DOCUMENT CONTROL: Reference Risk Treatment Plan. Version Feb 2015 Version 1.0
Issue Date: 09/03/2015 Classification: Public

Risk Register & Risk Treatment Plan


Marc Seale, Chief Executive & Registrar
Report to Audit Committee, (Feb 2015)

Enc 03a - Risk Register Cover



Jan 2015 Risk Assessment

Contents Page
Contents page 4
Top 10 HCPC risks 5
Changes since last published 6
Strategic risks 7
Operations risks 8
Communications risks 10
Corporate Governance risks 11
Information Technology risks 12
Partner risks 13
Education risks 14
Project Management risks 15
Quality Management risks 16
Registration risks 17
HR risks 18
Legal risks 19
Fitness to Practise risks 20
Policy & Standards risks 21
Finance risks 22
Pensions risks 24
Information Security risks 25
Appendix i Glossary and Abbreviations 26
Appendix ii HCPC Risk Matrix 27
HCPC Risk Matrix terms detail 28
Appendix iii HCPC Strategic Objectives & Risk Appetite 29
Appendix iv HCPC Assurance Mapping 30


THE HEALTH AND CARE PROFESSIONS COUNCIL

"Top 10" Risks (High & Medium after mitigation)

Ref # | Description (pre-mitigation score) | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Mitigation I | Mitigation II | Mitigation III | Current risk score, followed by historic risk scores (most recent first: Sept 2014, Feb 2014, Sept 2013, Feb 2013, Sept 2012, Feb 2012, July 2011, Feb 2011, Sept 2010, Feb 2010, where recorded)
15.23 | PSA full cost recovery model places significant financial pressure on HCPC from August 2015 onwards (pre-mit 20) | Chief Executive & Finance Director | Consider increase in fees | Legislative and operational adjustments | - | High, High, High, Low
2.7 (ISMS risk) | Interruption to electricity supply (pre-mit 16) | Facilities Manager | Relocate to other buildings on site | If site wide longer than 24 hours invoke DR Plan | - | High, High, High, High, High, High, High, High, High, High
13.3 | Tribunal exceptional costs (pre-mit 25) | FTP Director | Quality of operational processes | Quality of legal advice | Accurate and realistic forecasting | Medium, Medium, Medium, Medium, Medium, High, High, High, High, High
1.5 | Loss of reputation (pre-mit 20) | Chief Executive | Quality of governance procedures | Quality of operational procedures | Dynamism and quality of Comms strategy | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium
2.11 | Basement flooding (pre-mit 16) | Facilities Manager | Flood barrier protection to prevent ingress | - | - | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium
13.4 | Rapid increase in number of allegations and resultant legal costs (pre-mit 16) | FTP Director | Accurate and realistic budgeting | Resource planning | - | Medium, Medium, Medium, Medium, Medium
12.1 | Judicial review of HCPC's implementation of HSWPO including Rules, Standards & Guidance (pre-mit 15) | Chief Executive | Consultation. Standards determined by PLGs. Agreement by Council. | Appropriate legal advice sought | - | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium

Risks listed in order of CURRENT RISK SCORE, then PRE-MITIGATION SCORE

Changes since the previous iteration of HCPC's Risk Register

Category | Ref # | Description | Nature of change in this version
All | All | | Update all dates to latest iteration of risk register
Project Management | 8.2 | Failure to regulate new profession | Update likelihood
Project Management | 8.13 | Failure to build a system to the Education Department's requirements | Update likelihood
Project Management | 8.14 | Failure to deliver a system to the HR & Partners Departments' requirements | Update likelihood
Project Management | 8.19 | Failure to build a system to the Registration Department's requirements | New project
Project Management | 8.20 | Failure to successfully replace the Lotus Notes system with Microsoft Outlook | New project
Finance | 15.23 | PSA fees to commence August 2015 | Description updated following DH announcement
Information Security | 17.1-6 | | Update descriptive wording of individual risks
Information Security | 17.8 | Failure to maintain accurate risk assessments from ISO 27001 process |
| | | Add Risk Appetite to Strategic Objectives page

Overview of Risk Management and Risk Treatment process

Throughout the year existing risks are continually monitored and assessed by Risk Owners against Likelihood and Impact on HCPC, the effectiveness of mitigations and the levels of residual risk.

