Guidance

The Orange Book Management of Risk – Principles and Concepts

Updated 3 June 2025

1. Introduction

In successful organisations, risk management enhances strategic planning and prioritisation, assists in achieving objectives and strengthens the ability to respond with agility to the challenges faced. If we are serious about meeting objectives successfully, improving service delivery and achieving value for money, risk management must be an essential and integral part of planning and decision‑making. While risk practices have improved over time across government, the volatility, complexity and ambiguity of our operating environment have increased, as have demands for greater transparency and accountability for managing the impact of risks.

Part I: Management of Risk – Principles and Concepts builds on the original Orange Book to help improve risk management further and to embed this as a routine part of how we operate.

Part II: To help organisations have an effective and efficient approach to risk control, this part provides a structure to illustrate, in principle, how existing high-level control requirements can be categorised and adherence to them assured.

Public Sector organisations cannot be risk averse and be successful. Risk is inherent in everything we do to deliver high-quality services. Effective and meaningful risk management in government remains as important as ever in taking a balanced view to managing opportunity and risk. It must be an integral part of informed decision-making, from policy or project inception through implementation to the everyday delivery of public services.

At its most effective, risk management is as much about evaluating the uncertainties and implications within options as it is about managing impacts once choices are made. It is about being realistic in the assessment of the risks to projects and programmes and in the consideration of the effectiveness of the actions taken to manage these risks.

This isn’t about adding new processes; it is about ensuring that effective risk management is integrated in the way we lead, direct, manage and operate. As an integrated part of our management systems, and through the normal flow of information, an organisation’s risk management framework harnesses the activities that identify and manage the uncertainties faced and systematically anticipate and prepare successful responses. Its importance and value to success should not be underestimated.

As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture must embrace openness, support transparency, welcome constructive challenge and promote collaboration, consultation and co-operation.

We must invite scrutiny and embrace expertise to inform decision-making. We must also invest in the necessary capabilities and seek to continually learn from experience.

This updated guidance has benefited from discussions with stakeholders and practitioners across the public sector and with colleagues from the private sector. We are grateful for their time and valuable insights.

1.1 Scope

The document builds on the version published in 2020 with the addition of a new section: Part II. Like the original version, this document is applicable to all government departments and arm’s length public bodies (executive Agencies, Non Departmental Public Bodies and Non Ministerial Departments) with responsibility derived from central government for public funds.

This document may be useful to all parts of the UK public sector, as the same principles generally apply, with adjustments for context.

1.2 Purpose

This document is intended for use by everyone involved in the design, operation and delivery of efficient, trusted public services. Its primary audience is likely to be:

  • accounting officers
  • executive and non-executive members of the boards
  • Audit and Risk Assurance Committee members
  • risk practitioners
  • senior leadership
  • policy leads
  • programme and project Senior Responsible Officers (SROs)

The board of each public sector organisation should actively seek to recognise risks and direct the response to these risks. It is for each accounting officer, supported by the board, to decide how. The board and accounting officer should be supported by an Audit and Risk Assurance Committee, which should provide proactive support in advising on and scrutinising the management of key risks and the operation of efficient and effective internal controls.

Attempting to define a one-size-fits-all approach to managing risks, or to standardise risk management practices, would be misguided because public sector organisations are different sizes, are structured differently and have different needs.

This document does not set out the procedure by which an organisation should design and operate risk management. Instead, this document sets out a principles-based approach that provides flexibility and judgement in the design, implementation and operation of risk management, informed by relevant standards[footnote 1] and good practice. Where relevant, the reader is directed to other standards and guidance, including related functional and professional standards and codes of practice (see Annex 6).

1.3 Comply or Explain

Part I of this document sets out main and supporting principles for risk management in government. In considering the effectiveness of risk management arrangements, assessing compliance with Corporate Governance Code[footnote 2] requirements, and overseeing the preparation of the governance statement, the board shall consider adherence with the main principles, which are mandatory requirements. The supporting principles, which are advisory, should inform their judgements. Departures may be justified if good risk management can be achieved by other means.

The main principles are the core of the document.

The way in which they are applied should be the central question for a board as it determines how it is to operate in accordance with the Corporate Governance Code[footnote 2]. Each government organisation is required either to disclose compliance or to explain their reasons for departure clearly and carefully in the governance statement accompanying their annual resource accounts. The requirement for an explanation allows flexibility, but also ensures that the process is transparent, allowing stakeholders to hold organisations and their leadership to account.

1.4 Structure

The document is structured in two parts:

Part I – Risk Management Principles Sections (A-E), based on principles that are designed to provide the “what” and the “why”, not the “how”, for the design, operation and maintenance of an effective risk management framework.

The principles can be applied within and across departments, arm’s length bodies and organisations with linked objectives, and to activity at any level of decision-making. The principles should be used to inform an organisation’s approach to risk management and its own more detailed policies, processes and procedures – the “how”. Implementing and improving the risk management framework should support an incremental approach to enhancing risk management culture, processes and capabilities over time, building on what already exists to achieve improved outcomes.

Part II – Risk Control Framework Sections (F-G) outlines a framework to assist accounting officers and departments, arm’s length bodies and organisations in structuring their internal control and assurance activities to help meet existing high level control requirements placed on accounting officers.

Improved risk control means Government can manage higher levels of risk to achieve better outcomes for citizens and taxpayers for a given level of resource – or reduce costs for given outcomes.

1.5 Annexes

The primary roles and responsibilities are set out in each Section. The responsibilities and expectations of the board, the accounting officer and the Audit and Risk Assurance Committee are also summarised at Annex 1.

Some explanation of, and guiding principles on, the design and operation of the “three lines model” are provided in Annex 2.

Annex 3 contains questions that may assist in assessing how the principles are applied in defining clear responsibilities, promoting the risk culture, developing capabilities and supporting the effectiveness of risk management.

Some common categories or groupings of sources of risk are provided at Annex 4. These may help consider the range of potential risks that may arise; they are not intended to be comprehensive.

Definitions and supportive concepts are provided at Annex 5 of some terms used throughout this document to explain the scope and intended meaning behind the language used.

Annex 6 contains further details of other standards and guidance referenced throughout the document.

1.6 Supplementary ‘Guides’

Linked to the Orange Book are supplementary guides which support the implementation of the concepts and principles outlined in the Orange Book.

  • Risk Appetite Guidance Note
  • Risk Management Skills & Capabilities Framework
  • Risk Reporting Good Practice Guide
  • Portfolio Risk Management Guidance

The information provided in these guidance documents is framed around the assumption that an organisation’s risk framework aligns with the Orange Book.

2. Part I: Risk Management Principles

2.1 Risk Management Framework

The Risk Management Framework supports the consistent and robust identification and management of opportunities and risks within desired levels across an organisation, supporting openness, challenge, innovation and excellence in the achievement of objectives. The Risk Control Framework addressed in Part II can be considered a subset of the Risk Management Framework. For the risk management framework to be considered effective, the following principles shall be applied:

  • Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed and controlled at all levels.

  • Risk management shall be an integral part of all organisational activities to support decision-making in achieving objectives.

  • Risk management shall be collaborative and informed by the best available information and expertise.

  • Risk management processes shall be structured to include:

    • risk identification and assessment to determine and prioritise how the risks should be managed;

    • the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level;

    • the design and operation of integrated, insightful and informative risk monitoring; and

    • timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.

  • Risk management shall be continually improved through learning and experience.

2.2 Section A: Governance and Leadership

2.3 Main Principle

A - Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed and controlled at all levels.

2.4 Supporting Principles

A1 - Each public sector organisation should establish governance arrangements appropriate to its business, scale and culture[footnote 3]. Human behaviour and culture significantly influence all aspects of risk management at each level and stage. To support the appropriate risk culture, the accounting officer should ensure that expected values and behaviours are communicated and embedded at all levels.

A2 - The accounting officer, supported by the board, should periodically assess whether the leadership style, opportunities for debate and human resource policies support the desired risk culture, incentivise expected behaviours and sanction inappropriate behaviours. Where they are not satisfied, they should direct and manage corrective actions and seek assurances that the desired risk culture and behaviours are promoted.

