Risk management guidance

Scope and purpose

This Risk Management Guidance applies to all Government Bodies as defined in Article 1 of the Public Finances (Jersey) Law 2019, and covers the management of risks both to the Government of Jersey and to related bodies. It describes the guidance that will help operationalise the Risk Management Strategy, and it defines the approach, procedures, roles and responsibilities for managing risks associated with the Government of Jersey.

The Risk Management Guidance has been designed to:
- align with ISO 31000:2018 (International Organization for Standardization)
- enable a consistent method for managing risks and issues across the Government of Jersey
- allow for flexible application at corporate, directorate and departmental level, and at major programme and project level

As outlined in the Government of Jersey Risk Management Strategy 2019, there are three distinct levels of risk management profile across the government: Corporate; Departmental and Programme; and Directorate and project. This three-tier approach to managing risk and maintaining an effective control environment depends on a consistent and standardised process that recognises specific objectives at each level. This guidance covers:

Tier: main area of focus
- Corporate level: risks related to the Government of Jersey's Strategic Policies and Outcomes
- Directorate level: risks related to the management of interdependencies and the delivery of services to Islanders within scope, time, budget and quality requirements
- Departmental/project level: operational risks related to the day-to-day performance of activities serving Islanders

This guidance is intended to provide practical direction to all Government Bodies on how to comply with the intent of the Risk Management Strategy and, in turn, the Public Finances Law and its supporting manual.
Government staff should feel enabled, not constrained, by the guidance; it is not intended to capture comprehensively all the risk management activities across the Government of Jersey, but to provide guidance and support to enhance, embed and further integrate sound risk management practices and culture across the Government of Jersey.

Approvals and revisions

Staff may recommend changes to this document by referring to their appropriate direct reporting line authority. This document should be formally reviewed by the Director, Risk and Audit for its completeness, adequacy and alignment to business imperatives (current and future) at least every year, or more frequently if deemed necessary. The Executive Management Team must formally approve any amendments.

Establishing risk context

Our risk management commitment

The Government of Jersey delivers a wide range of services and encounters many of the challenges faced by much larger public sector organisations. Like most organisations, we operate in an increasingly complex, rapidly changing environment. We are not immune to global political, social and economic factors.

The Government of Jersey's vision is to build a sustainable and successful future for Jersey despite increasing demands on our services and the backdrop of uncertainty and change. We need to manage the threats to our objectives and capitalise on the opportunities that will improve our chances of success.

As stated in the Risk Management Strategy, our vision for risk management is to ensure that the Government of Jersey has a consistent, pragmatic and fit-for-purpose approach to its internal risk management structure, systems, culture and capabilities, in order to support effectively the achievement of its strategic priorities over the next 12 months and beyond.
It is the responsibility of everyone connected to the Government of Jersey to play a part in understanding and practising risk management activities, as set out in this guidance, as they undertake their daily tasks. Specific responsibilities are set out in the Risk Management Strategy. This Guidance should be read in conjunction with the Government of Jersey's Risk Management Strategy.

Michael Thomas, Director of Risk and Audit

Acknowledgments
- Institute of Risk Management (IRM)
- ISO 31000:2018 (International Organization for Standardization)

What is risk?

Wherever there is a decision or action to be taken, there is the potential for risk. There are many definitions of risk, but for the purpose of this guidance the Government of Jersey (GoJ) defines risk as:

"Something that might happen that could have an effect on Government of Jersey objectives"

This means that a risk can be either a negative threat or a positive opportunity. There are some common misconceptions about what a risk is. People often confuse risks with issues, incidents and hazards.

A hazard is the source or origin of the event. For example, a swimming pool filled with sharks is a hazard. It only becomes a risk when someone might fall in. There can be many hazards around, but it is only when people, systems, property etc. are exposed to them that they become risky.

Similarly, there is often confusion over the difference between an issue, an incident and a risk. An incident is something that has happened; an issue is something that is happening or will happen; a risk is something that might happen and has not yet occurred.
This guidance is designed to help risk managers and risk leads to develop an effective and efficient risk management framework that is appropriate for their Directorate, Department, Programme or Project, and works through the following questions:
- what do you want to achieve?
- what can stop you achieving your goals?
- how big is the risk?
- what is the chance of it happening?
- what has been done about it?

This guidance also provides us with a common language for the way we talk about risk in the Government of Jersey. This enables us to simplify and standardise our approach, and ensures risks are managed and reported consistently.

What is risk management?

Risk management is the culture, organisational structure and ongoing process of managing the risks to the provision of services or the development of our economy. It is about getting the right balance between innovation and change on the one hand, and the avoidance of shocks and crises on the other, in a consistent and systematic way. The benefits of effective risk management at an enterprise or corporate level are outlined in the Government's Risk Strategy.
Why adopt an Enterprise Risk Management approach?

In a day-to-day operational context, there are a number of reasons to adopt it:
- to comply with legal and regulatory obligations as well as customer requirements
- to provide senior management with assurance that significant risks have been identified and appropriate controls are in place
- to help make the correct business decisions: risk management should provide sound information to support business decision making
- to help ensure that business processes and projects are both effective and efficient

When implemented and maintained in accordance with these guidelines, the management of risk will enable us to:
- increase the likelihood of achieving objectives
- encourage proactive management
- improve governance
- better identify opportunities and threats
- comply with relevant legal and regulatory requirements and international norms
- enhance health and safety performance, as well as environmental protection
- establish a reliable basis for decision making and planning
- be aware of the need to identify and treat risk throughout the organisation
- improve mandatory and voluntary reporting
- improve stakeholder confidence and trust
- improve controls and organisational resilience
- effectively allocate resources for risk treatment
- improve operational effectiveness and efficiency
- improve loss prevention and incident management
- minimise losses
- improve organisational learning

A key element of Enterprise Risk Management is a consistent approach to identifying and controlling risks through risk assessment. This is known as the risk management process and is described in more detail in the Risk management process section.

Mandatory requirements

We all have a part to play in the management of risk. Our level of responsibility will vary depending on our individual roles. Section 5 of the Risk Strategy document outlines at a high level the roles and responsibilities of each risk group and stakeholder.
In addition to this, there are a number of mandatory reporting requirements in which risk management plays a pivotal role.

Governance and Assurance Statements

The Principal Accountable Officer and the Treasurer sign an Annual Governance Statement, which forms part of the Annual Report and Accounts and includes a statement on risk management and key risks. Each Accountable Officer is personally responsible for signing an Assurance Statement, which sets out the basis on which their responsibilities have been discharged, including the management of risk in their department. A self-assessment checklist for completing Departmental Annual Governance Statements is shown in the appendix.

Alignment with Corporate Strategy and Business Planning

A strategic approach to risk management aligns risks to Directorate and/or Departmental objectives. These should be aligned to the Common Strategic Policy priorities and, in future, to the desired outcomes stated in the Government Plan. Each Directorate/department must set out a risk management strategy that shows clearly how risk management has been embedded into its business plans.

Major projects

A full risk assessment is required for all major projects. You can find a definition of a major project, along with details of thresholds, procedures and guidance, in the Public Finances Manual and supporting guidance. Risk assessments are also strongly recommended for minor projects.