Future risks are also documented, evaluated and monitored against the same criteria.

Every six months these changes and additions to risks are updated in the risk register and formally documented by the Director of Operations or Head of Business Process Improvement, and the Top Ten Risks (High & Medium only after mitigation) are recorded.


THE HEALTH AND CARE PROFESSIONS COUNCIL

RISK ASSESSMENT & RISK TREATMENT PLAN Jan 2015

Strategic

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
1.1 | HCPC fails to deliver SI Sec 6.2 & Health Bill (Links to 7.1-7.4, 18.1, 8.1-8.3, 10.4, 10.5, 11.4, 15.9) | Council | 5 | 1 | 5 | Delivery of HCPC Strategy | Publication of Annual Report | - | Low | Low
1.2 | Unexpected change in UK legislation (Links to 2.2, 15.14) | Chief Executive | 5 | 2 | 10 | Relationship with Government depts | Environmental scanning | - | Low | Low
1.3 (ISMS) | Incompatible SI Sec 6.2 & Health Bill and EU legislation | Chief Executive | 1 | 3 | 3 | Monitoring of EU directives e.g. Professional Qualifications Directive | Membership of Alliance of UK Health Regulators on Europe (lobby group) | - | Low | Low
1.4 | Failure to maintain a relationship with PSA (formerly CHRE) | Chief Executive & Chair | 5 | 1 | 5 | HCPC Chair and Chief Executive relationship with PSA | Communications | - | Low | Low
1.5 (ISMS) | Loss of reputation | Chief Executive & Chair | 5 | 4 | 20 | Quality of governance procedures | Quality of operational procedures | Dynamism and quality of Comms strategy | Medium | Medium
1.6 | Failure to abide by current Equality & Diversity legislation | Chief Executive | 4 | 2 | 8 | Equality & Diversity scheme; Equality & Diversity working group | Implementation of scheme for employees | Implementation of scheme for partners | Low | Low
1.7 | Failure to maintain HCPC culture | Chief Executive | 5 | 2 | 10 | Behaviour of all employees | Induction of new employees | Internal communication | Low | Low


