Risk Register & Risk Treatment Plan - ISO Consultant In .


DOCUMENT CONTROL: Reference Risk Treatment Plan. Version Feb 2015 Version 1.0. Issue Date: 09/03/2015. Classification: Public

Risk Register & Risk Treatment Plan
Marc Seale, Chief Executive & Registrar
Report to Audit Committee (Feb 2015)
Enc 03a - Risk Register

Jan 2015 Risk Assessment

Contents
Contents page
Top 10 HCPC risks
Changes since last published
Strategic risks
Operations risks
Communications risks
Corporate Governance risks
Information Technology risks
Partner risks
Education risks
Project Management risks
Quality Management risks
Registration risks
HR risks
Legal risks
Fitness to Practise risks
Policy & Standards risks
Finance risks
Pensions risks
Information Security risks
Appendix i Glossary and Abbreviations
Appendix ii HCPC Risk Matrix
HCPC Risk Matrix terms detail
Appendix iii HCPC Strategic Objectives & Risk Appetite
Appendix iv HCPC Assurance Mapping

THE HEALTH AND CARE PROFESSIONS COUNCIL
"Top 10" Risks (High & Medium after mitigation)

Columns: Ref; Description; Risk owner (primary person responsible for assessing and managing the ongoing risk); Sept 2014 Risk; Mitigation I; Mitigation II; Mitigation III; Historic Risk Scores (Feb 2014 Risk, Sept 2013 Risk, Feb 2013 Risk, Feb 2012 Risk, Sept 2012 Risk); CURRENT RISK

15.23 PSA full cost recovery model places significant financial pressure on HCPC from August 2015 onwards (pre-mit 20)
Risk owner: Chief Executive & Finance Director
Mitigation I: Consider increase in fees
Mitigation II: Legislative and operational adjustments

2.7 Interruption to electricity supply (pre-mit 16) - ISMS RISK
Risk owner: Facilities Manager
Mitigation I: Relocate to other buildings on site
Mitigation II: If site wide longer than 24 hours invoke DR Plan

13.3 Tribunal exceptional costs (pre-mit 25)
Risk owner: FTP Director
Mitigation I: Quality of operational processes
Mitigation II: Accurate and realistic forecasting

1.5 Loss of reputation (pre-mit 20)
Risk owner: Chief Executive
Mitigation I: Quality of governance procedures
Mitigation II: Quality of operational procedures

2.11 Basement flooding (pre-mit 16)
Risk owner: Facilities Manager
Mitigation I: Flood barrier protection to prevent ingress

13.4 Rapid increase in number of allegations and resultant legal costs (pre-mit 16)
Risk owner: FTP Director
Mitigation I: Accurate and realistic budgeting

12.1 Judicial review of HCPC's implementation of HSWPO including Rules, Standards & Guidance (pre-mit 15)
Risk owner: Chief Executive
Mitigation I: Consultation. Stds determined by PLG's. Agreement by Council.
Mitigation II: Appropriate legal advice sought

- Resource planning

Mitigation III; Feb 2014 Risk; Sept 2013 Risk; Feb 2013 Risk; Historic Risk Scores; Feb 2012 Risk; Sept 2012 Risk; CURRENT RISK: kISMS ghHigh Quality of legal ghHigh Dynamism and quality of Comms iumMediumMediumMedium -

Risks listed in order of CURRENT RISK SCORE, then PRE MITIGATION SCORE

Changes since the previous iteration of HCPC's Risk Register

Columns: Category; Ref #; Description; Nature of change in this version

All; All; Update all dates to latest iteration of risk register
Project Management; 8.2; Failure to regulate new profession; update likelihood
Project Management; 8.13; Failure to build a system to the Education Depts requirements; update likelihood
Project Management; 8.14; Failure to deliver a system to the HR & Partners Depts requirements; update likelihood
Project Management; 8.19; Failure to build a system to the Registration Depts requirements; New project
Project Management; 8.20; Failure to successfully replace the Lotus Notes system with Microsoft Outlook; New project
Finance; 15.23; PSA fees to commence August 2015; Description updated following DH announcement
Information Security; 17.1-6; Update descriptive wording of individual risks
Information Security; 17.8; Failure to maintain accurate risk assessments; from ISO27001 process
Add Risk Appetite to Strategic Objectives page

Overview of Risk Management and Risk Treatment process

Throughout the year existing risks are continually monitored and assessed by Risk Owners against Likelihood, and Impact on HCPC, the effectiveness of mitigations and the levels of residual risk.

Future risks are also documented, evaluated and monitored against the same criteria.

Every six months these changes and additions to risks are updated in the risk register and formally documented by the Director of Operations or Head of Business Process Improvement, and the Top Ten Risks (High & Medium only after mitigation) are recorded.

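THE HEALTH AND CARE PROFESSIONS COUNCIL
RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015
Strategic

Columns: Ref (1); Category (Strategic); ISMS Risks (I); Ref #; Description; Risk owner (primary person responsible for assessing and managing the ongoing risk); Impact before mitigations Jan 2015; Likelihood before mitigations Jan 2015; Risk Score = Impact x Likelihood; Mitigation I; Mitigation II; Mitigation III; RISK score after Mitigation Jan 2015; RISK score after Mitigation Jul 2014

1.1 HCPC fails to deliver SI Sec 6.2 & Health Bill
Risk owner: Council
Before mitigations: impact 5, likelihood 1, risk score 5
Mitigation I: Delivery of HCPC Strategy
Mitigation II: Publication of Annual Report
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

1.2 (I) Unexpected change in UK legislation. Links to 2.2, 15.14
Risk owner: Chief Executive
Before mitigations: impact 5, likelihood 2, risk score 10
Mitigation I: Relationship with Government depts
Mitigation II: Environmental scanning
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

1.3 (I) Incompatible SI Sec 6.2 & Health Bill and EU legislation
Risk owner: Chief Executive
Before mitigations: impact 1, likelihood 3, risk score 3
Mitigation I: Monitoring of EU directives e.g. Professional Qualifications Directive
Mitigation II: Membership of Alliance of UK Health Regulators on Europe (lobby group)
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

1.4 Failure to maintain a relationship with PSA (formerly CHRE)
Risk owner: Chief Executive & Chair
Before mitigations: impact 5, likelihood 1, risk score 5
Mitigation I: HCPC Chair and Chief Executive relationship with PSA
Mitigation II: Communications
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

1.5 Loss of reputation
Risk owner: Chief Executive & Chair
Before mitigations: impact 5, likelihood 4, risk score 20
Mitigation I: Quality of governance procedures
Mitigation II: Quality of operational procedures
Mitigation III: Dynamism and quality of Comms strategy
Risk score after mitigation: Jan 2015 Medium; Jul 2014 Medium

1.6 Failure to abide by current Equality & Diversity legislation
Risk owner: Chief Executive
Before mitigations: impact 4, likelihood 2, risk score 8
Mitigation I: Equality & Diversity scheme
Mitigation II: Implementation of scheme for employees. Implementation of scheme for partners
Mitigation III: Equality & Diversity working group
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

1.7 Failure to maintain HCPC culture
Risk owner: Chief Executive
Before mitigations: impact 5, likelihood 2, risk score 10
Mitigation I: Behaviour of all employees
Mitigation II: Induction of new employees
Mitigation III: Internal communication
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low
Links to 7.1-7.4, 18.1, 8.1-8.3, 10.4, 10.5, 11.4, 15.9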

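RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015
Operations

2.1 Inability to occupy premises or use interior equipment
Risk owner: Facilities Manager
Before mitigations: impact 4, likelihood 2, risk score 8
Mitigation I: Invoke Disaster Recovery/Business Continuity plan
Mitigation II: Commercial combined insurance cover (fire, contents, terrorism etc)
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

2.2 Rapid increase in registrant numbers. Links to 1.2, 13.4
Risk owner: Chief Executive and EMT
Before mitigations: impact 3, likelihood 5, risk score 15
Mitigation I: Scaleable business processes and scalable IT systems to support them
Mitigation II: Influence the rate at which new professions are regulated
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

2.3 Unacceptable service standards. Links to 9.1, 10.4
Risk owner: Director of Operations
Before mitigations: impact 5, likelihood 4, risk score 20
Mitigation I: ISO 9001 Registration, process maps, well documented procedures & BSI audits
Mitigation II: Hire temporary employees to clear service backlogs
Mitigation III: Detailed workforce plan to match workload.
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

2.4 Inability to communicate via postal services (e.g. Postal strikes)
Risk owner: Facilities Manager
Before mitigations: impact 3, likelihood 3, risk score 9
Mitigation I: Use of other media including Website, newsletter & email and courier services
Mitigation II: Invoke Disaster Recovery Plan
Risk score after mitigation: Jan 2015 Medium; Jul 2014 Medium

2.5 Public transport disruption leading to inability to use Park House
Risk owner: Facilities Manager & Head Bus Proc
Before mitigations: impact 4, likelihood 5, risk score 20
Mitigation I: Contact employees via Disaster Recovery Plan process
Mitigation II: Make arrangements for employees to work at home if possible
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

Inability to accommodate HCPC employees. Links to 5.2
Risk owner: Facilities Manager
Before mitigations: impact 4, likelihood 3, risk score 12
Mitigation I: Ongoing Space planning
Mitigation II: Additional premises purchase or rented
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

Interruption to electricity supply
Risk owner: Facilities Manager
Before mitigations: impact 4, likelihood 4, risk score 16
Mitigation I: Relocate to other buildings on site
Mitigation II: If site wide longer than 24 hours invoke DR Plan
Mitigation III: -
Risk score after mitigation: Jan 2015 High; Jul 2014 High

Interruption to gas supply
Risk owner: Facilities Manager
Before mitigations: impact 1, likelihood 2, risk score 2
Mitigation I: Temporary heaters to impacted areas
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

Interruption to water supply
Risk owner: Facilities Manager
Before mitigations: impact 2, likelihood 2, risk score 4
Mitigation I: Temporarily reduce headcount to align with legislation
Mitigation II: Invoke DR plan if over 24 hrs
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

Reduce ollection of 80% incomefees by erations

2.10 (I) Telephone system failure causing protracted service outage
Risk owner: Director of IT
Before mitigations: impact 4, likelihood 3, risk score 12
Mitigation I: Support and maintenance contract for hardware and software of the ACD and PABX
Mitigation II: Backup of the configuration for both the ACD and PABX
Mitigation III: Diverse routing for the physical telephone lines from the two exchanges with different media types
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

2.11 Basement flooding
Risk owner: Facilities Manager
Before mitigations: impact 4, likelihood 4, risk score 16
Mitigation I: Flood barrier protection to prevent ingress
Mitigation II: -
Risk score after mitigation: Jan 2015 Medium; Jul 2014 Medium

2.12 Significant disruption to UK transport network by environmental extremes e.g. snow, rain, ash; civil unrest or industrial action; disrupts planned external activities
Risk owner: Director of Operations & Head Bus Proc
Before mitigations: impact 3, likelihood 2, risk score 6
Mitigation I: Use of alternate networks
Mitigation II: Use of video or teleconferencing facility to achieve quorum
Mitigation III: Invoke Disaster Recovery/Business Continuity plan
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

2.14 (formerly 11.5) Health & Safety of employees. Links to 4.9, 6.3
Risk owner: Chief Executive & Facilities Manager
Before mitigations: impact 5, likelihood 4, risk score 20
Mitigation I: Health & Safety Training, policies and procedures
Mitigation II: H&S Assessments
Mitigation III: Personal Injury & Travel insurance
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low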

RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015
Operations

2.15 Expenses abuse by Partners not prevented
Risk owner: Director of FTP, Director of Education, Head of Registration, Partner Manager
Before mitigations: impact 1, likelihood 2, risk score 2
Mitigation I: Clear and appropriate Partner Expenses policy
Mitigation II: Sign off by "user" departments
Mitigation III: Planned travel supplier only policy in near future
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015
Communications

3.1 Failure to inform public Article 3(13)
Risk owner: Director of Comms
Before mitigations: impact 5, likelihood 1, risk score 5
Mitigation I: Delivery of communications strategy.
Mitigation II: Delivery of aspects of communications workplan, specifically public information campaigns, multi media advertising, distribution of public information materials, and web.
Mitigation III: -
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

3.2 Loss of support from Key Stakeholders including professional bodies, employers or government. Links to 1.5
Risk owner: Director of Comms
Before mitigations: impact 5, likelihood 3, risk score 15
Mitigation I: Delivery of communications strategy, supporting the HCPC strategy
Mitigation II: Delivery of aspects of communications work plan, specifically
Mitigation III: Quality of Operational procedures

3.3 Inability to inform stakeholders following crisis
Risk owner: Director of Comms
Before mitigations: impact 4, likelihood 1, risk score 4
Mitigation I: Invoke Disaster Recovery Plan
Mitigation II: Up to date Comms DR plan available

3.4 Failure to inform Registrants Article 3 (13)
Risk owner: Director of Comms
Before mitigations: impact 5, likelihood 1, risk score 5
Mitigation I: Delivery of communications strategy
Mitigation II: Delivery of aspects of communications workplan, specifically, Meet the HCPC events, campaigns, Registrant Newsletter, Professional media and conference attendance. Publications and web.
Mitigation III: Quality of Operational procedures
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

3.5 Publication of material not approved for release
Risk owner: Director of Comms
Before mitigations: impact 4, likelihood 2, risk score 8
Mitigation I: Delivery of communications plan
Mitigation II: Adherence to operational plans (Social Media planner)
Risk score after mitigation: Jan 2015 Low; Jul 2014 Low

RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015
Corporate Governance

Columns: Ref (4); Category; ISMS Risks; Ref #; Description; Risk owner (primary person responsible for assessing and managing the ongoing risk); RISK score after Mitigation Jan 2015; RISK score after Mitigation Jul 2014

Council inability to make decisions. Links to 4.4
Risk owner: Director of Council & Committee Services, & Chair

Attendance by external professionals as required; Low; Low
Disclosure of members' interests to the Secretariat and ongoing Council & committee agenda item; Annual reminder to update Register of Interests; Member induction and training; Low; Low
Well-researched & drafted decision papers, Clear lines of accountability and scheme of delegation; Chair's involvement in the induction and relevant training of members; Attendance by external professionals, as required.; Low; Low
Clear communication of expectations of Council members' duties upfront; Adequate processes notifying Council & committee members of forthcoming meetings prior to meeting including confirmation of attendance; Low; Low
Appointment against competencies; Annual appraisal of Council members; Low; Low
5; Appointment against competencies; Power to remove the Chair under Sch 1, Article 12(1) C of the HSWPO 2001; -; LowL

File Size: 704KB. Page Count: 28