Recording risks

Each Government Directorate and associated body must maintain a risk register. This is a formal record of all risks that have been identified in the relevant areas. As a minimum, Departments must maintain a Departmental risk register that is aligned to the Corporate Risk Register. It is the responsibility of Departmental Risk Leads, with the agreement of their respective Directors General and leadership teams, to coordinate risk management activities for the departments and projects within their Directorates.
A sample risk register is included in the appendix.

Reporting risks

Whatever structure is adopted to allocate responsibilities for risk management, it is important that a mechanism is in place for reporting risks to the leadership teams. You can find a suggested approach in the appendix.

Quarterly corporate risk management cycle
1. Principal risks from the Corporate Risk Register are cascaded down to the relevant directorates by the Risk and Audit Team.
2. Directorate Leadership Teams own and manage the relevant principal risks, in addition to specific risks that are material for their area. Risks may be further cascaded down to departmental and project level for management.
3. Directorate Risk Leads collate risk information relevant to their area and update their respective risk register. At a minimum, risk leads present key risks for discussion with their respective leadership team quarterly.
4. Directorate Risk Registers are escalated to the Risk and Audit Team according to a defined and agreed schedule, for identification of common or emerging key risks that could affect the Corporate Risk profile.
5. The Director of Risk and Audit chairs a Departmental Risk Group meeting to discuss and agree the amendments to be made to the Corporate Risk Register.
6. The Risk and Audit Team updates the Corporate Risk Register with the proposed amendments, to be presented to the Risk and Audit Committee and the Executive Management Team for discussion and agreement on next steps.
7. The Risk and Audit Team produces a Strategic Risk Report containing a summary narrative of the revised Corporate Risk Profile and the risk response plan, for circulation to Directorate Leadership Teams and relevant risk action owners.

Related risk policies

Some departments will have policies that reflect risks specific to their department.
This guidance does not try to identify all policies that apply to each department; you should consult with your leadership teams to identify all policies applicable to your department.

There are several related government-wide risk documents, namely the Government of Jersey Risk Management Strategy, the Public Finances (Jersey) Law and the Public Finances Manual. Consideration should also be given to specific guidance in relation to:
- Business Continuity
- Financial Management and Control
- Well-being and Health
- Information and Data Security
- Records Management

Risk appetite and tolerance

Before identifying and assessing risks, you should consider the amount and type of risk that you can or are prepared to accept, tolerate or be exposed to at any point in time. This is known as risk appetite. There will be many different risk appetites across the organisation due to the diverse range of activities. Working with defined risk appetites is a developing area, and the Government of Jersey aims to define and develop Key Risk Indicators (KRIs) as part of its 2019 risk management activity in order to improve the tracking and monitoring of its tolerance towards risk. A consultation will be held with Leadership Teams in the near future to agree the Government of Jersey Risk Appetite Statements and tolerances.

Risk governance, roles and responsibilities

The Government of Jersey Risk Strategy document sets out the risk management governance, roles and responsibilities of the various groups and stakeholders across the Government of Jersey. Where applicable, each Department should adopt a similar structure to ensure that risks are identified and appropriately assessed in a timely manner. Leadership teams should consult with the Risk and Audit team to ensure that appropriate risk governance is in place within their respective areas.
Risk culture and leadership

All elements of the framework are underpinned by clear leadership and a positive, open, 'no-blame' culture that encourages colleagues always to "do the right thing". We all have a role to play in delivering effective risk management.

Culture is 'the way we do things around here'. A strong risk management culture is key to building trust and transparency. An open and honest "speak up" culture that encourages the effective management of risk will deliver long-term sustainable results for our organisation.

There are five components to building a risk-aware culture:

Cultural component: behaviours and attitude
- Strong leadership: reinforcing the importance of risk management across strategy, projects and operations
- Involvement: involving the right people at the right stages of the risk management process
- Learning: building a common level of understanding and learning from events
- Accountability: clear, appropriate accountability and the absence of a blame culture
- Communication: open communication on all risk management issues and lessons learnt

Together we are building a culture where:
- everyone understands the risks they personally manage and is empowered and qualified to be accountable for them
- doing the right thing, for customers and our business, is always paramount
- everyone has risk management embedded in their ways of working
- everyone is encouraged to actively identify risks and take appropriate action
- risk is a business enabler and not a bureaucratic hindrance
- we see risk as an opportunity when balanced with reward
- there is no fear of escalating bad news, and people feel they can use the whistleblowing policy with confidence
- positive risk management behaviour is reinforced and rewarded

Risk management process

The risk management process is a continuous cycle.
It aims to help manage threats that may hinder delivery of priorities and to maximise opportunities to deliver them.

The cycle consists first of establishing the context: the environment in which the Government of Jersey operates, taking into consideration the scope of our activities, our objectives and desired outcomes for Islanders, and other relevant external factors. We should also consider relevant internal factors such as the criteria, thresholds and tolerances used at corporate and departmental level for evaluating risks, along with any relevant policies and procedures, including those that form part of the Enterprise Risk Management framework.

Once the context has been established, the process involves identifying, analysing and evaluating each risk in the light of existing controls, and then treating the risks. Risks are then recorded in a risk register to be monitored and reviewed regularly.

Every stage of the risk management process should be carried out in consultation with the appropriate people and, as part of the compliance requirement, risks must be escalated and reported appropriately and in a timely manner.

Figure 2 – The risk management process

Identifying risk

In order to manage risk we need to understand where risks might exist and plan how to deal with them. This will not only make our workplace safer, it will also help us to achieve our objectives efficiently and effectively. If we can reduce the likelihood of potential problems by anticipating them, we can concentrate our efforts on providing the best possible services for Islanders.

Each department should identify the risks to its key objectives. The ideal starting point is to identify any risks to the objectives in the departmental business plans. Risks to business as usual should be included in a risk assessment, even if they are not highlighted in the business plans.
The best people to identify and control risks are those who are directly responsible for the activity. The group identifying the risks should include the risk 'owner', i.e. the person who will be responsible for designing and implementing controls and who can provide early warning of difficulties.

When to identify risks

It is important that teams regularly consider and discuss risks and ensure they are captured accurately and in a timely way. Risk identification is a dynamic, proactive and ongoing process, with new and emerging risks being identified based on changes to the internal or external environment.

Examples of when to consider risk identification include:
- consideration of risks in the course of day-to-day activities
- input from objective setting, projects, and business and operational planning
- conducting a specific formal risk workshop
- a formal internal or external process review
- particular events that could result in new or emerging risks

When thinking about risks you can look at events, such as the failure of a database, a criminal prosecution or an increase in demand for services, or at processes, such as the management of health and safety, financial control or client care management.

There are three key considerations for risk identification:
- Risks are not just threats; they may also represent opportunities that the GoJ may wish to leverage or realise.
- Risks are possible future events that have not yet occurred.
- The identification step should not be done in isolation and should involve input from all stakeholders.
This input ensures that a greater variety of risks and concerns are addressed, and stakeholders are given the opportunity to engage and commit to owning risks and taking accountability for treatments.