2.5 Civil Service Code and A Modern Civil Service

Our values align with both the Civil Service Code and the A Modern Civil Service vision.

Civil Service Code

  • ‘integrity’ is putting the obligations of public service above your own personal interests
  • ‘honesty’ is being truthful and open
  • ‘objectivity’ is basing your advice and decisions on rigorous analysis of the evidence
  • ‘impartiality’ is acting solely according to the merits of the case and serving equally well governments of different political persuasions

A Modern Civil Service

  • Skilled
  • Innovative
  • Ambitious

A3 - The board should make a strategic choice about the style, shape and quality of risk management[footnote 4] and should lead the assessment and management of opportunity and risk. The board should determine and continuously assess the nature and extent of the principal risks (a principal risk is a risk or combination of risks that can seriously affect the performance or reputation of the organisation) that the organisation is exposed to and is willing to take to achieve its objectives – its risk appetite – and ensure that planning and decision-making reflects this assessment. Effective risk management should support informed decision-making in line with this risk appetite, ensure confidence in the response to risks and ensure transparency over the principal risks faced and how these are managed.

A4 - The board should ensure that roles and responsibilities for risk management are clear, to support effective governance and decision-making at each level with appropriate escalation, aggregation and delegation. The accounting officer should ensure that roles and responsibilities are communicated, understood and embedded at all levels. The ‘three lines model’ provides a systematic approach that may be used to help clarify the specific roles and responsibilities that are necessary for the effective management of risks within an organisation (see Annex 2).

A5 - The board should agree the frequency and scope of its discussions to review how management is responding to the principal risks and how this is integrated with other matters, including planning and performance management processes. Risk should be considered regularly as part of the normal flow of management information about the organisation’s activities and in significant decisions on strategy, major new projects and other prioritisation and resource allocation commitments. Risk management should anticipate, detect, acknowledge and respond to changes and events in an appropriate and timely manner. Risks can crystallise quickly; the board and Audit and Risk Assurance Committee should ensure that there are clear processes for bringing significant issues to their attention more rapidly when required, with agreed triggers for doing so as a part of risk reporting (see Section D).

A6 - Regular reports to the board should provide a balanced assessment of the principal risks and the effectiveness of risk management. The accounting officer, supported by the Audit and Risk Assurance Committee, should monitor the quality of the information they receive and ensure that it is sufficient to allow effective decision-making.

A7 - The accounting officer, supported by the Audit and Risk Assurance Committee, should establish the organisation’s overall approach to risk management. An effective risk management framework will differ between organisations depending on their purpose, objectives, context and complexity. The risk management framework should be periodically reviewed to ensure it remains appropriate (see Section E).

A8 - The accounting officer should designate an individual to be responsible for leading the organisation’s overall approach to risk management, who should be of sufficient seniority and should report to a level within the organisation that allows them to influence effective decision-making. They should be proactively involved with and influence governance and decision-making forums and should establish, and be supported through, effective communication and engagement with the accounting officer, senior management, the board and the chair of the Audit and Risk Assurance Committee. They should also exhibit a high level of objectivity in gathering, evaluating and communicating information and should not be unduly influenced by their own interests or by others in forming and expressing their judgements.

A9 - The accounting officer should ensure the allocation of appropriate resources for risk management, which can include, but is not limited to, people, skills, experience and competence.

A10 - The accounting officer, supported by senior management, must demonstrate leadership and articulate their continual commitment to, and the value of, risk management through developing and communicating a policy or statement to the organisation and other stakeholders, which should be periodically reviewed.

3. Section B: Integration

3.1 Main Principle

B - Risk management shall be an integral part of all organisational activities to support decision‑making in achieving objectives.

3.2 Supporting Principles

B1 - The assessment and management of opportunity and risk should be an embedded part of, and not separate from:

  • setting strategy and plans
  • evaluating options and delivering programmes, projects or policy initiatives
  • prioritising resources
  • supporting efficient and effective operations
  • managing performance
  • managing tangible and intangible assets[footnote 5]
  • delivering improved outcomes

The accounting officer, supported by senior management, should ensure that risks are transparent and considered as an integral part of appraising options, evaluating alternatives and making informed decisions.

B2 - Effective appraisal supports the assessment of the costs, benefits and risks of alternative ways to meet objectives[footnote 6]. When conducting an appraisal, consideration should be given to the identification and analysis of risks in the design and implementation of options, including: analysis of varying scenarios, sensitivity in forecasts, the objective or subjective basis of assumptions, optimism or status quo bias, dependencies and the inter-relationships between risks. This analysis and evaluation should provide the foundation to understand the risks arising through chosen options and how these will be managed, including how these will be subject to effective and on-going monitoring (see Section D).

B3 - Delivery confidence should be supported through the transparent identification of the principal risks faced and how those risks will be managed within business and financial plans.

B4 - The board, and those setting strategy and policy, should use horizon scanning and scenario planning collectively and collaboratively to identify and consider the nature of emerging risks, threats and trends. The Government Office for Science ensures that government policies and decisions are informed by the best scientific evidence and strategic long-term thinking[footnote 7]. Some other common horizon scanning issues are informed by the National Security Risk Assessment (NSRA). The NSRA is the Government’s principal tool for identifying and assessing risks to the UK over the medium-term[footnote 8].

B5 - Government has an inherent role in protecting and assuring the public, which includes taking cost-effective action to reduce risk to a tolerable level and providing accurate and timely information about risks to the public[footnote 9]. Policy leads should take explicit steps to involve the public, understand what they are concerned about and why and communicate good information about risk that is targeted to the needs of the audiences involved. Government will:

  • be open and transparent about its understanding of the nature of risks to the public and about the process it is following in handling them
  • seek wide involvement of those concerned in decision-making processes
  • act proportionately and consistently in dealing with risks to the public
  • base decisions for intervention on relevant evidence, including expert risk assessment
  • place responsibility for managing risks to those best able to control them

4. Section C: Collaboration and Best Information

4.1 Main Principle

C - Risk management shall be collaborative and informed by the best available information and expertise.

4.2 Supporting Principles

C1 - The accounting officer, supported by the Audit and Risk Assurance Committee, should establish risk management activities that cover all types and sources of risk (see Annex 4). There may be many different, but aligned, risk management processes that are applied at different levels within an organisation and across those involved in the end-to-end delivery of public services. The management of risks and the operation and oversight of internal control should be considered and aligned across this extended enterprise. This requires collaboration and cross-organisational working through a range of public sector, private sector and third-sector partnerships. The risk management framework should be designed to support a comprehensive view of the risk profile, aggregated where appropriate, in support of governance and decision-making requirements.

4.3 Risk escalation, consolidation and aggregation

C2 - Nearly all government departments sponsor arm’s length bodies for which they take ultimate responsibility, while allowing a degree of (or sometimes considerable) independence. Effective relationships and partnership working between departments and arm’s length bodies, a mutual understanding of risk, and a proportionate approach to monitoring and reporting are critical. The principal accounting officer (The Treasury appoints the permanent head of each central government department to be its accounting officer. Where there are several accounting officers in a department, the permanent head is the principal accounting officer.) should consider the organisation’s overall risk profile, including the risk management within arm’s length bodies, who should have their own robust and aligned arrangements in place. Informative and transparent management information should enable departments and arm’s length bodies to promote transparency and understanding in achieving the effective management of risks, including the timely escalation of risks, as necessary, based on agreed criteria.

C3 - Risk management processes (see Section D) should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of experts and stakeholders. Information and perspectives should be supplemented by further enquiry as necessary, should reflect changes over time and should be appropriately evidenced. Expert risk assessment methodologies may be highly specialised and may vary depending on the context.

C4 - Those assessing and managing risks should consult with appropriate external and internal stakeholders to facilitate the factual, timely, relevant, accurate and understandable exchange of information and evidence, while considering the confidentiality and integrity of this information. Communication should be continual and iterative in supporting dialogue, providing and sharing information and promoting awareness and understanding of risks.

