Appendix C Summary: Risk Management

a. Background:
Police Scotland and the SPA have separate but aligned risk management frameworks. These follow guidance from other Forces’, Audit Scotland risk documents and the Orange Book.

b. Internal Audit Findings:
BDO was able to provide moderate assurance over the design and the operational effectiveness of controls in place.

The audit identified areas of improvement to assist Police Scotland, SPA Corporate, and SPA Forensic Services to further improve in relation to the risk management arrangements in place. The key finding relates to enhancements to the recording and assessment of the controls in place to mitigate risk. Further opportunities for improvement were identified in relation to introducing risk deep dives, the quality of risk register information, regular risk management training within SPA Corporate and SPA Forensics Services and linking cover papers to strategic risks.

The audit also found that some controls surrounding the risk management processes are well-designed and operate effectively. There are clear steps and processes in place to identify, manage and control risks. Risk appetite levels are in place and are reviewed at least annually to ensure their appropriateness within the organisation. There is also a comprehensive set of committees in place to govern the risk management work taking place.

c. Summary of Findings of the Report:
SUMMARY OF FINDINGS/AGREED ACTIONS
High 0/0
Medium 1/3
Low 4/6
TOTA: 5/9

d. SPA Considerations:
Robust and effective risk management is key to supporting successful delivery of organisational objectives. While the overall report findings are positive, we welcome the assurance gained and opportunity to address the recommendations.