Once the risks have been identified, it is important to identify the likely causes of the risk event (relating to the source of the risk) and the possible consequences arising from it. You should think about risks in terms of cause-event-effect:
- Cause: what are the underlying (root) causes of the risk? (for example, power supply failure)
- Event: what event or incident would occur as a result of the cause? (for example, system outage)
- Effect: what is the impact or consequence of the risk occurring? (for example, financial loss, reputational damage, legal action)

Bowtie method

Another way to think about risk identification is the risk Bowtie method, illustrated in figure 3a below and covered in more detail in the Analysing and evaluating risks section.

Figure 3a - The risk Bowtie

When describing risks or creating a risk statement, you might find it useful to think of the 'if and then' statement shown in figure 3b below. For example: if a USB data stick containing sensitive data is stolen, which leads to loss of data, then this may result in reputational damage and a financial impact by way of fines and compensation.

Figure 3b - If and then example

Describing risks can be challenging.
The table below shows some examples of where a risk has been described incorrectly.

Example: poorly described risk
- Objective: Objective: "to get to London for a weekend break." Risk: "not getting to London on Friday evening."
- Success of the objective: "Going to London for the weekend may result in us spending more money than we intended."
- Composite risks: "I might miss the plane, or the plane could be cancelled, or the city transfer is unavailable."
- One-word risks: "Fraud", "Fire", "Reputation"
- Statement of fact: "There is a risk that projects may fail."
- Failure to…: "Failure to recruit enough staff", "Failure to control costs"
- Incident: "Due to the server crashing"
- Issues: "Because we don't have enough staff…", "When the new legislation is introduced…"
- Whinge: "Cuts to services are being reported by the media, who create a lot of work for us by making demands for statements and information. This costs us time and money and is a considerable inconvenience."
- Essay: "The introduction of new employment law will mean additional staffing costs. We are also moving to new premises and introducing a new IT system, so we are likely to overspend against budget, thus necessitating cut-backs next year, increasing scrutiny and damaging our reputation."

The table below shows some examples of where a risk has been described correctly.
Risk language
- Cause: a definite fact
- Event: an uncertain event or set of circumstances
- Effect: a direct impact on our Department objective

Cause / Event / Effect
- As a result of using novel hardware… / …unexpected system integration errors may occur… / …which could lead to overspending in the department.
- Because our organisation has never done a project like this before… / …we might misunderstand the customer's requirements… / …which could mean our solution does not meet the quality acceptance criteria.
- We have to outsource parts of our service… / …so we may be able to learn new practices from our selected partner… / …which could lead to increased efficiency, productivity and quality.
- Because we don't have experience using this technology… / …we might not have the necessary skilled staff to carry out the design work… / …which could lead to a delay in the project while we train our staff.
- The project is planned to take place in the summer… / …so skilled student labour may be available to recruit… / …which would mean that time could be saved on all activities that take place over that period.
- Because there are three other projects taking place in the same time frame… / …we may be able to utilise skilled staff as they become available from another project… / …which would allow us to deliver early to the customer.

The nature of a risk falls into one of two categories: Strategic and Operational.

Strategic risks

Strategic risks are those arising from major events which could affect the whole of the Government of Jersey, e.g. a major overspend or serious damage to the reputation of the Government of Jersey. Their sources of origin include:
- political
- economic
- social
- technological
- environmental
- competitive
- customer / stakeholders

Operational risks

Operational risks are those arising from the day-to-day management of activities within Departments, and are less likely to impact on other Departments or the Government of Jersey as a whole.
Their sources of origin include:
- professional
- financial
- statutory duties and responsibilities
- physical
- contractual
- technological
- environmental

The above sources of risk are expanded in the appendix. Understanding the nature of a risk will provide context and help you to identify and articulate your risks clearly. The nature of a risk concerns where the source of the risk could potentially arise; considering each of these elements against your day-to-day activities will help ensure that you have sufficiently considered the multiple aspects of risk.

Risk classification

Once you have identified a risk, it can be classified according to its attributes, such as timescale for impact, nature of impact and/or likely magnitude. This will help drive consistency across the organisation, allow common risks to be articulated at the corporate level and help drive investment decisions. Specifically, the Government of Jersey classifies risks based on the types of impact a risk could have on the Government of Jersey and its ability to achieve its objectives.
In general, the Government of Jersey's risks are classified within these seven categories:
- financial: impact on the amount of money available to the Government of Jersey, or on the efficiency or effectiveness with which it can be used
- service delivery: impact on the quality or quantity of a service available to any customers / service users
- reputational: impact on the confidence or trust Islanders (or other stakeholders) have in the Government of Jersey's commitment and ability to deliver outcomes, or on their perception of the government's progress towards them
- legal and regulatory: impact on the government's ability to fulfil any legal or regulatory obligations it has
- people / health and safety: impact on the health, wellbeing or safety of Government of Jersey staff or the public
- economic: direct impact on the economy of Jersey
- environmental / social: direct impact on the community or environment of Jersey

When identifying risks, a balance is needed between making a long list of hundreds of risks, which will be complex to manage, and a handful of risks defined at too high a level to be useful. Practice, and consulting with your risk experts, will enable the right level to be achieved through risk classification.

Analysing and evaluating risks

Once risks are identified and classified, the next step is to get a better understanding of each risk. First, we need to assess the risk to further understand its context, root causes and potential impacts, and the current controls in place. There are various risk analysis techniques available; the suggested approach is to use the bow-tie risk analysis method shown in figures 5a and 5b.

Figure 5a - Risk Bowtie

For each risk, put the risk description in the middle of the bow-tie, then record the threats, causes or sources of the risk on the left-hand side, alongside any preventative controls that stop the risk occurring. You can then record the impacts or consequences of the risk on the right-hand side.
This helps identify the type of response you will need to lessen the risk impact.

Figure 5b – Example of Bowtie risk evaluation

Impact or consequence

The consequence of a risk is the effect or result of a particular event, in the context of the identified existing controls. The Government of Jersey's impact criteria have been aligned to the Government's risk categories where appropriate, to ensure uniformity between the organisation's risk ratings. Figure 6 below provides an impact rating scale for each category.