C5 - Communication and consultation should also assist relevant stakeholders in understanding the risks faced, the basis on which decisions are made and the reasons why particular actions are required and taken. Communication and consultation should:

  • bring together different functions and areas of professional expertise in the management of risks
  • ensure that different views are appropriately considered when defining risk criteria and when analysing risks (see Section D)
  • provide sufficient information and evidence to facilitate risk oversight and decision making
  • build a sense of inclusiveness and ownership among those affected by risk

Complicated and ambiguous risk scenarios are inherent given the dynamic and/or behavioural complexity in public service delivery, often with no simple, definitive solutions. These risks require whole-system thinking, aligned incentives, positive relationships and collaboration, alongside relevant technical knowledge, to support multi-disciplinary approaches to their effective management.

C6 - Functions (Functions are embedded in government departments and arm’s length bodies, helping to deliver departmental objectives and better outcomes across government.) within and across organisations should play an integral part in identifying, assessing and managing the range of risks that can arise and threaten successful delivery against objectives. Function leads should provide expert judgement to advise the accounting officer to:

  • set feasible and affordable strategies and plans
  • evaluate and develop realistic programmes, projects and policy initiatives
  • prioritise and direct resources and the development of capabilities
  • identify and assess risks that can arise and impact the successful achievement of objectives
  • determine the nature and extent of the risks that the organisation is willing to take to achieve its objectives
  • design and operate internal controls in line with good practice
  • drive innovation and incremental improvements

5. Section D: Risk Management Processes

5.1 Main Principle

D - Risk management processes shall be structured to include:

  • risk identification and assessment to determine and prioritise how the risks should be managed;

  • the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level;

  • the design and operation of integrated, insightful and informative risk monitoring; and

  • timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.

5.2 Risk Management Processes

5.3 Supporting Principles

D1 - The accounting officer, supported by their nominated individual responsible for leading the organisation’s overall approach to risk management, should ensure the adequate design and systematic implementation of policies, procedures and practices for risk identification and assessment, treatment, monitoring and reporting. Although risk management processes are often presented as sequential, in practice they are iterative.

5.4 Risk Identification and Assessment

D2 - Risk identification activities should produce an integrated and holistic view of risks, often organised by taxonomies or categories of risk (see Annex 4). The aim is to understand the organisation’s overall risk profile. The organisation can use a range of techniques for identifying specific risks that may potentially impact on one or more objectives. The following factors, and the relationship between these factors, should also be considered:

  • tangible and intangible sources of risk
  • changes in the external and internal context
  • uncertainties and assumptions within options, strategies, plans, etc.
  • indicators of emerging risks
  • limitations of knowledge and reliability of information
  • any potential biases and beliefs of those involved

Risks should be identified whether or not their sources are under the organisation’s direct control. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity.

D3 - While each risk identified may be important, some form of measurement is necessary to evaluate their significance to support decision-making. Without a standard for comparison, it is not possible to compare and aggregate risks across the organisation and its extended enterprise. This prioritisation is supported by risk assessment[footnote 10], which incorporates risk analysis and risk evaluation.

D4 - The purpose of risk analysis is to support a detailed consideration of the nature and level of risk. The risk analysis process should use a common set of risk criteria to foster consistent interpretation and application in defining the level of risk, based on the assessment of the likelihood of the risk occurring and the consequences should the event happen (see Annex 5).

D5 - Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of evidence and the resources available. Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use. Limitations and influences associated with the information and evidence bases used, and/or the analysis techniques executed, should be explicitly considered. These should be correctly sourced, appraised and referenced within risk reporting to decision-makers. All business critical analytical models in government should be managed within a framework that ensures appropriately specialist staff are responsible for developing and using the models as well as their quality assurance[footnote 11].

D6 - Risk evaluation should involve comparing the results of the risk analysis with the nature and extent of risks that the organisation is willing to take – its risk appetite – to determine where and what additional action is required. Options may involve one or more of the following:

  • avoiding the risk, if feasible, by deciding not to start or continue with the activity that gives rise to the risk
  • taking or increasing the risk in order to pursue an opportunity
  • retaining the risk by informed decision
  • changing the likelihood, where possible
  • changing the consequences, including planning contingency activities
  • sharing the risk (e.g. through commercial contracts[footnote 12])

The outcome of risk evaluation should be recorded, communicated and validated at appropriate levels of the organisation. It should be regularly reviewed and revised based on the dynamic nature and level of the risks faced.

5.5 Risk treatment

D7 - Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in enhancing the achievement of objectives against the costs, efforts or disadvantages of proposed actions. Justification for the design of risk treatments and the operation of internal control is broader than solely economic considerations and should take into account all of the organisation’s obligations, commitments and stakeholder views.

D8 - As part of the selection and development of risk treatments, the organisation should specify how the chosen option(s) will be implemented, so that arrangements are understood by those involved and effectiveness can be monitored. This should include:

  • the rationale for selection of the option(s), including the expected benefits to be gained
  • the proposed actions
  • those accountable and responsible for approving and implementing the option(s)
  • the resources required, including contingencies
  • the key performance measures and control indicators, including early warning indicators
  • the constraints
  • when action(s) are expected to be undertaken and completed
  • the basis for routine reporting and monitoring

D9 - Where appropriate, contingency, containment, crisis, incident and continuity management arrangements should be developed and communicated to support resilience and recovery if risks crystallise.

5.6 Risk monitoring

D10 - Monitoring should play a role before, during and after implementation of risk treatment. Ongoing and continuous monitoring should support understanding of whether and how the risk profile is changing and the extent to which internal controls are operating as intended to provide reasonable assurance over the management of risks to an acceptable level in the achievement of organisational objectives.

D11 - The results of monitoring and review should be incorporated throughout the organisation’s wider performance management, measurement and reporting activities. Recording and reporting aims to:

  • transparently communicate risk management activities and outcomes across the organisation
  • provide information for decision-making
  • improve risk management activities
  • assist interaction with stakeholders, including those with responsibility and accountability for risk management activities

D12 - The “three lines model” sets out how these aspects should operate in an integrated way to manage risks, design and implement internal control and provide assurance through ongoing, regular, periodic and ad-hoc monitoring and review (see Annex 2). When an organisation has properly structured the “three lines model”, and they operate effectively, it should understand how each of the lines contributes to the overall assurance required and how those involved can best be integrated and mutually supportive. There should be no gaps in coverage and no unnecessary duplication of effort. Importantly, the accounting officer and the board should receive unbiased information about the organisation’s principal risks and how management is responding to those risks.

5.7 Risk Reporting

D13 - The board, supported by the Audit and Risk Assurance Committee, should specify the nature, source, format and frequency of the information that it requires. It should ensure that the assumptions and models underlying this information are clear so that they can be understood and, if necessary, challenged. Factors to consider for reporting include, but are not limited to:

  • differing stakeholders and their specific information needs and requirements
  • cost, frequency and timeliness of reporting
  • method of reporting
  • relevance of information to organisational objectives and decision-making

D14 - The information should support the board to assess whether decisions are being made within its risk appetite to successfully achieve objectives, to review the adequacy and effectiveness of internal controls, and to decide whether any changes are required to re-assess strategy and objectives, revisit or change policies, reprioritise resources, improve controls, and/or alter their risk appetite.

D15 - Clear, informative and useful reports or dashboards should promote key information for each principal risk to provide visibility over the risk, compare results against key performance/risk indicators, indicate whether these are within risk appetite, assess the effectiveness of key management actions and summarise the assurance information available. Reports should include qualitative and quantitative information, where appropriate, show trends and support early warning indicators. Understanding and decision-making should be supported through the presentation of information in summary form and the use of graphics and visualisation.

D16 - Principal risks should be subject to “deep dive” reviews by the board and/or Audit and Risk Assurance Committee, with those responsible for the management of risks and with appropriate expertise present at an appropriate frequency depending on the nature of the risk and the performance reported.

6. Section E: Continual Improvement

6.1 Main Principle

E - Risk management shall be continually improved through learning and experience.

