • Description: Related to possible breaches of legislation
  • Examples: Not meeting statutory duties/deadlines. Failure to implement legislative change. Failure to comply with legal directives on procurement of works, supplies and services. Misinterpretation of legislation. Exposure to liability claims, e.g. motor accidents, wrongful advice. Breach of confidentiality/Data Protection Laws

Physical
  • Description: Related to fire, security, accident prevention, health, and safety
  • Examples: Violence or aggression. Loss of physical assets. Non-compliance with Health & Safety legislation. Criminal damage to assets, e.g. vandalism. Injury at work. Failure to maintain and upkeep land. Loss of intangible assets and property

Contractual
  • Description: Associated with the failure of contractors to deliver services or products to the agreed cost and specification
  • Examples: Non-compliance with procurement policies. Poor selection of contractor. Over reliance on key contractors or suppliers. Poor contract specification, deficiencies. Failure of outsourced provider to deliver. Inadequate contract terms & conditions. Failure to monitor contractor. Quality issues

Technological
  • Description: Relating to reliance on operational equipment (e.g. IT systems or equipment) or machinery
  • Examples: Failure of big technology related project. Breach of security of networks and data. Crash of IT systems affecting service delivery. Failure to comply with IT Security Policy. Lack of disaster recovery plans. Bad management of intranet or website

Environmental
  • Description: Relating to pollution, noise or energy efficiency of ongoing service operation
  • Examples: Impact of Planning policies. Noise, contamination and pollution. Crime and disorder implications. Inefficient use of energy and water. Incorrect storage or disposal of waste. Damage caused by trees, tree roots etc.

People Services
  • Description: Associated with staffing issues, e.g. recruitment or retention, sickness management, change management, stress related risk analysis
  • Examples: Capacity issues. Failure to comply with employment law. Over reliance on key officers. Poor recruitment or selection processes. Failure to recruit or retain qualified staff. Lack of training. Lack of employee motivation or efficiency. Lack of succession planning


Sample risk register

Below are the baseline fields required for reporting in departmental risk registers, so that risks can be consistently reported using data captured at a departmental level and aggregated into the corporate risk register where appropriate.

Document Control
  • Title: Title of the register
  • Author: Author of the register, typically the department lead for risk or project manager
  • Date register compiled: Date of issue
  • Issue number: Unique issue number
  • File reference: The location at which the document can be found on the network

Register Content
  • Risk Reference or ID No.: Unique number or identifier to identify the risk
  • Impact on strategic priority: Link the risk to strategic objectives, i.e.
      1. Put children first
      2. Improving islanders' wellbeing and mental health
      3. Creating a sustainable and vibrant economy
      4. Reducing inequality and improving the standard of living
      5. Protect and value our environment
  • Risk Description: Summary description of the risk which will be readily understood by all of the business leaders or project team on completion of the identification process and 12 months later
  • Existing controls: Details of any effective controls; this includes any programmes of work
  • Current RAG status of related programmes: Reflecting the current RAG status from Perform
  • Likelihood score: Assessment of how likely the risk is to happen; the probability can be recorded as a percentage, a category or both
  • Impact score: Impact can be measured in terms of cost, duration, quality or any other business or project objectives using the GoJ impact rating
  • Risk Score: Likelihood x Impact
  • Risk Actions: Further actions or controls not yet in place, but which are planned to mitigate the risk
  • Action owner: The individual responsible for implementing the risk response action under the direction of the risk manager
  • Changes since last EMT presentation: Material changes to the risk profile or controls that should be highlighted since the last EMT risk presentation


Managing business risk assessment

Managing business risk example

This example is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity.

Self certification annual governance statement

​Self certification
Yes​​No
Does the department have in place a risk strategy?​
Has a full risk assessment been carried out in respect of all major capital projects?​
Has the department identified risks against its key objectives?  
Has ownership of key risks been allocated to appropriate individuals so that responsibility and authority for implementing control actions is clear?
Has the department identified the full range of risks specific to its business?
Has a consistent framework for categorising and evaluating risks been developed? 
Has the department assessed the level of acceptable risk for each of its objectives?
Has the department been able to demonstrate how it is managing risks classified as “important” or “immediate action”?   
Have suitable responses to risk been identified? 
Has a mechanism been put in place for reporting key risk issues?  
Are appropriate mechanisms in place to ensure the effectiveness of risk management is reviewed?
Are there procedures in place to ensure that the risk strategy is kept up to date and a process in place to allow for an appropriate review of risks?



Worked example of risk assessment

Example 

The risk of a customer or member of staff slipping and injuring themselves in the customer service centre.

You are scoring the likelihood and the impact of an injury involving a customer slipping in the customer service centre. The risk assessment process requires you to assume the most usual outcome. Looking at the risk criteria, the relevant ones to apply here are Safety, Legal & Regulatory and Reputation.

Safety: The floor surface is not damaged and cleaning and operational routines are correct, but there are a large number of customers and the most frequent cause of injury is slipping. You determine that the likelihood of this injury is “likely” (score 3). The impact is then assessed against the People / Health & Safety criteria in Figure 6.

Figure 6 - Impact Assessment Criteria.

Impact scores and labels: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic. For each category below, the criteria for scores 1 to 5 are listed in turn.

Financial
  1 Negligible: less than 0.25% over budget; increase in expenditure / loss of income less than £10k
  2 Minor: between 0.25% and 0.5% over budget; increase in expenditure / loss of income between £10k and £499k
  3 Moderate: between 0.5% and 0.75% over budget; increase in expenditure / loss of income between £500k and £999k
  4 Major: between 0.75% and 1% over budget; increase in expenditure / loss of income between £1m and £4.99m
  5 Catastrophic: more than 1% over budget; increase in expenditure / loss of income more than £5m

Service Delivery / Operational
  1 Negligible: limited disruption to core public services, with no noticeable effect; little or no impact to the public / customer; minimal programme delays with no impact on key milestones
  2 Minor: temporary disruption contained to a single core public service; localised inconvenience to the public / customer; minor programme delays with recoverable impact on milestones
  3 Moderate: increasingly regular disruption to one or more core public services; impact to the public / customer up to 1 week; regular programme delays impacting one or more milestones
  4 Major: severe disruption to one or more core public services; impact to the public / customer up to 1 month; major delays resulting in significant programme overhaul
  5 Catastrophic: significant, lasting disruption across core services; impact to the public / customer more than 1 month; significant programme delays threatening the entire delivery

Reputational
  1 Negligible: individual grievances with limited internal review; minimal and transient loss of customer / partner trust
  2 Minor: internal scrutiny or investigation to prevent further escalation; minor loss in customer / partner trust that is recoverable quickly
  3 Moderate: local media attention resulting in external committee scrutiny; diminished customer / partner trust that is recoverable over time
  4 Major: local media attention resulting in intense public scrutiny; severely damaged public / customer / partner trust
  5 Catastrophic: national media attention causing public enquiry and outcry; irrecoverable loss of customer / partner trust

Legal and compliance
  1 Negligible: breach of standards / guidelines; no legal action anticipated; negligible financial impact
  2 Minor: breach of policy / regulations; one-off claims or legal issues; minor financial impact
  3 Moderate: serious breach with investigation; ongoing legal / litigation issues; significant financial impact
  4 Major: major breach resulting in fines; major legal actions / prosecutions; major fines with imprisonment
  5 Catastrophic: repeated major breaches; penalties / sanctions imposed; extensive, repeated major fines

People / Health & Safety
  1 Negligible: incident with no injury sustained; negligible effect on public / staff wellbeing / personal safety; no impact on staff morale
  2 Minor: minimal injury sustained; minor impact on public / staff wellbeing / personal safety; localised staff complaints
  3 Moderate: significant injury sustained; short-term impact on public / staff wellbeing / personal safety; short-term impact on staff morale
  4 Major: long-term disability sustained; ongoing impact on public / staff wellbeing / personal safety; major industrial action
  5 Catastrophic: casualty sustained; long-term impact on public / staff wellbeing / personal safety; widespread industrial action

Economic
  1 Negligible: negligible impact on the local economy that can be absorbed
  2 Minor: limited impact on the economy, isolated to one or more sectors
  3 Moderate: limited impact on the local economy
  4 Major: major impact on the economy in one or more sectors
  5 Catastrophic: serious, long-term impact on the economy, potentially permanent

Environmental / Social
  1 Negligible: minimal damage to isolated infrastructure / properties; no lasting detrimental impact to the environment; minimal impact on the local community
  2 Minor: minor and localised damage to infrastructure / properties; short-term detrimental impact to the environment; noticeable and manageable impact on the local community
  3 Moderate: major, short-term damage to infrastructure / properties; long-term detrimental impact to the environment; severe and manageable impact on the local community
  4 Major: serious, long-term damage to infrastructure and properties; extensive damage to the environment; serious damage to the whole Island community
  5 Catastrophic: complete destruction of core Island infrastructure; widespread and irrecoverable damage to the environment; significant, lasting damage to the whole Island community

Note: Your reasoning is that your experience shows that most injuries are not serious, even though it is possible that some injuries could result in a fracture. The most usual outcome is therefore multiple minor injuries to more than one person, which the example labels “moderate” and scores 2 for impact (in the People / Health & Safety criteria of Figure 6, a score of 2 corresponds to “minimal injury sustained”).

The Safety risk rating is the combination of these two scores (2 x 3 = 6) which equals a medium risk (amber).

Legal & Regulatory: We also need to assess the scores for Legal & Regulatory. Your reasoning is that because the floor condition was good and controls were in place to minimise the risk materialising, then although legal action might be possible, the likelihood would be “less than likely” (score 2). For the same reason the impact of any legal action would be “moderate” (it would result in a penalty or compensation award at the low end of the range: score 2 on the risk scoring criteria). The risk rating is the combination of these two scores (2 x 2 = 4), which equals a low risk (green).

Reputation: We also need to assess the scores for Reputation. Your reasoning is that because this is a single site, and given the assessment above of multiple potential minor injuries to more than one person, some local media coverage is possible. You therefore score 2 (“Less than likely”) for likelihood and 2 (“Moderate”) for impact.

The Reputation risk rating is therefore (2 x 2 = 4) which equals a low risk (green).

When prioritising the risk, if more than one risk criterion has been used, take the highest of the scores assessed in this process.

In this case the Safety risk rating of 2 x 3 = 6 is the highest, so plot 2 for impact and 3 for likelihood on the heat map.
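The scoring procedure above (score each relevant criterion as likelihood x impact, take the highest score as the overall rating, then plot it on the heat map) can be encoded so that every risk on a register is scored the same way. The following is an added illustration written for this page, not Government of Jersey code. The impact labels are those of Figure 6; the page fixes only two points of the RAG banding (a score of 4 is low/green and 6 is medium/amber), so the remaining thresholds in RAG_BANDS are an assumption and should be replaced with the organisation's own heat map boundaries.

```python
"""Risk scoring as in the worked example: each criterion gets a likelihood x
impact score, the highest score governs, and the governing risk is plotted on
a 5x5 heat map.  Added illustration, not Government of Jersey code."""
from dataclasses import dataclass

# Impact labels for scores 1..5, taken from Figure 6.
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# RAG banding as (upper score, colour).  The page fixes only 4 = green and
# 6 = amber; ASSUMPTION: the amber/red boundary at 12 is assumed here.
RAG_BANDS = ((4, "green"), (12, "amber"), (25, "red"))


@dataclass(frozen=True)
class CriterionScore:
    """One criterion (e.g. Safety) scored for likelihood and impact, each 1..5."""
    criterion: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in IMPACT_LABELS:
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rag(score: int) -> str:
    """Map a risk score (1..25) to its RAG colour using RAG_BANDS."""
    for upper, colour in RAG_BANDS:
        if score <= upper:
            return colour
    raise ValueError(f"score out of range: {score}")


def governing(scores: list[CriterionScore]) -> CriterionScore:
    """The highest-scoring criterion governs; ties favour the higher impact."""
    if not scores:
        raise ValueError("at least one criterion must be scored")
    return max(scores, key=lambda s: (s.score, s.impact))


def assess(scores: list[CriterionScore]) -> dict:
    """Overall rating for a risk: the governing criterion, its score and RAG."""
    g = governing(scores)
    return {"criterion": g.criterion, "likelihood": g.likelihood,
            "impact": g.impact, "score": g.score, "rag": rag(g.score)}


def heat_map(plotted: CriterionScore) -> str:
    """Render the 5x5 heat map (likelihood down the side, impact across) with
    the plotted risk marked X and every other cell marked g/a/r."""
    rows = []
    for likelihood in range(5, 0, -1):
        cells = []
        for impact in range(1, 6):
            if (likelihood, impact) == (plotted.likelihood, plotted.impact):
                mark = "X"
            else:
                mark = rag(likelihood * impact)[0]
            cells.append(f"{mark:>3}")
        rows.append(f"L{likelihood} |" + "".join(cells))
    rows.append("   +" + "-" * 15)
    rows.append("    " + "".join(f"{'I' + str(i):>3}" for i in range(1, 6)))
    return "\n".join(rows)


# The slip-hazard example from the page: Safety 3x2, Legal 2x2, Reputation 2x2.
SLIP_EXAMPLE = [
    CriterionScore("Safety", likelihood=3, impact=2),
    CriterionScore("Legal & Regulatory", likelihood=2, impact=2),
    CriterionScore("Reputation", likelihood=2, impact=2),
]

if __name__ == "__main__":
    print(assess(SLIP_EXAMPLE))
    print(heat_map(governing(SLIP_EXAMPLE)))
```

Running the block reports Safety as the governing criterion with a score of 6 (amber) and prints the heat map with an X at likelihood 3, impact 2, matching the plot described above; scoring a criterion outside 1..5 is rejected rather than silently multiplied.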

Government of Jersey Risk Management Strategy

Glossary of terms

​Term
Definition

Benefits  ​

The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders ​

Business Continuity Plan​

A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams

Business risk​

A threat to the achievement of a business objective / benefit ​

Consequence​

The outcome of an event

Contingency​

An action or arrangement that can be put into place to minimise the impact of a risk should it occur​

Control or control measures​

Any action, procedure or operation undertaken to contain a risk to an acceptable level​

Corporate Governance​

The method by which an organisation directs and controls its functions and relates to its community ​

Key Risk Indicator (KRI)​

A measure to identify a trend ​

Hazard​

A description of the source of the risk i.e. the event or situation that gives rise to the risk also known as source of risk​

​Identifying risks 

The process by which events that could affect the achievement of objectives, are analysed and described and listed​

​Impact

Impact is the result of a particular threat or opportunity actually occurring ​

​Issue

An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk which has not yet, or might not occur)​

​Likelihood

This is the evaluated likelihood of a particular threat or opportunity actually happening

​Mitigation plan

A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur​

​Objective

Something worked towards or striven for, a goal​

​Operational risks

Risks associated with the day-to-day issues that an organisation might face as it delivers its services​

​Opportunity

An uncertain event that could have a favourable impact on objectives or benefits​

​Outcome

The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived.  Outcomes are achieved as a result of the activities undertaken to effect the change​

​Periodic review

A review that occurs at specified regular time intervals​

​Project risks

Risks associated with a specific activity, which has defined goals, objectives, requirements, a life cycle, a beginning and an end​

​Proximity of risk

The time factor of a risk i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur​

​Responsible manager

Manager who has responsibility for taking specified action​

​Risk

An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.  This could be an opportunity as well as a threat​

​Risk appetite

The level of residual risk that the Government of Jersey is prepared to accept, tolerate or be exposed to at any point in time​

​Risk evaluation

The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together​

​Risk identification

Determination of what could pose a risk; a process to describe and list sources of risk, both threats and opportunities​

​Risk management

The culture, organisational structure and ongoing processes for the management of risk​

Risk prioritisation matrix

The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk​

​Risk owner

A role or individual responsible for the management and control of all aspects of individual risks, and has authority to implement the measures required. May also be known as Accountable Manager​

​Risk perception

The way in which a risk is viewed based on a set of values or concerns​

​Risk profile

Describes the types of risk faced by an organisation and its exposure to these risks​

​Risk source

A description of the source of the risk i.e. the event or situation that gives rise to the risk​

​Risk register

A record of all identified risks relating to an area of activity which includes their status and mitigating controls​

​Risk strategy

The overall organisational approach to risk management​

​Risk tolerance

The threshold of risk exposure, which with appropriate approvals, can be exceeded but which when exceeded will trigger some form of response e.g. reporting the situation to senior management for action​

​Strategic risks

Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Government's objectives

​Terminate

A risk response to a threat.  A deliberate decision to stop an activity which generates a risk​

​Threat

An uncertain event that could have a negative impact on objectives or benefits​

​Tolerate

A response to a threat. A deliberate decision to retain the threat​

​Transfer

A risk response for a threat whereby a third party takes on the responsibility for an aspect of the threat​

​Treat

A risk response to a threat. Proactive actions are taken to reduce the threat​