Impact levels: Negligible (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)

Financial
1 Negligible: less than 0.25% over budget; increase in expenditure / loss of income under £10k
2 Minor: between 0.25% and 0.5% over budget; increase in expenditure / loss of income £10k to £499k
3 Moderate: between 0.5% and 0.75% over budget; increase in expenditure / loss of income £500k to £999k
4 Major: between 0.75% and 1% over budget; increase in expenditure / loss of income £1m to £4.99m
5 Catastrophic: more than 1% over budget; increase in expenditure / loss of income more than £5m

Service delivery / operational
1 Negligible: limited disruption to core public services, with no noticeable effect; little or no impact on the public / customer; minimal programme delays with no impact on key milestones
2 Minor: temporary disruption contained to a single core public service; localised inconvenience to the public / customer; minor programme delays with recoverable impact on milestones
3 Moderate: increasingly regular disruption to one or more core public services; impact on the public / customer for up to 1 week; regular programme delays impacting one or more milestones
4 Major: severe disruption to one or more core public services; impact on the public / customer for up to 1 month; major delays resulting in significant programme overhaul
5 Catastrophic: significant, lasting disruption across core services; impact on the public / customer for more than 1 month; significant programme delays threatening the entire delivery

Reputational
1 Negligible: individual grievances with limited internal review; minimal and transient loss of customer / partner trust
2 Minor: internal scrutiny or investigation to prevent further escalation; minor loss of customer / partner trust that is recoverable quickly
3 Moderate: local media attention resulting in external committee scrutiny; diminished customer / partner trust that is recoverable over time
4 Major: local media attention resulting in intense public scrutiny; severely damaged public / customer / partner trust
5 Catastrophic: national media attention causing public enquiry and outcry; irrecoverable loss of customer / partner trust

Legal and compliance
1 Negligible: breach of standards / guidelines; no legal action anticipated; negligible financial impact
2 Minor: breach of policy / regulations; one-off claims or legal issues; minor financial impact
3 Moderate: serious breach with investigation; ongoing legal / litigation issues; significant financial impact
4 Major: major breach resulting in fines; major legal actions / prosecutions; major fines with imprisonment
5 Catastrophic: repeated major breaches; penalties / sanctions imposed; extensive, repeated major fines

People / health and safety
1 Negligible: incident with no injury sustained; negligible effect on public/staff wellbeing/personal safety; no impact on staff morale
2 Minor: minimal injury sustained; minor impact on public/staff wellbeing/personal safety; localised staff complaints
3 Moderate: significant injury sustained; short-term impact on public/staff wellbeing/personal safety; short-term impact on staff morale
4 Major: long-term disability sustained; ongoing impact on public/staff wellbeing/personal safety; major industrial action
5 Catastrophic: casualty sustained; long-term impact on public/staff wellbeing/personal safety; widespread industrial action

Economic
1 Negligible: negligible impact on the local economy that can be absorbed
2 Minor: limited impact on the economy, isolated to one or more sectors
3 Moderate: limited impact on the local economy
4 Major: major impact on the economy in one or more sectors
5 Catastrophic: serious, long-term impact on the economy, potentially permanent

Environmental / social
1 Negligible: minimal damage to isolated infrastructure / properties; no lasting detrimental impact on the environment; minimal impact on the local community
2 Minor: minor and localised damage to infrastructure / properties; short-term detrimental impact on the environment; noticeable and manageable impact on the local community
3 Moderate: major, short-term damage to infrastructure / properties; long-term detrimental impact on the environment; severe and manageable impact on the local community
4 Major: serious, long-term damage to infrastructure and properties; extensive damage to the environment; serious damage to the whole Island community
5 Catastrophic: complete destruction of core Island infrastructure; widespread and irrecoverable damage to the environment; significant, lasting damage to the whole Island community

Figure 6 - Impact Assessment Criteria

Likelihood

Assessment of likelihood requires consideration of the potential occurrence and frequency of a risk event, in the context of the identified existing controls. Figure 7 below provides guidance on assigning a likelihood to risks.

Likelihood: description; probability of a single event; frequency of event
1 Rare: will only occur in exceptional circumstances; less than 10%; not a foreseeable occurrence
2 Unlikely: may occur at some time but not likely to occur in the foreseeable future; 10% to 25%; could happen once every 5 years
3 Probable: may occur at some time within the foreseeable future; 26% to 50%; could happen once per year
4 Likely: will probably occur in most circumstances; 51% to 80%; could happen once per month
5 Almost certain: expected to occur in most circumstances; more than 80%; could happen once per week

Figure 7 – Likelihood Assessment Criteria

The Government of Jersey's 'risk appetite' is established by way of criteria for existing controls, impact, likelihood and overall risk ratings. These criteria set the decision boundaries within which staff are expected to operate as they seek to deliver on objectives.
These criteria enable the Government of Jersey to achieve a simple and consistent approach to decision making, giving full consideration to the impact / consequences arising from risks, the likelihood of occurrence, and the costs and benefits of treatments.

The Government of Jersey's overall risk ratings set the boundaries and expectations in relation to what level of risk the organisation is prepared to accept in the pursuit of its objectives. Figure 8 below illustrates how overall risk ratings are generated: each cell is the likelihood score multiplied by the impact score, coloured by rating band.

Risk Rating Matrix

Likelihood \ Impact | Negligible: 1 | Minor: 2 | Moderate: 3 | Major: 4 | Catastrophic: 5
Almost certain: 5 | 5 Medium | 10 High | 15 Extreme | 20 Extreme | 25 Extreme
Likely: 4 | 4 Medium | 8 High | 12 High | 16 Extreme | 20 Extreme
Probable: 3 | 3 Low | 6 Medium | 9 High | 12 High | 15 Extreme
Unlikely: 2 | 2 Low | 4 Medium | 6 Medium | 8 High | 10 High
Rare: 1 | 1 Low | 2 Low | 3 Low | 4 Medium | 5 Medium

Figure 8 – Risk Rating Criteria

Risks are assessed in terms of their impact and likelihood. The impact and likelihood of each risk is assessed against predetermined measures and given a rating from 1 to 5. Impact ratings should reflect the most significant impact reasonably foreseeable. There are a number of different types of impact against which risks are assessed; the overall impact rating should be equal to the most severe of these.

Treating risks

Prioritising risks

Having identified and assessed a risk, you should then decide what initial or further action is needed to control it, or to overcome barriers, so that you achieve your objective. In order to do this, all risks need to be prioritised based on the level of risk that the organisation is willing to accept. The Government of Jersey's leadership teams must weigh the cost of various treatment plans against the consequences and likelihood related to the risk. Any risks that exceed management's tolerance threshold should be referred immediately to the next level of management for guidance.
The table below illustrates the treatment action expectations for risks:

Risk Rating | Management
Low (between 1 and 3) | Managed at a service level by the action lead in the departmental wide or project risk register. Assurance will be provided to the accountable manager on the management of this risk. (Note: not normally escalated to CSB/EMT level)
Medium (between 4 and 6) | Managed at a departmental level by the action lead via the departmental wide or project risk register. The accountable manager will monitor the delivery of any actions. (Note: not normally escalated to CSB/EMT level)
High (between 8 and 14) | Managed by the accountable manager. Actions prioritised and agreed with the executive owner. (Note: not normally included in the Corporate Risk Register)
Extreme (between 15 and 25; Principal Risks) | Managed on a day-to-day basis by the accountable manager and reviewed as a minimum on a monthly basis with the executive owner. Actions prioritised / agreed on a monthly basis and subject to scrutiny by the appropriate departmental leadership team / Director General. (Note: included in the Corporate Risk Register)

As part of this process, you should identify which of the controls are more critical in terms of their effectiveness. It may be helpful to list controls in order of their criticality. Although those risks requiring early or closer attention have been identified, there may be other risks that are suitable for a "quick fix" and can be quickly and easily controlled.