6.2 Supporting Principles

E1 - The organisation should continually monitor and adapt the risk management framework to address external and internal changes. The organisation should also continually improve the suitability, adequacy and effectiveness of the risk management framework. This should be supported by the consideration of lessons based on experience and, at least annually, review of the risk management framework and the performance outcomes achieved. Annex 3 contains questions that may assist in assessing the efficient and effective operation of the risk management framework.

E2 - All strategies, policies, programmes and projects should be subject to comprehensive but proportionate evaluation[footnote 13], where practicable to do so. Learning from experience helps to avoid repeating the same mistakes and helps spread improved practices to benefit current and future work, outputs and outcomes. At the commencement, those involved and key stakeholders should identify and apply relevant lessons from previous experience when planning interventions and the design and implementation of services and activities. Lessons should be continually captured, evaluated and action should be taken to manage delivery risk and facilitate continual improvement of the outputs and outcomes. Organisation leaders and owners of standards, processes, methods, guidance, tools and training, should update their knowledge sources and communicate learning as appropriate.

E3 - Process/capability maturity models or continua may be used to support a structured assessment of how well the behaviours, practices and processes of an organisation can reliably and sustainably produce required outcomes. These models may be used as a benchmark for comparison and to inform improvement opportunities and priorities.

E4 - As relevant gaps or improvement opportunities are identified, the organisation should develop plans and tasks and assign them to those accountable for implementation.

7. Part II: The Risk Control Framework

Part II does not introduce any additional principles. However, it does provide further granularity on ‘what’ and ‘why’ in relation to the control of risk as it is important that the principles in Part I are consistently understood in relation to this aspect of risk management. Consistent with the rest of the Orange Book this section is not intended to be prescriptive about ‘how’ organisations should control risk.

7.1 Existing accounting officer Responsibilities in relation to Risk Control

As the senior executive official in each public sector organisation, accounting officers are responsible for ensuring organisational compliance with existing rules and guidance, including Functional Standards. Each year accounting officers sign statements acknowledging their responsibilities and providing assurance on the adequacy of internal controls.

The accounting officer control responsibilities support the achievement of their organisations’ policies, aims and objectives, while safeguarding quality standards and public funds, as well as meeting high standards of public conduct.

The control frameworks in existence vary in their nature across government and are permitted to be so in accordance with broader government governance principles. In an ever-changing environment, with new risks emerging and systems and controls changing, procedures and policies must be regularly reviewed and updated to ensure that they remain fit for purpose.

The Risk Control Framework does not change accounting officer responsibilities but should make it easier for accounting officers, their management teams, functional leaders, audit and risk assurance committees, and boards to demonstrate that these responsibilities are being discharged appropriately.

7.2 Purpose of the Risk Control Framework (RCF)

To help organisations have an effective and efficient approach to risk control, the RCF provides structure to existing requirements which should help accounting officers:

  • in being confident in their control activities and
  • when prioritising control improvements.

It should also help strengthen decision making and support the management of risks taken to fulfil their duties. More effective control can allow for a higher level of risk to be taken where desired, allowing better outcomes from a given level of resource (or the same with less), leading to more effective and efficient risk management.

7.3 How the Framework was developed

In collaboration with the Government Internal Audit Agency, the Treasury Officer of Accounts reviewed the existing body of rules and guidance related to internal control and structured the list into a RCF.

After extensive consultation, the existing rules and standards were grouped into categories (the “Pillars”) and sub-sections, the aim being to simplify navigation of the existing requirements and offer consistency to the way in which adherence can be understood in different parts of an organisation.

In summer 2022, the first Head of the Government Risk Profession took custodianship of the framework and, with the support of a working group from several government organisations, developed this guidance (and the supporting assurance tool) around it – see Section G for further details.

7.4 Uses of the RCF

The RCF can be used in many different situations for different purposes including:

  • Accounting officers wishing to understand how good their organisational risk management (including internal control) is by design and in practice (relevant for the Annual Governance Statement)
  • Risk/Assurance Functions who provide assistance, oversight, advice and/or assurance to accounting officers
  • Internal Auditors (typically GIAA) seeking a consistent structure for audit planning and results reporting
  • Providing assurance for Internal Audit and Audit and Risk Assurance Committees (ARACs) on the internal controls in place, and to assist in the production of the Annual Governance Statement
  • Others who seek a consistent view of internal control across government, whatever the specific approaches adopted by individual organisations, or who wish to understand the way in which risk management contributions operate in overall context

8. Section F: Structure of the Risk Control Framework

8.1 The RCF

The RCF covers all controls relevant to government organisations. This includes operational local controls, functional standards and other guidance/codes and standards. The RCF is part of the broader risk management framework in use in Government as outlined in Part I of this book. The RCF consists of four related Pillars, each with key subcomponents, and an underpinning requirement across the entire RCF of the ‘three lines model’. Each of the related (sometimes overlapping) pillars, and the mandatory and non-mandatory requirements that sit behind them, are detailed in the Assurance Tool (see Section G), but the overall framework diagram on page 33 should be useful when considering the comprehensiveness of control-related activity in organisations.

Pillar 1: Governance and Management Framework

Each organisation should have a governance framework which complies with expected standards of conduct, requirements of efficiency and transparency in delivery.

Pillar 2: Roles and Accountabilities

Roles and accountabilities should be defined and assigned to people with appropriate seniority, skills and experience. All individuals need to be clear on their roles and responsibilities in the management of their organisation’s risks and controls and discharge of duties.

Pillar 3: Strategy, Planning & Reporting

Public Sector organisations should take short, medium and longer term approaches to planning and when doing so should ensure risks to strategy and business objectives are visible and mitigated effectively. Performance and risk reporting should be designed and operated to inform and enable effective risk-based decision making.

Pillar 4: Standards, Policies & Procedures

Approvals should be given, and decisions made and implemented in a timely manner in accordance with the organisation’s governance and management framework (including financial management controls and delegations of authority), government policy and regulations and the organisation’s strategy.

Local organisational processes should have appropriate controls attached to them which reflect the scale, nature and complexity of the organisation.

Underpinning requirement

Underpinning all the pillars is effective culture and operation of the ‘three lines model’ (explained in Annex 2) including the provision of appropriate assurance.

8.2 The Risk Control Framework: Four pillars underpinned by the ‘three lines model’

The Risk Control Framework supports accounting officers in meeting their objectives and obligations.

Pillar 1: Governance & Management Framework

  • Propriety & Ethics
  • Governance Statement & AO System Statement
  • Boards
  • Arm’s Length Bodies & Joint Venture

Pillar 2: Roles & Accountabilities

  • Accounting Officer
  • All Staff
  • Functional Roles
  • Senior Responsible Owners for Major Projects

Pillar 3: Strategy, Planning & Reporting

  • Medium-term Planning
  • Annual Planning
  • Processes
  • Reporting

Pillar 4: Standards, Policies & Procedures

  • Delegations & Budgetary Control
  • Functional Standards
  • Public Sector & Wider Statutory Requirements
  • Organisational Policies & Procedures

Three Lines Model

The RCF is underpinned by effective operation of the three lines model as described in Annex 2 – the ‘Three Lines Model’ of the Orange Book, including the importance of culture and the provision of assurance by internal audit and third party assurance providers.

8.3 Control Hierarchy Pyramid

The RCF is built from legislation and existing codes/guidance/rules created centrally as high “entity” level controls across government.

These high-level requirements (which can be aligned to the pillars of the RCF) should inform local assessments at various levels with the potential to be aggregated.

Inside departments/other organisations, other local requirements (high level/entity codes/guidance/rules) may exist. Where they do, they should also inform local assessments.

At local organisation unit/process/sub-process/other levels, individual risks and controls will be identified and assessed reflecting the higher level control requirements and local control needs.

8.4 Compatibility with Part I: Risk Management Principles

The RCF does not affect the principles in Part I of the Orange Book but is intended to provide greater clarity on elements of control. Categories (pillars) and sub-categories (blocks) of the RCF can relate to one or more components of the Orange Book and this mapping is illustrated in the diagram on page 35 which should help when users wish to consider controls through either the Part II (RCF) categories or the Part I principles. There could be several reasons why organisations might wish to use both dimensions of this matrix (including occasionally a hybrid of the two) and some examples are listed below.