Operations

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
2.1 (ISMS) | Inability to occupy premises or use interior equipment | Facilities Manager | 4 | 2 | 8 | Invoke Disaster Recovery/Business Continuity plan | Commercial combined insurance cover (fire, contents, terrorism etc) | - | Low | Low
2.2 | Rapid increase in registrant numbers (Links to 1.2, 13.4) | Chief Executive and EMT | 3 | 5 | 15 | Scalable business processes and scalable IT systems to support them | Influence the rate at which new professions are regulated | - | Low | Low
2.3 | Unacceptable service standards (Links to 9.1, 10.4) | Director of Operations | 5 | 4 | 20 | ISO 9001 Registration, process maps, well documented procedures & BSI audits | Hire temporary employees to clear service backlogs | Detailed workforce plan to match workload | Low | Low
2.4 | Inability to communicate via postal services (e.g. postal strikes) | Facilities Manager | 3 | 3 | 9 | Use of other media including website, newsletter & email and courier services | Invoke Disaster Recovery Plan | Collection of >80% income fees by DD | Medium | Medium
2.5 | Public transport disruption leading to inability to use Park House | Facilities Manager & Head Bus Proc | 4 | 5 | 20 | Contact employees via Disaster Recovery Plan process | Make arrangements for employees to work at home if possible | - | Low | Low
2.6 (ISMS) | Inability to accommodate HCPC employees (Links to 5.2) | Facilities Manager | 4 | 3 | 12 | Ongoing space planning | Additional premises purchased or rented | - | Low | Low
2.7 (ISMS) | Interruption to electricity supply | Facilities Manager | 4 | 4 | 16 | Relocate to other buildings on site | If site wide longer than 24 hours invoke DR Plan | - | High | High
2.8 | Interruption to gas supply | Facilities Manager | 1 | 2 | 2 | Temporary heaters to impacted areas | | | Low | Low
2.9 | Interruption to water supply | Facilities Manager | 2 | 2 | 4 | Reduce consumption | Temporarily reduce headcount to align with legislation | Invoke DR plan if over 24 hrs | Low | Low
2.10 | Telephone system failure causing protracted service outage | Director of IT | 4 | 3 | 12 | Support and maintenance contract for hardware and software of the ACD and PABX | Backup of the configuration for both the ACD and PABX | Diverse routing for the physical telephone lines from the two exchanges with different media types | Low | Low
2.11 (ISMS) | Basement flooding | Facilities Manager | 4 | 4 | 16 | Flood barrier protection to prevent ingress | - | - | Medium | Medium
2.12 | Significant disruption to UK transport network by environmental extremes (e.g. snow, rain, ash), civil unrest or industrial action disrupts planned external activities | Director of Operations & Head Bus Proc | 3 | 2 | 6 | Use of video or teleconferencing facility to achieve quorum | Use of alternate networks | Invoke Disaster Recovery/Business Continuity plan | Low | Low
2.14 (formerly 11.5) | Health & Safety of employees (Links to 4.9, 6.3) | Chief Executive & Facilities Manager | 5 | 4 | 20 | Health & Safety training, policies and procedures | H&S assessments | Personal Injury & Travel insurance | Low | Low

2.15 | Expenses abuse by Partners not prevented | Director of FTP, Director of Education, Head of Registration, Partner Manager | 1 | 2 | 2 | Clear and appropriate Partner Expenses policy | Sign off by "user" departments | Planned travel supplier only policy in near future | Low | Low


Communications

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
3.1 | Failure to inform public, Article 3 (13) | Director of Comms | 5 | 1 | 5 | Delivery of communications strategy | Delivery of aspects of communications workplan, specifically public information campaigns, multi media advertising, distribution of public information materials, and web | - | Low | Low
3.2 | Loss of support from key stakeholders including professional bodies, employers or government (Links to 1.5) | Director of Comms | 5 | 3 | 15 | Delivery of communications strategy, supporting the HCPC strategy | Delivery of aspects of communications work plan, specifically stakeholder activities | Quality of operational procedures | Low | Low
3.3 | Inability to inform stakeholders following crisis | Director of Comms | 4 | 1 | 4 | Invoke Disaster Recovery Plan | Up to date Comms DR plan available | - | Low | Low
3.4 | Failure to inform Registrants, Article 3 (13) | Director of Comms | 5 | 1 | 5 | Delivery of communications strategy | Delivery of aspects of communications workplan, specifically Meet the HCPC events, campaigns, Registrant Newsletter, professional media and conference attendance, publications and web | Quality of operational procedures | Low | Low
3.5 | Publication of material not approved for release | Director of Comms | 4 | 2 | 8 | Delivery of communications plan | Adherence to operational plans (Social Media planner) | - | Low | Low