The risk assessment process is judgemental, and it is important that decisions are documented for future understanding and review. Keep a note of the following information for each identified risk: a unique identifier, the name of the risk, the risk description, the current controls, the likelihood and impact scores, the overall risk rating, and any notes, judgements and decisions made during the process.
It is also useful to keep a note of who was involved in the process and the date of each process step for later reference.

The reporting schedule for risks is integrated with existing reporting processes across each directorate, department, programme or project. A risk heat map must be submitted by the departmental risk leads to the Risk & Audit team as part of the annual risk reporting schedule. Section 3 outlines in further detail the reporting requirements from departments through to the corporate level.

Responding to risk

When determining an appropriate response to risk, you should consider the risk response options. Risk responses need to be determined as a minimum for those risks that are rated Extreme or High. Some questions that may help determine the correct response to a risk:

- Where have other organisations failed or capitalised? How could this relate to the Government of Jersey?
- How can we proactively address the risk?
- Are there known internal control weaknesses or failures?
- What level of risk are we comfortable taking and why (risk appetite / tolerance)? Will the target risk level be within the risk appetite?
- Across the industry, what is common or good practice, and how close to this do we want to be?

It is critical to document the risk response, who approved the response and the reasoning, for future reference.
Where the decision is to accept a risk, a review cycle must be set to periodically review the risk to ensure that the risk response remains the best approach.

Response options

Response | What | When | Why | Other considerations
Tolerate | Do nothing and continue as planned | For unavoidable risks, or those so mild or remote as to make avoidance action disproportionate or unattractive | The ability to do anything may be limited, or the cost of taking action is disproportionate to the potential benefit | Contingency planning (Business Continuity / Disaster Recovery plans) could be used to handle the impacts should the risk materialise
Treat | Introduce control procedures to increase the chance of success | For risks that can be reduced or eliminated by prevention or other control action | Minimise negative impact, maximise opportunity | Investment costs of introducing new control procedures / actions
Transfer | Share the exposure to the risk with insurance or a contractor | Where another party can take on some or all of the risk more economically or more effectively | Alternative organisations may be more capable of effectively managing the risk | The relationship with a third party needs to be carefully managed, as it may not be possible to fully transfer all risks and some aspects (e.g. reputational) might remain
Terminate | Withdraw from the activity, where possible | For risks that are intolerable for the Government of Jersey | Some risks will only be treatable or containable by terminating the activity | This option is particularly important for hazard risks, or in project management if the projected cost / benefit is in jeopardy
Take the opportunity | Take the risk but monitor and review on a regular basis | The Government of Jersey may embrace some risks, accepting their downside, perhaps with controls, in the expectation of beneficial outcomes | Avoiding all risk can be as irresponsible as disregarding risk | Preventative controls must be considered and put in place to ensure the benefit continues to outweigh the costs

What is a control?

Where a selected response requires some element of control, you need to make informed decisions and decide on the appropriate activities (controls) to ensure that our risks are proactively and adequately managed. A control is a means of reducing the likelihood of a risk occurring or minimising the impact should it occur. There are four types of control that can be applied, shown in table 10 below.

Control type | Desired effect on the risk | Example
Preventative | Controls designed to limit the possibility of an undesirable outcome being realised | Computer passwords, security guards
Corrective | Controls designed to limit the scope for loss and reduce undesirable outcomes | Data back-ups
Directive | Controls designed to support achievement of a particular outcome. These are based on giving directions on how to ensure losses do not occur. | Policies, blueprints, training
Detective | Controls designed to identify where a risk has materialised. These controls are only acceptable when it is possible to accept that a loss or damage has occurred. | Bank reconciliations, security cameras

The type of control(s) you apply depends on the nature of the risk. The controls need to be proportionate to the risk.
When designing controls it is important to work with people knowledgeable about the risk area to ensure appropriate control(s) are designed. This may mean working with people outside your business area, with experts, or with the Risk & Audit Team. Every control action has an associated cost, and it is important that the control action offers value for money.

Some Principal Risks will have a government-wide risk programme which will require strong alignment on the overall approach to risk controls and expectations, e.g. Data Privacy. Engaging with the relevant stakeholders to determine the expected scope is required. The Departmental Risk Group will be able to share best practice and knowledge across the other departments.

Control elements

In general, there are five elements of control, and you should use professional judgement to define which of the five elements set out below is relevant to the risks you have identified and the actions needed to control each risk.

Control element | Actions
Governance | All risks identified as Extreme or High must have defined oversight from the leadership teams that will oversee the management of the risk and the actions required. Clear documentation of roles and responsibilities for Extreme or High risks is required, e.g. a Responsible, Accountable, Consulted, Informed (RACI) table setting out their purpose, accountabilities and membership.
Policies | Policies may be appropriate to set out the minimum control expectations for the management of a specific risk or set of risks. Policies should be clearly written, communicated and made readily accessible to those who need to follow and adhere to them.
Procedures and Guidelines | Procedures and/or guidelines establish a systematic process for executing policy requirements. These should be clearly written, simple to follow and unambiguous. The process documented in the procedure or guideline must be tested to ensure it can be followed and is effective. Procedures and guidelines should be periodically reviewed to ensure currency.
Communications and Training | Regular communication and consultation is an important part of a successful risk management framework and needs to be in place across all the stages of risk management. The Risk and Audit Team and other compliance functions are available to support you in defining what is needed. You should proactively engage with relevant groups in the wider organisation to ensure fit-for-purpose controls are applied, e.g. Departmental Risk Group, Insurance, Internal Audit, Business Continuity, etc.
Investigation and Sanctions | Investigations and disciplinary action are the final component in the delivery of the control phase. It is important that you escalate concerns you have about risks and compliance through appropriate channels, e.g. your manager or Risk Owners. There are disciplinary consequences for policy non-compliance. For those found to be non-compliant with legal, regulatory or Government of Jersey policy requirements there may be an investigation, and action will be taken as appropriate.

The Risk Bowtie model shows where controls either reduce the likelihood (preventive) or the impact (detective). It is important to note that controls introduced on the left-hand side of the bowtie are considered more efficient in terms of cost and more effective, as they are aimed at preventing the risk from happening, as shown in figures 9a and 9b.

Figure 9a - Bowtie showing control placement

Suggested controls (placed on the likelihood or the impact side of the bowtie) might include: contract conditions, business continuity plans, process controls and inspections, contractual agreements, project management, fraud control planning, preventative maintenance, good public relations, effective internal controls, minimising exposure to the source of risk, supervision, crisis management, structured training programme, insurance.

Figure 9b - Bowtie showing controls

Things to note when documenting controls:

- Describe controls clearly to avoid ambiguity.
- Any obstacles or barriers that might arise and affect them should be explored, along with early warning indicators.
- Record controls in the order in which they critically impact upon the achievement of the outcome, for ease of identification.
- Make clear the target dates for completion of aspects of control, reporting of progress, etc., and record them where possible.

Some risks might seem too difficult to tackle because they are controversial, political, too big or too specialist. These should not be avoided but dealt with in a positive but proportionate way, by considering factors such as the opportunity to improve them, ease of improvement, cost of improvement and breadth of community affected. Consult the Risk and Audit team or other relevant departments when in doubt.