Examples of using Principles

  • Many organisations measure risk management embeddedness and/or maturity using the five main principles of the Orange Book. In undertaking measurement of current state or for the purposes of being clear on what is expected in the future, the RCF categories and components bring greater granularity on the extent to which controls reflect what is supposed to be in place. This brings greater credibility and granularity to the current state or future state assessments and the plan for moving from one to the other

  • The Orange Book adopts a “Comply or Explain” approach and some organisations might find it easier to summarise their activity by Orange Book components in order to demonstrate adherence with it even where the work itself is organised using some or all of the RCF framework categories

Examples of using RCF categories

  • Some non-executive directors or others may be more familiar (from previous roles and organisations) with internal control arrangements than with the broader risk management principles in Part I. As a result, they may feel more comfortable understanding the current control environment using the RCF structure. However, understanding that they also need to comply or explain with Orange Book principles, they will want to know that content can be “translated”.

  • Internal Audit and other assurance services might be planned and delivered around the categories used in the RCF. Management ability to communicate capability using the same RCF framework can help cohesion with agreed assessment and improvement priorities

Mapping of RCF to Orange Book Principles

Columns: (1) Governance and Leadership, (2) Integration, (3) Collaboration & Best Information, (4) Risk Management Processes, (5) Continual Improvement

RCF component                                          | (1) | (2) | (3) | (4) | (5)
Propriety & Ethics                                     |  X  |     |     |     |
Governance statement and accounting officer statement  |  X  |     |     |     |
Boards                                                 |  X  |  X  |  X  |  X  |
ALBs and Joint Venture                                 |  X  |     |  X  |  X  |  X
Accounting officer                                     |  X  |     |     |  X  |
All staff                                              |     |     |     |  X  |
Functional Roles                                       |  X  |     |     |  X  |
Senior responsible owners for major projects           |  X  |     |  X  |  X  |
Medium term planning                                   |  X  |  X  |     |  X  |
Annual planning                                        |     |  X  |     |  X  |
Processes                                              |     |     |     |  X  |  X
Reporting                                              |  X  |     |  X  |  X  |
Delegations and budgetary control                      |  X  |  X  |     |     |
Functional standards                                   |     |     |     |     |  X
Public sector and wider statutory requirements         |     |     |     |     |  X
Organisational policies                                |  X  |     |     |     |  X
Systems for three lines model                          |  X  |     |     |  X  |
Assurance mapping                                      |     |     |     |  X  |
Internal Audit                                         |  X  |     |     |     |
Third party assurance                                  |     |     |  X  |  X  |

9. Section G: Assurance

9.1 Using the RCF for Assurance

Co-ordinating a fit-for-purpose approach to assurance supports organisations in establishing a clear and comprehensive picture of the greatest risks to the achievement of their objectives, service delivery improvements and value for money.

Management will seek assurance over the design, application, and effectiveness of controls in place in their business areas to manage risk to appetite/tolerance – delivering objectives and meeting obligations. The aim is to have confidence that the controls in place are the right ones to effectively manage principal risks and achieve compliance with standards and that they are operating effectively. This activity underpins the annual governance statement as well as driving audit planning and reporting.

Such assurance can be structured by using the RCF. Whichever methods are used for assurance mapping and delivery, the RCF can bring cohesion to the activity undertaken.

This section does not set out the procedure by which organisations should design and operate their assurance activities. It sets out an approach that allows for flexibility and judgement in the design, implementation and operation of assurance activities, informed by relevant standards, guidance and good practice.

9.2 Types of Requirements Meriting Assurance

Whichever approach to assurance mapping is undertaken, the RCF helps bring structure to existing business requirements which need to be addressed somewhere in the assurance being mapped. These existing requirements broadly fall under one of the following categories:

  • Functional Standards (mandatory/non-mandatory)
  • Other Central Government guidance, codes of conduct, procedures
  • Additional requirements local to the organisation

There may also be other requirements not included in the above which may require assurance.

Compliance with each of these types of standards should be proportionate to the nature of individual requirements and organisations.

9.3 Functional Standards

A functional standard succinctly defines what should normally happen within the scope of a function, using consistent language and agreed definitions.

UK Government Functional Standards set expectations for the management of functional work and the functional model across government. Functions are positioning these standards as the primary reference documents for improved and consistent ways of working, to help achieve objectives more effectively and efficiently. The standards serve to help accounting officers fulfil their duties.

Accounting officers should champion the standards as drivers of coherence, consistency and continuous improvement, and use them to trigger conversations about the action needed in organisations to improve the way functional work is done and to support the enduring principles and requirements set out in Managing Public Money[footnote 4].

Organisations can tailor how they meet the standards in practice, depending on business need. The standards are written to take account of the different ways in which different organisations manage the work. For example, they are deliberately neutral about roles and terminology, so that organisations can tailor job titles and the naming of documentation, methods, procedures and processes to the type of work being done.

Compliance should be proportionate and appropriate to the functional work done, and the level of prevailing risk.

Other Central Government guidance, codes of conduct and procedures

These can also include mandatory and/or non-mandatory components and need to be given equal importance in assurance mapping and delivery.

9.4 Additional requirements local to the organisation

These are requirements set by organisational leaders for use within their organisation. They are not requirements from central government. They can also include mandatory and/or non-mandatory components and need to be given appropriate attention in assurance mapping and delivery, locally.

9.5 RCF Assurance Tool

A spreadsheet tool has been created by the Risk Centre of Excellence team (RCoE) which provides various levels of assurance questions for use when assessing adherence with the items underpinning the categories and components in the RCF. In some cases, the assurance questions are provided by the owners of the standard/guidance but where this is not yet available, the RCoE has developed a series of questions to assist accounting officers and their organisations.

Recognising that one size does not fit all organisations, the tool is intended to be useful to assist assurance teams and practitioners in understanding the scope of existing requirements rather than supply a definitive list of questions. The aim is to provide a ‘guiding hand’ through management assurance processes leading to the annual governance statement, and in doing so, also assist audit planning and reporting.

The structure of the Assurance Tool is as follows:

  • High-level risk management assurance questions relating to Part I of the Orange Book (listed in Annex 3, Questions to Ask)
  • High level questions for each component of the RCF
  • Detailed questions informed by systematically collected evidence linked to key guidance/good practice codes/standards
  • A map of how the underlying standards/requirements/guidance relate to each component in the RCF

The assurance tool containing these questions is available from the RCoE.

9.6 The Use of Other IT Systems

Various different systems are used for the purposes of assurance mapping and related risk and internal control assessment. Some are spreadsheet-based using reporting/visualisation tools and others are bespoke risk and control assessment and/or auditing systems. Organisations should use whatever is most suitable for them. The RCoE’s assurance tool makes information available to organisations in Excel format which can be used as required.

9.7 Assurance Mapping

“Assurance mapping is a mechanism for linking assurance from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives. They can be at various levels, dependent upon the scope of the mapping” – HMT “Assurance Frameworks” 2012[footnote 17].

Assurance mapping should be undertaken to ensure appropriate nature, coverage and depth of assurance being planned, which typically relates directly to the degree of confidence organisations can have in their control environment.

Good (effective and efficient) assurance mapping helps improve the effectiveness and efficiency of risk management more broadly.

There are different approaches to assurance mapping in use across government and this guidance does not set a preferred approach for this activity as it is for accounting officers to decide what works best for their organisation. The reasons for the differences can include:

  • the nature of activities
  • the risk level of organisational activities
  • the levels of control confidence needed
  • the availability of data
  • the approaches to different types of standards/requirements

Although the assurance ultimately undertaken might be similar regardless of the approach taken to mapping, it could result in significant differences to planned assurance. Nevertheless, this document does not mandate a particular approach to assurance mapping across government although it is intended that the RCF will be a useful way to bring common language to assurance activity.

The following guidance is intended to be of assistance to organisations as they continue to develop their approach and contains examples of good practice approaches currently being used.