Corporate Governance

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
4.1 | Council inability to make decisions (Links to 4.4) | Director of Council & Committee Services, & Chair | 3 | 1 | 3 | Well researched and drafted decision papers | Regular meetings, agendas and clear lines of accountability between Council and committees | Attendance by external professionals at meetings as required | Low | Low
4.2 | Council members' conflict of interest | Chair | 4 | 4 | 16 | Disclosure of members' interests to the Secretariat and ongoing Council & committee agenda item | Annual reminder to update Register of Interests | Member induction and training | Low | Low
4.3 | Poor decision-making, e.g. conflicting advice or conflicting advice and decisions | Chair | 4 | 1 | 4 | Well-researched & drafted decision papers, clear lines of accountability and scheme of delegation | Chair's involvement in the induction and relevant training of members | Attendance by external professionals as required | Low | Low
4.4 | Failure to meet Council/Committee quorums / failure to make quorate decisions (Links to 4.1) | Director of Council & Committee Services | 4 | 3 | 12 | Clear communication of expectations of Council members' duties upfront | Adequate processes notifying Council & committee members of forthcoming meetings prior to meeting, including confirmation of attendance | | Low | Low
4.5 | Members' poor performance | Chair | 4 | 1 | 4 | Appointment against competencies | Annual appraisal of Council members | Removal under Sch 1, Para 9(1)(f) of the HSWPO 2001 | Low | Low
4.6 | Poor performance by the Chair | Council | 5 | 1 | 5 | Appointment against competencies | Power to remove the Chair under Sch 1, Article 12(1) C of the HSWPO 2001 | - | Low | Low
4.7 | Poor performance by Chief Executive | Chair | 5 | 1 | 5 | Performance reviews and regular "one to ones" with the Chair | Contract of Employment | - | Low | Low
4.8 | Improper financial incentives offered to Council members/employees | Chair and Chief Executive | 4 | 2 | 8 | Gifts & Inducements policy | Council member code of conduct | Induction training re: adherence to Nolan principles & Bribery Act 2010 | Low | Low
4.9 | Failure to ensure the Health & Safety of Council Members ? Should this be HCPC wide? (Links to 6.3, 11.5) | Director of Council & Committee Services, Facilities Manager & Finance Director | 4 | 2 | 8 | Safety briefing at start of each Council or Committee meeting | H&S information on Council Extranet | Personal Injury and Travel insurance | Low | Low
4.10 | Member recruitment problem (with the requisite skills) (Links to 6.1, 11.13) | Chair | 4 | 2 | 8 | Maintenance of a detailed role description for these positional applicants on to HCPC or its committees | Use of skills matrix in recruitment exercise | Induction of panel members | Low | Low
4.11 | Expense claim abuse by members | Director of Council & Committee Services | 4 | 2 | 8 | Members Code of Conduct (public office) | Clear and comprehensive Council agreed policies posted on the Council member Extranet and made clear during induction | Budget holder review and authorisation procedures | Low | Low
4.12 | Operationalise Section 60 legislation | Council | 5 | 2 | 10 | Scheme of delegation | MIS | EMT & CDT | Low | Low
4.13 | Failure to comply with DPA 1998 or FOIA 2000, leading to ICO action | Director of Council & Committee Services | 3 | 3 | 9 | Legal advice | Clear ISO processes | Department training | Low | Low
4.15 (ISMS) | Failure to adhere to the requirements of the Bribery Act 2010 | Chair, & Director of Council & Committee Services | 4 | 2 | 8 | Suite of policies and processes related to the Bribery Act | Oversight of HCPC processes that could be vulnerable to bribery, by EMT and Internal Audit | Compliant processes designed for HCPC as a matter of course | Low | Low
4.16 | PSA fails to recommend appointment of Council members to the Privy Council | Director of Council & Committee Services | 1 | 5 | 5 | Sign off of high level process by Council | PSA comments on advance notice of intent acted on appropriately | PSA informed of any deviations from agreed process at earliest opportunity | Low | Low
4.17 | Failure to meet requirements of the constitution order | Director of Council & Committee Services | 3 | 1 | 3 | Scrutiny of advance notice of intent | Targeted advertising strategy | - | Low | Low