Risk monitoring and review

Few risks remain static, and it is important to know and understand what is happening. This can be achieved through regularly monitoring progress and formally reviewing risks in order to:

- gain assurance that progress is being made towards controlling risks, and of the effectiveness of controls
- monitor changes to the risk profile brought about by circumstances and business priorities

As part of the Three Lines of Defence model adopted by the Government of Jersey, monitoring of risks must be performed by line management, by control functions and by internal audit. Assurance is informed by monitoring, reporting, KPIs, management information and auditing activities. The Government of Jersey's Executive Management Team will routinely review, monitor and report on key business risks which have the potential to impact the achievement of the Government's objectives.

Risks are rarely static. They are a 'point in time' assessment and thus need to be monitored and reviewed on a regular basis. Monitoring and reviewing risks and treatment plans will ensure risks are managed effectively.
Monitoring involves periodic consideration of the current situation to confirm that risk identification and analysis are still accurate. Ongoing review is essential to ensure that risk management remains relevant and priority treatments are on track. Factors that may affect the likelihood and consequences may change, as may factors that affect the suitability or cost of treatment options. A significant event may trigger a point-in-time review of a particular risk or number of risks.

When monitoring and reviewing risks you need to be clear about how this is to be undertaken. It may help to develop a set of questions, for example:

- Are the key risks still relevant?
- Have some risks become issues?
- Has anything occurred which could impact upon them?
- Has the risk appetite changed, or have tolerance levels changed?
- Are the controls in place effective?
- Have risk scores changed and, if so, are they decreasing or increasing?
- If risk profiles are increasing, what further controls might be needed?
- If risk profiles are decreasing, can controls be relaxed?

Where objectives have not been achieved, or are not on course to be achieved, the cause(s) should be investigated to inform and improve the risk assessment process. At the next formal review of the risk, its rating should again be considered. At this stage, you may wish to review your risk appetite or tolerance levels to ensure they remain appropriate.

The review and monitoring process should be integrated into existing organisational and business planning processes so that it adds value and supports the successful achievement of objectives, and is not just seen as a "bolt on".
Reporting and escalation of risks

Risk reporting

The updated risk register should be considered by each service or department's leadership team at least quarterly. Any serious threats to achievement of objectives should be brought to the attention of the Executive Management Team. A summary of serious risks to a department's achievement of its objectives should be brought to the attention of that department's minister in its quarterly ministerial report. You can find samples of Risk Reporting and Risk Assessment in the appendix.

Escalating risks

There will be occasions when risks should be shared with more senior managers. These will automatically include risks that exceed your tolerance thresholds. Risks that are rated as Extreme or High, i.e. with a combined score of 16+, should also be referred up to the next level of management for advice on the appropriate level of control. Management teams should have in place a process which allows risks at any level to be escalated upwards to enhance their level of control.

Where a risk is escalated to a more senior level, it should be considered along with all other risks at this new level and possibly included within the higher-level risk register. Using a system for escalating risks allows senior managers to better target their attention and resources towards key activities.

Risk register

Risk registers provide an immediate record of all the identified risks, key controls and their status, resulting from their assessment in terms of likelihood and impact across a wider pool of risks. When a risk is recorded, it should be given a reference number. This reference number should remain with the risk to provide an audit trail. Risk registers should be monitored by management teams. Risks included in the departmental risk registers should be closely monitored by the leadership teams, and risk management should be a standing item on leadership team meeting agendas.
The critical risks that can affect GoJ as a whole should be recorded in the Corporate Risk Register, which is monitored by the Executive Management Team. You can see a sample risk register in the appendix.

Near miss reporting

A near miss is an unplanned event that did not result in injury, illness or damage, but had the potential to do so. Only a fortunate break in the chain of events prevented an injury, fatality or damage; in other words, a miss that was nonetheless very near. A faulty process or management system is invariably the root cause of the increased risk that leads to the near miss, and should be the focus of improvement. In terms of Health and Safety, all employees have a duty to:

"Always report any accidents, near misses, or hazardous situations they notice (including accidents and near misses)"

Early warning indicators

The sooner you know something is not going to plan, or that circumstances look likely to impede your objectives, the quicker you will be able to take corrective action and get back on target, or amend your course of action / priorities to reflect changing circumstances. Early warning indicators are used as a way of measuring change in locally critical areas so that, if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be triggered. To be effective they need to be monitored regularly, and the findings presented in such a way that the information can be quickly assimilated.

Early warning indicators are also called key risk indicators; they should be specific to the risk and should not be confused with Key Performance Indicators. Indicators should be reviewed and updated to ensure they remain appropriate. When establishing an indicator you should establish from the outset what information is to be collected, the reporting frequency, and trend or tolerance thresholds. Early warning indicators can be applied to strategic and operational risks.
For operational risks they can be set to measure activity such as:

- achievement of service quality levels
- achievement of volume targets
- achievement of time targets
- achievement of revenue targets
- levels of safety incidents or injury
- achievement of key milestones
- delivery of planned activities on time and on budget

Points to consider when establishing / reviewing indicators:

- Are all critical business systems clearly defined?
- Do early warning indicators exist for critical business systems?
- Do early warning indicators exist for programmes and projects?
- Do early warning indicators exist for operational activities?
- Is there a balanced set of indicators, including financial indicators?
- Are indicators examined on a regular cycle by decision makers with the authority to take corrective action?
- Are the results of monitoring early warning indicators presented in a concise, consistent manner so that the impact of the information is readily understood?
- Are the indicators updated to reflect changes within the activity?
- Are the indicators inward and outward looking?

Early warning indicators can also be used to identify opportunities.

Support and further information

Third parties and partnerships

Guidance on managing risks with third parties / partnerships is under development. For more information email erm@gov.je

Links with other risk management groups

There are a number of risk management groups and forums in the Government of Jersey. For more information email erm@gov.je

Response planning

Even with effective controls to prevent risks, some risks will inevitably materialise. By ensuring we develop business continuity plans for responding to risks, we can significantly reduce their impact and ensure that any disruption to our services is minimised.
For more information email erm@gov.je

Contact for additional support

- Contact your Risk Champion or Line Manager
- Visit the Government of Jersey's Risk Management intranet site on MyStates
- For specific questions on this Guidance, or support with risk-related issues, contact the Risk and Audit Team

A targeted training programme is currently under development and will be made available to all Government personnel.

Appendix

Sources of strategic risk

Definition: risks that may be potentially damaging to the achievement of the Government of Jersey's objectives.

PESTLE (expanded) | Description
Political | Associated with the failure to deliver government policy, or to meet the local administration's commitments.
Economic | Affecting the ability of the Government to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro-level economic changes (e.g. interest rates, inflation, etc.) or the consequences of proposed investment decisions.
Social | Relating to the effects of changes in demographic, residential or socio-economic trends on the Government's ability to deliver its objectives.
Technological | Associated with the capacity of the Government to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. These may also include the consequences of internal technological failure on the Government's ability to deliver its objectives.
Environmental | Relating to the environmental consequences of progressing the Government's strategic objectives, for example in terms of energy efficiency, pollution, recycling, landfill requirements, emissions, etc.
Competitive | Affecting the competitiveness of the service in terms of quality or cost, and/or its ability to deliver value for money.
Customer or Stakeholder | Associated with the failure to meet the current and changing needs and expectations of customers and citizens.
Sources of operational risk

Operational risks are those risks that may be encountered in the day-to-day provision of services.