9.8 Example approaches to assurance mapping

The main approaches to assurance mapping in use in government are:

  • Principal risk based
  • Process based
  • Control based
  • Risk Assurance

These different approaches are not always mutually exclusive and they can overlap to different degrees and combinations can be used to find the most effective and efficient way of assurance mapping in an organisation.

9.9 Overview of Principal risk‑based approaches to mapping

This approach uses an assessment of risk to the most important drivers of strategic business success, and maps assurance onto those strategic risks/drivers.

Each strategic risk is addressed in turn and options considered for the degree and source of assurance.

Judgement is used to consider the options for levels and sources of assurance given the absolute or relative exposure to each strategic risk. Although the mapping begins with consideration of each risk, it will typically involve consideration of controls in place to address each risk and can thus be partially anchored to the controls which may or may not be shared controls impacting other risks.

Often, reports will show the findings from the assurance work against each risk along with the score showing the level of assurance provided for each risk. This can lead to adjustments in assurance mapping for subsequent periods when the level of assurance can be increased or decreased (or the supplier changed) to maximise efficiency and effectiveness.

A simple illustration is below, with ‘x’ marking where assurance might be mapped from.

Assurance provided from:

Principal Risks | 1st line | 2nd line | 3rd line | Other
Risk A          |    x     |          |    x     |
Risk B          |    x     |    x     |          |
Risk C          |          |    x     |    x     |   x

9.10 Overview of Process based approaches to mapping

Using an otherwise similar approach to that outlined for the principal risks, the process-based approach uses a prioritised list of business processes and maps assurance onto those processes (and/or subprocesses).

Assurance provided from:

Business Process | 1st line | 2nd line | 3rd line | Other
Process A        |          |    x     |    x     |
Process B        |    x     |    x     |          |   x
Process C        |    x     |          |    x     |   x

9.11 Overview of Control based approaches to mapping

Using an otherwise similar approach to that outlined for the principal risks, the control-based approach uses an assessment of the most important controls in an organisation and maps assurance onto those controls.

Assurance provided from:

Key Controls | 1st line | 2nd line | 3rd line | Other
Controls A   |          |    x     |    x     |
Controls B   |    x     |    x     |          |   x
Controls C   |    x     |          |    x     |   x

9.12 Overview of Risk assurance approach

With this approach, the risk management process (as applied to the part of the business in scope) is the basis for mapping assurance work. This is more akin to the assurance of Part I of the Orange Book but is included in this section for completeness.

Assurance provided from:

Risk Management Activity | 1st line | 2nd line | 3rd line | Other
Identification           |    x     |    x     |          |   x
Assessment               |    x     |    x     |    x     |
Control                  |    x     |    x     |    x     |
Reporting                |    x     |    x     |    x     |
Other                    |    x     |          |          |   x

9.13 Generic tips for Assurance Mapping

Whichever approach (or combination of approaches) to mapping is adopted by organisations, the following generic tips should be useful to consider:

  • Start with strategic: Focusing first on aspects of most strategic importance will help calibrate further, less-strategic assurance work
  • Leverage existing information: Existing risk and control information (including owners and links to business processes etc) should already have been captured in risk registers and other documents and this should be useful when planning assurance work
  • Effectiveness and Efficiency: Address the effectiveness and efficiency of the assurance being planned to include the level of assurance and the sources of it (which might be of varying quality and otherwise result in gaps/overlaps)
  • Engagement: Undertake lots of engagement to explain the approach/process and its importance
  • What good looks like: Ensure to state what good controls look like and the quality of evidence required
  • Relevance: Keep questions relevant and at a high level – don’t try to address all detailed compliance aspects unless you really need to
  • Refresh: Review and update each year as things do change (however keep large scale changes to minimum to allow processes to embed)
  • Visualise: Colour coding and other visualisation techniques are helpful, as they provide a visual overview which makes it easier for people to understand what is important
  • Subject Matter Experts (SMEs): SME input is vital, so aim to build good relationships with them. Ensure they understand the key messages on controls to cascade through the organisation
  • Appropriate mix: There are different types of assurance that may have different strengths and may be best used in different ways. The Audit and Risk Assurance Committee can play a key role in seeking an optimum mix of assurance
  • Proportionality and Pragmatism: In practical terms assurance should be manageable and suitable for the nature, scale and complexity of the operations being reviewed.

10. Annex 1: Roles and Responsibilities – Board, accounting officer and Audit and Risk Assurance Committee

10.1 Board

The board of each public sector organisation, informed and advised by their Audit and Risk Assurance Committee, should:

  • lead the assessment and management of risk and take a strategic view of risks in the organisation
  • ensure that there are clear accountabilities for managing risks and that officials are equipped with the relevant skills and guidance to perform their assigned roles effectively and efficiently
  • ensure that roles and responsibilities for risk management are clear to support effective governance and decision-making at each level with appropriate escalation, aggregation and delegation
  • determine and continuously assess the nature and extent of the principal risks that the organisation is willing to take to achieve its objectives – its “risk appetite” – and ensure that planning and decision-making appropriately reflect this assessment
  • agree the frequency and scope of its discussions on risk to review how management is responding to the principal risks and how this is integrated with other matters considered by the board, including business planning and performance management processes
  • specify the nature, source, format and frequency of the information that it requires
  • ensure that there are clear processes for bringing significant issues to its attention more rapidly when required, with agreed triggers for doing so
  • use horizon scanning to identify emerging sources of uncertainty, threats and trends
  • assure itself of the effectiveness of the organisation’s risk management framework
  • assess compliance with the Corporate Governance Code[2] and include explanations of any departures within the governance statement of the organisation’s annual report and accounts

10.2 Accounting officer

The accounting officer of each public sector organisation, supported by the Audit and Risk Assurance Committee, should:

  • periodically assess whether the organisational values, leadership style, opportunities for debate and learning, and human resource policies support the desired risk culture, incentivise expected behaviours and sanction inappropriate behaviours
  • ensure that expected values and behaviours are communicated and embedded at all levels to support the appropriate risk culture
  • designate an individual to be responsible for leading the organisation’s overall approach to risk management, who should be of sufficient seniority and should report to a level within the organisation that allows them to influence effective decision-making
  • establish the organisation’s overall approach to risk management
  • establish risk management activities that cover all types of risk and processes that are applied at different organisational levels
  • ensure the design and systematic implementation of policies, procedures and practices for risk identification, assessment, treatment, monitoring and reporting
  • consider the organisation’s overall risk profile, including risk management within arm’s length bodies and the extended enterprise
  • demonstrate leadership and articulate their continual commitment to and the value of risk management through developing and communicating a policy or statement to the organisation and other stakeholders, which should be periodically reviewed
  • ensure the allocation of appropriate resources for risk management, which can include, but is not limited to people, skills, experience and competence
  • monitor the quality of the information received and ensure that it is of a sufficient quality to allow effective decision-making
  • ensure that risk is considered as an integral part of appraising option choices, evaluating alternatives and making informed decisions
  • be provided with expert judgements through functions to advise on:

    • the feasibility and affordability of strategies and plans
    • the evaluation and development of realistic programmes, projects and policy initiatives
    • prioritisation of resources and the development of capabilities
    • the design and operation of internal control in line with good practice and the nature and extent of the risks that the organisation is willing to take to achieve its objectives
    • driving innovation and incremental improvements
  • clearly communicate their expectation that risk management activities are coordinated and that information is shared across the ‘lines of defence’ where this supports the overall effectiveness of the effort and does not diminish any of the ‘lines’’ key functions

10.3 Audit and Risk Assurance Committee[footnote 14]

Leading the assessment and management of risk is a role for the board. The Audit and Risk Assurance Committee should support the board in this role.