Information Technology

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
5.1 (ISMS) | Software virus damage (Links to 2.3, 10.2) | Director of IT | 4 | 5 | 20 | Adherence to IT policy, procedures and training | Anti-virus software deployed at several key points. Application of security patches in a timely manner | Regular externally run security penetration tests | Low | Low
5.2 (ISMS) | Technology obsolescence (hardware/software) (Links to 2.6, 10.2) | Director of IT | 2 | 2 | 4 | Delivery of the IT strategy including the refresh of technology | Employ small core of mainstream technology with recognised support and maintenance agreements | Accurately record technology assets | Low | Low
5.3 (ISMS) | Fraud committed through IT services (Links to 10.2 and 17.1) | Director of IT | 3 | 3 | 9 | Appropriate and proportionate access restrictions to business data. System audit trails | Regular, enforced strong password changes | Regular externally run security tests | Low | Low
5.4 (ISMS) | Failure of IT continuity provision | Director of IT | 4 | 3 | 12 | Annual IT continuity tests | IT continuity plan is reviewed when a service changes or a new service is added | Appropriate and proportionate technical solutions are employed. IT technical staff appropriately trained | Low | Low
5.5 (ISMS) | Malicious damage from unauthorised access | Director of IT | 4 | 5 | 20 | Security is designed into the IT architecture, using external expert consultancy where necessary | Regular externally run security penetration tests | Periodic and systematic proactive security reviews of the infrastructure. Application of security patches in a timely manner. Physical access to the IT infrastructure restricted and controlled | Low | Low
5.6 (ISMS) | Data service disruption (via utility action) | Director of IT | 5 | 1 | 5 | Redundant services | Diverse routing of services where possible | Appropriate service levels with utility providers and IT continuity plan | Low | Low


Partners

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
6.1 | Inability to recruit and retain suitable Partners (Links to 4.10, 11.3, 7.3, 18.1) | Partner Manager | 3 | 3 | 9 | Targeted recruitment strategy | Appropriate fees for partner services and reimbursement of expenses | Efficient and effective support and communication from the Partner team | Low | Low
6.2 | Incorrect interpretation of law and/or SIs resulting in PSAHSE review | Director of FTP, Director of Education, Head of Registration, Partner Manager | 2 | 4 | 8 | Training | Legal advice | Regular appraisal system | Low | Low
6.3 | Health & Safety of Partners (Links to 4.9, 11.5) | Partner Manager | 3 | 2 | 6 | H&S briefing at start of any HCPC sponsored event | Liability insurance | - | Low | Low
6.4 | Partners' poor performance | Director of FTP, Director of Education, Head of Registration, Partner Manager | 4 | 3 | 12 | Regular training | Regular appraisal system | Partner Complaints Process & Partner Code of Conduct | Low | Low
6.5 | Incorrect interpretation of HSWPO in use of Partners | Director of FTP, Director of Education, Head of Registration, Partner Manager | 3 | 2 | 6 | Correct selection process and use of qualified partners | Daily email notification of partner registrant lapse | - | Low | Low
6.6 | Adequate number and type of partner roles | Partner Manager, Director of FTP, Director of Education, Head of Registration | 3 | 2 | 6 | Regular review of availability of existing pool of partners to ensure requirements are met | Annual forecasting of future partner requirements to ensure that they are budgeted for | Staggered partner agreements across professions for Panel Member and Panel Chair to ensure adequate supply in line with the eight year rule | Low | Low
6.7 | User departments using non-active partners | Partner Manager, Director of FTP, Director of Education, Head of Registration | 3 | 3 | 9 | Notification of partner resignations to user departments | Current partner lists available to user departments on shared drive | - | Low | Low
6.8 | Expense claim abuse by Partners | Partner Manager, Director of FTP, Director of Education, Head of Registration | 2 | 2 | 4 | Budget holder review and authorisation process | Comprehensive Partner agreement | Challenge of non-standard items by Finance department and Partner department | Low | Low