Source | Description | Examples of the nature of the risk
Professional | Associated with the particular nature of each profession | Inefficient / ineffective management processes. Lack of business continuity plan. Inability to implement change. Non-achievement of value for money. Lack of control over changes to service provision. Bad management of partnership working. Inadequate consultation with service users. Failure to manage and retain service contracts. Failure to communicate effectively with employees. Poor management of externally funded projects.
Financial | Associated with financial planning and control and the adequacy of insurance arrangements | Failure to prioritise, allocate appropriate budgets and monitor. Ineffective / inefficient processing of documents. Missed opportunities for income / grants. Inadequate control over expenditure. Inadequate insurance cover. Inadequate control over income.
Legal | Related to possible breaches of legislation | Not meeting statutory duties / deadlines. Failure to implement legislative change. Failure to comply with legal directives on procurement of works, supplies and services. Misinterpretation of legislation. Exposure to liability claims, e.g. motor accidents, wrongful advice. Breach of confidentiality / Data Protection Laws.
Physical | Related to fire, security, accident prevention, health and safety | Violence or aggression. Loss of physical assets. Non-compliance with Health & Safety legislation. Criminal damage to assets, e.g. vandalism. Injury at work. Failure to maintain and upkeep land. Loss of intangible assets and property.
Contractual | Associated with the failure of contractors to deliver services or products to the agreed cost and specification | Non-compliance with procurement policies. Poor selection of contractor. Over-reliance on key contractors or suppliers. Poor contract specification, deficiencies. Failure of outsourced provider to deliver. Inadequate contract terms & conditions. Failure to monitor contractor. Quality issues.
Technological | Relating to reliance on operational equipment (e.g. IT systems or equipment) or machinery | Failure of a big technology-related project. Breach of security of networks and data. Crash of IT systems affecting service delivery. Failure to comply with IT Security Policy. Lack of disaster recovery plans. Bad management of intranet or website.
Environmental | Relating to pollution, noise or energy efficiency of ongoing service operation | Impact of planning policies. Noise, contamination and pollution. Crime and disorder implications. Inefficient use of energy and water. Incorrect storage or disposal of waste. Damage caused by trees, tree roots, etc.
People Services | Associated with staffing issues, e.g. recruitment or retention, sickness management, change management, stress-related risk analysis | Capacity issues. Failure to comply with employment law. Over-reliance on key officers. Poor recruitment or selection processes. Failure to recruit or retain qualified staff. Lack of training. Lack of employee motivation or efficiency.
Lack of succession planning.

Sample risk register

Below are the baseline fields required for reporting in departmental risk registers, so that risks can be consistently reported using data captured at a departmental level and aggregated into the corporate risk register where appropriate.

Document Control | Details
Title | Title of the register
Author | Author of the register, typically the department lead for risk or the project manager
Date register compiled | Date of issue
Issue number | Unique issue number
File reference | The location at which the document can be found on the network

Register Content | Details
Risk Reference or ID No. | Unique number or identifier to identify the risk
Impact on strategic priority | Link the risk to strategic objectives, i.e. Put children first; Improving islanders' wellbeing and mental health; Creating a sustainable and vibrant economy; Reducing inequality and improving the standard of living; Protect and value our environment
Risk Description | Summary description of the risk which will be readily understood by all of the business leaders or project team on completion of the identification process and 12 months later
Existing controls | Details of any effective controls; this includes any programmes of work
Current RAG status of related programmes | Reflecting the current RAG status from Perform
Likelihood score | Assessment of how likely the risk is to happen; the probability can be recorded as a percentage, a category or both
Impact score | Impact can be measured in terms of cost, duration, quality or any other business or project objectives, using the GoJ impact rating
Risk Score | Likelihood x Impact
Risk Actions | Further actions or controls not yet in place, but planned to mitigate the risk
Action owner | The individual responsible for implementing the risk response action under the direction of the risk manager
Changes since last EMT presentation | Material changes to the risk profile or controls that should be highlighted since the last EMT risk presentation

Managing business risk assessment

Managing business risk example

This example is designed to assist in identifying and assessing the actions necessary to control risks around a particular objective or activity.

Self certification annual governance statement

Self certification (answer Yes / No to each question):

- Does the department have in place a risk strategy?
- Has a full risk assessment been carried out in respect of all major capital projects?
- Has the department identified risks against its key objectives?
- Has ownership of key risks been allocated to appropriate individuals so that responsibility and authority for implementing control actions is clear?
- Has the department identified the full range of risks specific to its business?
- Has a consistent framework for categorising and evaluating risks been developed?
- Has the department assessed the level of acceptable risk for each of its objectives?
- Has the department been able to demonstrate how it is managing risks classified as "important" or "immediate action"?
- Have suitable responses to risk been identified?
- Has a mechanism been put in place for reporting key risk issues?
- Are appropriate mechanisms in place to ensure the effectiveness of risk management is reviewed?
- Are there procedures in place to ensure that the risk strategy is kept up to date, and a process in place to allow for an appropriate review of risks?

Worked example of risk assessment

Example: the risk of a customer or member of staff slipping and injuring themselves in the customer centre.

You are scoring the likelihood and the impact of an injury involving a customer potentially slipping in the customer service centre. The risk assessment process requires you to assume the most usual outcome. Looking at the Risk Criteria, it is relevant to include the use of the criteria for Safety, Legal & Regulatory and Reputation.

Safety: The floor surface is not damaged and cleaning and operational routines are correct, but there are a large number of customers and the most frequent cause of injury is slipping.
You determine that the likelihood of this injury is “likely” (score 3 on the risk scoring criteria for Safety, figure 6).

Impact assessment criteria by category. Impact scores: Negligible 1, Minor 2, Moderate 3, Major 4, Catastrophic 5.