It is essential that the Audit and Risk Assurance Committee:

  • understands the organisation’s business strategy, operating environment and the associated risks, taking into account all key elements of the organisation as parts of an “extended enterprise”
  • understands the role and activities of the board (or equivalent senior governance body) in relation to managing risk
  • discusses with the board its policies, attitude to and appetite for risk to ensure these are appropriately defined and communicated so that management understands these parameters and expectations
  • understands the risk management framework and the assignment of responsibilities
  • critically challenges and reviews the risk management framework, without second guessing management, to evaluate how well the arrangements are actively working in the organisation
  • critically challenges and reviews the adequacy and effectiveness of control processes in responding to risks within the organisation’s governance, operations, compliance and information systems

Assurance should be obtained on risks across the organisational group. The group should focus on assurances over the management of cross organisational governance, risk and control arrangements to supplement departmental or entity level assurances. Similarly, assurance should also encompass services outsourced to external providers, including shared service arrangements, and risks that cross organisational boundaries, for example, in major projects.

11. Annex 2: The Three Lines Model

Everyone in an organisation has some responsibility for risk management. The ‘three lines model’ provides a simple and effective way to help delegate and coordinate risk management roles and responsibilities within and across the organisation.

The model is not intended as a blueprint or organisational design, but may provide a flexible structure that can be implemented in support of the risk management framework. Functions within each of the ‘line roles’ may vary from organisation to organisation and may operate differently.

Neither governance bodies nor senior management are considered to be among the ‘lines’ in this model. They are the primary stakeholders served by the ‘line roles’, as they collectively have responsibility and accountability for setting the organisation’s objectives, defining strategies to achieve those objectives, and establishing roles, structures and processes to best manage the risks in achieving those objectives successfully.

11.1 First line Roles

Under the ‘first line role’, management have primary ownership, responsibility and accountability for identifying, assessing and managing risks. Their activities create and/or manage the risks that can facilitate or prevent an organisation’s objectives from being achieved.

The first line ‘own’ the risks and are responsible for execution of the organisation’s response to those risks through executing internal controls on a day-to-day basis and for implementing corrective actions to address deficiencies.

Through a cascading responsibility structure, managers design, operate and improve processes, policies, procedures, activities, devices, practices, or other conditions and/or actions that maintain and/or modify risks and supervise effective execution. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, variations in or inadequate processes and unexpected events, supported by routine performance and compliance information.

11.2 Second line Roles

The second line role consists of functions and activities that monitor and facilitate the implementation of effective risk management practices and facilitate the reporting of adequate risk related information up and down the organisation. The second line should support management by bringing expertise, process excellence, and monitoring alongside the first line to help ensure that risks are effectively managed.

The second line should have a defined and proportionate approach to ensure requirements are applied effectively and appropriately.

This would typically include compliance assessments or reviews carried out to determine that standards, expectations, policy and/or regulatory considerations are being met in line with expectations across the organisation. (In addition to professional standards, functional standards guide people working in and with the UK government. They exist to create a coherent and mutually understood way of doing business across organisational boundaries, and to provide a stable basis for assurance, risk management and capability improvement.)

Where they exist, Assurance Teams (typically from the second line as third line assurance is provided by Internal Audit) usually:

  • Lead and coordinate the assurance mapping and delivery activity, including consolidating and reporting results to committees
  • Agree and refine wording of questions to be used locally each year, with help from Subject Matter Experts (SME), specifying ‘what good looks like’ locally in terms of controls and evidence
  • Set the rating mechanisms and formatting requirements to be used for assurance findings
  • Pursue areas requiring improvements, ensuring actions taken e.g., development of management information (such as reports on staff undertaking mandated training)
  • Attend challenge meetings with Director Generals (DGs) and other senior business leaders
  • Undertake other duties as appropriate for their organisation

11.3 Third line roles

Internal audit forms the organisation’s “third line role”. An independent internal audit function[footnote 15] will, through a risk-based approach to its work, provide an objective evaluation of how effectively the organisation assesses and manages its risks, including the design and operation of the “first and second lines of defence”. It should encompass all elements of the risk management framework and should include in its potential scope all risk and control activities. Internal audit may also provide assurance over the management of cross-organisational risks and support the sharing of good practice between organisations, subject to considering the privacy and confidentiality of information.

11.4 External assurance

Sitting outside the organisation’s own risk management framework and the three lines model are a range of other sources of assurance that support an organisation’s understanding and assessment of its management of risks and its operation of controls, including:

  • external auditors, chiefly the National Audit Office (NAO) (Some executive NDPBs may have private sector external auditors (either appointed by the relevant Secretary of State or by the Body’s Executive) with a reporting line directly to the Secretary of State or to the body rather than through NAO to Parliament.), who have a statutory responsibility for certification audit of the financial statements
  • value for money studies undertaken by the NAO, which Parliament use to hold government to account for how it spends public money
  • the Infrastructure and Projects Authority (IPA), who arrange and manage independent expert assurance reviews of major government projects that provide critical input to HM Treasury business case appraisal and financial approval points

Other sources of independent external assurance may include independent inspection bodies, external system accreditation reviews/certification (e.g. ISO), and HM Treasury/Cabinet Office/Parliamentary activities that support scrutiny and approval processes.

11.5 Coordination, cooperation and communication

These three line roles have a common objective: to help the organisation achieve its objectives with effective management of risks. They often deal with the same risk and control issues. The accounting officer and the board should clearly communicate their expectation that information be shared and activities co-ordinated across each of the ‘lines’ where this does not diminish the effectiveness or objectivity of any of those involved.

Careful coordination is necessary to avoid unnecessary duplication of efforts, while assuring that all significant risks are addressed appropriately. Coordination may take a variety of forms depending on the nature of the organisation and the specific work done by each party. It is likely to be helpful to adopt a common ‘language’ or set of definitions across the ‘lines model’ to ease understanding, for example, in defining risk categories, risk criteria and what is an acceptable level of control or a significant control weakness.

Internal audit and external audit should work effectively together to the maximum benefit of the organisation and in line with international[footnote 16] and public sector standards.

12. Annex 3: Questions to Ask

12.1 Governance and Leadership

  1. How is the desired risk culture defined, communicated, and promoted? How is this periodically assessed?

  2. How do human resource policies and performance systems encourage and support desired risk behaviours and discourage inappropriate risk behaviours?

  3. How has the nature and extent of the principal risks that the organisation is willing to take in achieving its objectives been determined and used to inform decision-making? Is this risk appetite tailored and proportionate to the organisation?

  4. How are the board and other governance forums supported to consider the management of risks, and how is this integrated with discussion on other matters?

  5. How effective are risk information and insights in supporting decision-making, in terms of the focus and quality of information, its source, its format and its frequency?

  6. How are authority, responsibility and accountability for risk management and internal control defined, co-ordinated and documented throughout the organisation?

  7. How is the designated individual responsible for leading the overall approach to risk management positioned and supported to allow them to exercise their objectivity and influence effective decision-making?

  8. How are the necessary skills, knowledge and experience of the organisation’s risk practitioners assessed and supported?

  9. How has the necessary commitment to risk management been demonstrated?

12.2 Integration

  1. How are risks considered when setting and changing strategy and priorities?

  2. How are risks transparently assessed within the appraisal of options for policies, programmes and projects or other significant commitments?

  3. How are emerging risks identified and considered?

  4. How are risks to the public assessed and reflected within policy development and implementation?

  5. How are National Risk Register risks, that are particularly pertinent to the organisation, recognised in risk assessments and discussions?

12.3 Collaboration and Best Information

  1. How is an aggregated view of the risk profile informed across the organisation, arm’s length bodies and the extended enterprise supporting the delivery of services?

  2. How are the views of external stakeholders gathered and included within risk considerations?

  3. How does communication and consultation assist stakeholders to understand the risks faced and the organisation’s response?

  4. How is function and professional expertise used to inform strategies, plans, programmes, projects and policies?

  5. How do expert functions and professions inform the identification, assessment and management of risks and the design and implementation of controls?

  6. How are functional standards communicated and their adherence monitored across the organisation?

12.4 Risk Management Processes

  1. How are risk taxonomies or categories used to facilitate the identification of risks within the overall risk profile?

  2. How are risk criteria set to support consistent interpretation and application in assessing the level of risk? How effective are these in supporting the understanding and consideration of the likelihood and consequences of risks?

  3. How are limitations and influences associated with the information and evidence used with risk assessments highlighted?