Education

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
7.1 | Failure to detect low education provider standards (Links to 1.1, 4.3, 6.4) | Director of Education | 4 | 2 | 8 | Operational processes (approval, monitoring and complaints about an approved programme) | Regular training of employees and visitors | Memorandums of understanding with other regulators (e.g. CQC and Care Councils) | Low | Low
7.2 | Education providers refusing visits or not submitting data (Links to 1.1) | Director of Education | 3 | 2 | 6 | Legal powers (HSWPO 2001) | Delivery of Education Dept supporting activities as documented in regular work plan | - | Low | Low
7.3 | Inability to conduct visits and monitoring tasks (Links to 1.1, 6.1, 11.2 & 11.3) | Director of Education | 4 | 2 | 8 | Adequate resourcing, training and visit scheduling | Approvals & monitoring processes | Temporary staff hire to backfill or clear work backlogs | Low | Low
7.4 | Loss of support from education providers (Links to 1.1, 14.2) | Chief Executive or Director of Education | 5 | 2 | 10 | Delivery of Education strategy as documented in regular work plan | Partnerships with Visitors and professional groups | Publications, newsletters, website content, inclusion in consultations and relevant PLGs, consultations with education providers | Low | Low
7.5 (ISMS) | Education database failure | Director of IT | 3 | 2 | 6 | Effective backup and recovery processes | In house and third party skills to support system | Included in future DR/BC tests | Low | Low
7.6 | Loss or significant change to funding, commissioning and placement opportunities for approved programmes | Director of Education | 3 | 2 | 6 | Operational processes (approval, monitoring and complaints about an approved programme) | Partnerships with Visitors and professional groups | Regular training of employees and visitors | Low | Low


Project Management

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
8.1 | Fee change processes not operational by required date (Links to 1.1, 15.3) | Director of Finance, Project Portfolio Manager | 3 | 3 | 9 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | - | Low | Low
8.2 | Failure to regulate a new profession or a post-registration qualification as stipulated by legislation (Links to 1.1, 15.3) | Project Lead, Project Portfolio Manager | 5 | 2 | 10 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Assess lessons to be learned from previous projects | Low | Low
8.13 | Failure to build a system to the Education department's requirements | Director of Education, Project Portfolio Manager | 3 | 4 | 12 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Ensure robust testing including load | Low | Low
8.14 | Failure to deliver a system to the HR & Partners departments' requirements | Director of HR, Project Portfolio Manager | 3 | 4 | 12 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Project Initiation stage to pay particular attention to project scope and breadth/reach of project | Low | Low
8.17 (ISMS) | Organisation wide resourcing may impact project delivery | EMT & Project Portfolio Manager | 3 | 4 | 12 | Manage resources accordingly | Accept changes to planned delivery | | Med | Med
8.18 | Registration processes review project | Director of Operations & Project Portfolio Manager | 3 | 3 | 9 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Assess lessons to be learned from previous projects | Low | Low


Quality Management

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
9.1 | Loss of ISO 9001:2008 certification (Links to 2.3, 10.3) | Director of Operations, Head of Business Improvement | 4 | 3 | 12 | Regular & internal audits | QMS standards applied across HCPC | Management buy-in | Low | Low
9.2 (ISMS) | Employees' non-compliance with established Standard Operating Procedures | EMT | 5 | 2 | 10 | Culture: follow procedures and report errors | Standard Operating Procedures and prevention of overwriting systems | Extend ISO systems as required | Low | Low


Registrations

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigations Jan 2015 | Likelihood before mitigations Jan 2015 | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation Jan 2015 | Risk score after mitigation Jul 2014
10.1 | Customer service failures (Links to 11.1, 11.2) | Director of Operations, Head of Registration | 5 | 4 | 20 | Accurate staffing level forecasts | Adequate staff resourcing & training | Supporting automation infrastructure, e.g. call centre systems, NetRegulate system enhancements, registration re-structure | Low | Low
10.2 | Protracted service outage following a NetRegulate registration system failure (Links to 5.1-5.3 and 17.1) | Director of IT | 5 | 3 | 15 | Effective backup and recovery procedures | Maintenance and support contracts for core system elements | Annual IT continuity tests | Low | Low
10.3 | Inability to detect fraudulent applications (Links to 9.1, 17.1 and 17.2) | Director of Operations, Head of Registration | 5 | 2 | 10 | Financial audits, system audit trails | Policy and procedures supported by internal quality audits | Validation of submitted information, education & ID checks | Low | Low
10.4 | Backlogs of registration and applications (Links to 1.1) | Director of Operations, Head of Registration | 4 | 3 | 12 | Continually refine model of accurate demand forecasting, to predict employees required to prevent backlogs and service failures | Process streamlining | Maintain required employee attendance and time keeping to service applicants and registrants | Low | Low
10.5 | Mistake in the registration process leading to liability for compensation to Registrant or Applicant | Director of Operations, Head of Registration | 5 | 2 | 10 | Audits by Registration Management, system audit trails, external auditors | Professional indemnity insurance. Excess £2.5K. Limit £1M. (Doesn't cover misappropriation of funds) | Policy and procedures supported by ISO quality audits and process controls/checks | Low | Low
10.6 / 18 CPD (18.1-7.5) | CPD processes not effective (Links to 1.1) | Director of Operations, Head of Registration | 4 | 2 | 8 | Well documented processes | Appropriately trained members of the registrations team | Monitor and regulator feedback to the Education & Training Committee | Low | Low