Financial
1 Negligible: Less than .25% over budget; increase in expenditure / loss of income <£10k
2 Minor: Between .25 and .5% over budget; increase in expenditure / loss of income between £10k and £499k
3 Moderate: Between .5 and .75% over budget; increase in expenditure / loss of income between £500k and £999k
4 Major: Between .75 and 1% over budget; increase in expenditure / loss of income between £1m and £4.99m
5 Catastrophic: More than 1% over budget; increase in expenditure / loss of income more than £5m

Service Delivery / Operational
1 Negligible: Limited disruption to core public services, with no noticeable effect; little or no impact to the public / customer; minimal programme delays with no impact on key milestones
2 Minor: Temporary disruption contained to a single core public service; localised inconvenience to the public / customer; minor programme delays with recoverable impact on milestones
3 Moderate: Increasingly regular disruption to one or more core public services; impact to the public / customer up to 1 week; regular programme delays impacting one or more milestones
4 Major: Severe disruption to one or more core public services; impact to the public / customer up to 1 month; major delays resulting in significant programme overhaul
5 Catastrophic: Significant, lasting disruption across core services; impact to the public / customer more than 1 month; significant programme delays threatening the entire delivery

Reputational
1 Negligible: Individual grievances with limited internal review; minimal and transient loss of customer / partner trust
2 Minor: Internal scrutiny or investigation to prevent further escalation; minor loss in customer / partner trust that is recoverable quickly
3 Moderate: Local media attention resulting in external committee scrutiny; diminished customer / partner trust that is recoverable over time
4 Major: Local media attention resulting in intense public scrutiny; severely damaged public / customer / partner trust
5 Catastrophic: National media attention causing public enquiry and outcry; irrecoverable loss of customer / partner trust

Legal and compliance
1 Negligible: Breach of standards / guidelines; no legal action anticipated; negligible financial impact
2 Minor: Breach of policy / regulations; one-off claims or legal issues; minor financial impact
3 Moderate: Serious breach with investigation; ongoing legal / litigation issues; significant financial impact
4 Major: Major breach resulting in fines; major legal actions / prosecutions; major fines with imprisonment
5 Catastrophic: Repeated major breaches; penalties / sanctions imposed; extensive, repeated major fines

People / Health & Safety
1 Negligible: Incident with no injury sustained; negligible effect on public / staff wellbeing / personal safety; no impact on staff morale
2 Minor: Minimal injury sustained; minor impact on public / staff wellbeing / personal safety; localised staff complaints
3 Moderate: Significant injury sustained; short term impact on public / staff wellbeing / personal safety; short term impact on staff morale
4 Major: Long term disability sustained; ongoing impact on public / staff wellbeing / personal safety; major industrial action
5 Catastrophic: Casualty sustained; long term impact on public / staff wellbeing / personal safety; widespread industrial action

Economic
1 Negligible: Negligible impact on local economy that can be absorbed
2 Minor: Limited impact on economy, isolated to one or more sectors
3 Moderate: Limited impact on local economy
4 Major: Major impact on economy in one or more sectors
5 Catastrophic: Serious, long term impact on economy, potentially permanent

Environmental / Social
1 Negligible: Minimal damage to isolated infrastructure / properties; no lasting detrimental impact to the environment; minimal impact on local community
2 Minor: Minor and localised damage to infrastructure / properties; short-term detrimental impact to the environment; noticeable and manageable impact on local community
3 Moderate: Major, short-term damage to infrastructure / properties; long-term detrimental impact to the environment; severe and manageable impact on local community
4 Major: Serious, long-term damage to infrastructure and properties; extensive damage to the environment; serious damage to the whole Island community
5 Catastrophic: Complete destruction of core Island infrastructure; widespread and irrecoverable damage to the environment; significant, lasting damage to the whole Island community

Figure 6 - Impact Assessment Criteria.

Note: Your reasoning is that your experience shows that most injuries are not serious, even though it is possible that some injuries could result in fracture. Therefore the impact of the injury is “moderate” (multiple minor injuries to more than one person), so the Safety risk category results in a score of 2. The Safety risk rating is the combination of these two scores (2 x 3 = 6), which equals a medium risk (amber).

Legal & Regulatory: We also need to assess the scores for Legal & Regulatory. Your reasoning is that because the floor condition was good and controls were in place to minimise the risk materialising, then although legal action might be possible, the likelihood would be “less than likely” (score 2). For the same reason the impact of any legal action would be “moderate” (it would result in a penalty or compensation award at the low end of the range: score 2 on the risk scoring criteria). The risk rating is the combination of these two scores (2 x 2 = 4), which equals a low risk (green).

Reputation: We also need to assess the scores for Reputation. Your reasoning is that, because this is one store and multiple potential injuries to more than one person have been determined (as above), local media coverage is likely. You therefore score 2 (“less than likely”) for likelihood and 2 (“moderate”) for impact. The Reputation risk rating is therefore 2 x 2 = 4, which equals a low risk (green).

When prioritising the risk, if more than one risk criterion is used, use the highest of the scores assessed in this process. In this case that is the Safety risk rating of 2 x 3 = 6. Plot 2 for impact and 3 for likelihood on the heat map.
Government of Jersey Risk Management Strategy Glossary of terms

Benefits: The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.
Business Continuity Plan: A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams.
Business risk: A threat to the achievement of a business objective / benefit.
Consequence: The outcome of an event.
Contingency: An action or arrangement that can be put into place to minimise the impact of a risk should it occur.
Control or control measures: Any action, procedure or operation undertaken to contain a risk to an acceptable level.
Corporate Governance: The method by which an organisation directs and controls its functions and relates to its community.
Key Risk Indicator (KRI): A measure to identify a trend.
Hazard: A description of the source of the risk, i.e. the event or situation that gives rise to the risk; also known as source of risk.
Identifying risks: The process by which events that could affect the achievement of objectives are analysed, described and listed.
Impact: The result of a particular threat or opportunity actually occurring.
Issue: An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk, which has not yet occurred or might not occur).
Likelihood: The evaluated likelihood of a particular threat or opportunity actually happening.
Mitigation plan: A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.
Objective: Something worked towards or striven for; a goal.
Operational risks: Risks associated with the day-to-day issues that an organisation might face as it delivers its services.
Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.
Outcome: The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived. Outcomes are achieved as a result of the activities undertaken to effect the change.
Periodic review: A review that occurs at specified regular time intervals.
Project risks: Risks associated with a specific activity which has defined goals, objectives, requirements, a life cycle, a beginning and an end.
Proximity of risk: The time factor of a risk, i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur.
Responsible manager: Manager who has responsibility for taking specified action.
Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. This could be an opportunity as well as a threat.
Risk appetite: The level of residual risk that the Government of Jersey is prepared to accept, tolerate or be exposed to at any point in time.
Risk evaluation: The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.
Risk identification: Determination of what could pose a risk; a process to describe and list sources of risk, both threats and opportunities.
Risk management: The culture, organisational structure and ongoing processes for the management of risk.
Risk prioritisation matrix: The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk.
Risk owner: A role or individual responsible for the management and control of all aspects of individual risks, who has authority to implement the measures required. May also be known as Accountable Manager.
Risk perception: The way in which a risk is viewed based on a set of values or concerns.
Risk profile: Describes the types of risk faced by an organisation and its exposure to these risks.
Risk source: A description of the source of the risk, i.e. the event or situation that gives rise to the risk.
Risk register: A record of all identified risks relating to an area of activity, which includes their status and mitigating controls.
Risk strategy: The overall organisational approach to risk management.
Risk tolerance: The threshold of risk exposure which, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response, e.g. reporting the situation to senior management for action.
Strategic risks: Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Government's objectives.
Terminate: A risk response to a threat. A deliberate decision to stop an activity which generates a risk.
Threat: An uncertain event that could have a negative impact on objectives or benefits.
Tolerate: A response to a threat. A deliberate decision to retain the threat.
Transfer: A risk response for a threat whereby a third party takes on the responsibility for an aspect of the threat.
Treat: A risk response to a threat. Proactive actions are taken to reduce the threat.