  4. How are interdependencies between risks or possible combinations of events (‘domino’ risks) identified and assessed?

  5. How dynamic is the assessment of risks and the consideration of mitigating actions to reflect new or changing risks or operational efficiencies?

  6. How are exposures to each principal risk assessed against the nature and extent of risks that the organisation is willing to take in achieving its objectives – its risk appetite – to inform options for the selection and development of internal controls?

  7. How are decisions made in balancing the potential benefits of the design and implementation of new or additional controls with the costs, efforts and any disadvantages of different control options?

  8. How are contingency arrangements for high impact risks designed and tested to support continuity, incident and crisis management and resilience?

  9. How is the nature, source, format and frequency of the information required to support monitoring of risk management and internal control defined and communicated?

  10. How are new and changing principal risks highlighted and escalated clearly, easily and more rapidly when required?

  11. How comprehensive, informative and coordinated are assurance activities in helping achieve objectives and in supporting the effective management of risks?

  12. How do disclosures on risk management and internal control contribute to the annual report being fair, balanced and understandable?

12.5 Continual Improvement

  1. How are policies, programmes and projects evaluated to inform learning from experience? How are lessons systematically learned from past events?

  2. How is risk management maturity periodically assessed to identify areas for improvement? Is the view consistent across differing parts or levels of the organisation?

  3. How are improvement opportunities identified, prioritised, implemented and monitored?

13. Annex 4: Example Risk Categories

  • Strategy risks – Risks arising from identifying and pursuing a strategy, which is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (e.g. political, economic, social, technological, environment and legislative change).

  • Governance risks – Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.

  • Operations risks – Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.

  • Legal risks – Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).

  • Property risks – Risks arising from property deficiencies or poorly designed or ineffective/inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public.

  • Financial risks – Risks arising from not managing finances in accordance with requirements and financial constraints resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.

  • Commercial risks – Risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and/or failure to meet business requirements/objectives.

  • People risks – Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies resulting in negative impact on performance.

  • Technology risks – Risks arising from technology not delivering the expected services due to inadequate or deficient system/process development and performance or inadequate resilience.

  • Information risks – Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential.

  • Security risks – Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with General Data Protection Regulation requirements.

  • Project/Programme risks – Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.

  • Reputational risks – Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures or poor quality or a lack of innovation, leading to damage to reputation and/or destruction of trust and relations.

Failure to manage risks in any of these categories may lead to financial, reputational, legal, regulatory, safety, security, environmental, employee, customer and operational consequences.

14. Annex 5: Definitions and Supportive Concepts

Governance[footnote 2] is the system by which organisations are directed and controlled. It defines accountabilities, relationships and the distribution of rights and responsibilities among those who work with and in the organisation, determines the rules and procedures through which the organisation’s objectives (objectives can have different aspects and categories – covering efficient and effective operations, financial and non-financial reporting, and compliance with laws and regulations – and can be applied at different levels) are set, and provides the means of attaining those objectives and monitoring performance. This includes establishing, supporting and overseeing the risk management framework.

Risk Management is the co-ordinated activities designed and operated to manage risk and exercise internal control within an organisation.

Risk is the effect of uncertainty on objectives. Risk is usually expressed in terms of causes, potential events, and their consequences:

  • A cause is an element which alone or in combination has the potential to give rise to risk
  • An event is an occurrence or change of a set of circumstances and can be something that is expected which does not happen or something that is not expected which does happen. Events can have multiple causes and consequences and can affect multiple objectives
  • A consequence is the outcome of an event affecting objectives, should the event happen. Consequences can be certain or uncertain, can have positive or negative direct or indirect effects on objectives, can be expressed qualitatively or quantitatively, and can escalate through cascading and cumulative effects

14.1 Stating risks: causes, events and consequences

Figure: a risk statement links one or more causes to an event and to the consequences that follow from it (Cause 1, 2, 3 → Event → Consequence 1, 2, 3).

Example 1

Event: Failure to plan for a third party supplier and market failure

Causes:
  • Poor supplier relationship management
  • Poor assurance mechanisms
  • Failure to monitor financial stability
  • Failure to resource business continuity options planning

Consequences:
  • Service failure
  • Substantial management time needed to fight fires
  • Increased costs
  • Damage to confidence of service users, staff and other stakeholders

Example 2

Event: Failure to manage within departmental finances

Causes:
  • Failure to plan and prioritise effectively
  • Poor financial reporting process
  • Lack of financial skills and capabilities among staff
  • Poor financial culture

Consequences:
  • Overspends
  • Funding pressures
  • Failure to plan for the long term
  • Failure to deliver our organisational objectives

In stating risks, care should be taken to avoid stating consequences that may arise as being the risks themselves, i.e. identifying the symptoms without their cause(s). Equally, care should be taken to avoid defining risks with statements that are simply the converse of the objectives, i.e. failure to achieve the intended output/outcome.

Organisations typically assess consequences using a combination of criteria, which commonly include financial, reputational, legal, regulatory, safety, security, environmental, employee, customer and operational effects. The criteria used should be dynamic and should be periodically reviewed and amended, as necessary. Scales should allow meaningful differentiation for ranking and prioritisation purposes based on assigning values to each risk using the defined criteria.

When assigning a consequence rating to a risk, the rating for the highest, most credible worst-case scenario should be assigned.

The risk analysis process defines the level of risk, based on the assessment of the likelihood of the risk occurring and the consequences should the event happen. Likelihood is the assessment of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

Risk analysis should also consider:

  • sensitivity and confidence levels, based on the information available
  • complexity and connectivity
  • time-related factors and volatility
  • the effectiveness of existing internal control

Internal Control is the dynamic and iterative framework of processes, policies, procedures, activities, devices, practices, or other conditions and/or actions that maintain and/or modify risk. Internal controls permeate and are inherent in the way the organisation operates and are affected by cultural and behavioural factors.

Where additional action is required to bring the levels of risk within the nature and extent that the organisation is willing to take to achieve its objectives, the organisation should select, develop and implement options for addressing risk through preventive, directive, detective, and/or corrective controls that manage risks to an acceptable level. These might be manual or automated. This involves an iterative process of:

  • planning and implementing internal control
  • assessing the effectiveness of internal control
  • deciding whether the nature and extent of the remaining risk after the implementation of internal controls is acceptable
  • if not acceptable, reassessing options and taking further action where appropriate

Internal control, even if carefully designed and implemented, might not produce the intended or expected outcomes. Internal control can also introduce new risks that need to be managed.

Assurance is a general term for the confidence that can be derived from objective information over the successful conduct of activities, the efficient and effective design and operation of internal control, compliance with internal and external requirements, and the production of insightful and credible information to support decision-making. Confidence diminishes when there are uncertainties around the integrity of information or of underlying processes.

15. Annex 6: References

  1. BS ISO 31000:2018(E) – Risk management – Guidelines

  2. Corporate governance code for central government departments

  3. Managing Public Money – Section 4 Governance and management

  4. Managing Public Money – Annex 4.3 Risk

  5. Budget 2018: 2.18 The Balance Sheet Review and Getting smart about intellectual property and intangible assets

  6. Central Government Guidance on Appraisal and Evaluation – The Green Book

  7. The Futures Toolkit provides guidance on horizon scanning and outlines how scenarios can be used to further investigate emerging risks

  8. The National Security Risk Assessment (NSRA) is the Government’s principal tool for identifying and assessing risks to the UK over the medium term. It is owned by the Resilience Directorate in the Economic and Domestic Secretariat of the Cabinet Office.

  9. The Principles of Managing Risks to the Public

  10. ISO 31010:2009 is a supporting standard for BS ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment

  11. Guidance on producing quality analysis for government – The Aqua Book

  12. The Outsourcing Playbook – Central Government Guidance on Outsourcing Decisions and Contracting

  13. Guidance for evaluation – The Magenta Book

  14. HMT Assurance Frameworks 2012

  15. HM Treasury Audit and Risk Assurance Committee Handbook, March 2016

  16. Public Sector Internal Audit Standards

  17. International Standards on Auditing – ISA 315 and 610