HR

ISMS Ref 11, Category: HR. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks. Risks marked (I) are ISMS risks.

11.1  Loss of key HCPC employees
      Risk owner: Chair, Chief Executive and EMT
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: Organisation succession plan held by HR Director. Succession planning generally.
      Mitigation II: Departmental training (partial or full) and process documentation
      Mitigation III: -
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

11.2  High turnover of employees
      Risk owner: HR Director
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: Remuneration and HR strategy
      Mitigation II: Regular performance reviews
      Mitigation III: Exit interview analysis
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 11.3

11.3  Inability to recruit suitable employees
      Risk owner: HR Director
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: HR Strategy and adequate resourcing of the HR dept
      Mitigation II: Careful specification of recruitment adverts and interview panel selection
      Mitigation III: Hire skilled temporary staff in the interim
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 4.10, 6.1, 11.2, 11.8

11.4  Lack of technical and managerial skills to deliver the strategy
      Risk owner: Chief Executive
      Impact 4 x Likelihood 3 = Risk Score 12
      Mitigation I: HR strategy and goals and objectives (buy in the skills v staff upskilling on the job v training)
      Mitigation II: Training needs analysis & training delivery.
      Mitigation III: Some projects or work initiatives delayed or outsourced
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 1.1

11.6  High sick leave levels
      Risk owner: EMT
      Impact 2 x Likelihood 3 = Risk Score 6
      Mitigation I: Adequate staff (volume and type) including hiring temporary staff
      Mitigation II: Return to work interviews and sick leave monitoring
      Mitigation III: Regular progress reviews
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

11.7  Employee and ex-employee litigation
      Risk owner: HR Director
      Impact 4 x Likelihood 3 = Risk Score 12
      Mitigation I: Regular one on one sessions between manager and employee and regular performance reviews.
      Mitigation II: HR legislation and HR disciplinary policies
      Mitigation III: Employee surveys, Exit Interviews
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

11.8 (I)  Employer/employee inappropriate behaviour
      Risk owner: HR Director
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: Whistle blowing policy, Code of Conduct & Behaviour
      Mitigation II: Other HR policy and procedures
      Mitigation III: Employee Assistance programme
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 11.3

11.9  Non-compliance with Employment legislation
      Risk owner: HR Director
      Impact 5 x Likelihood 2 = Risk Score 10
      Mitigation I: HR policies and HR Strategy
      Mitigation II: Obtain legislation updates and legal advice
      Mitigation III: Manager training
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Includes Auto enrolment pensions

Legal

ISMS Ref 12, Category: Legal. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks. Risks marked (I) are ISMS risks.

12.1  Judicial review of HCPC's implementation of HSWPO including Rules, Standards & Guidance
      Risk owner: Chief Executive
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Consultation. Stds determined by PLGs. Agreement by Council.
      Mitigation II: Appropriate legal advice sought
      Mitigation III: -
      After mitigation: Medium (Jan 2015) / Medium (Jul 2014)
      Links to 1.2, 14.1, 14.2

12.2 (I)  Legal challenge to HCPC operations
      Risk owner: Chief Executive
      Impact 4 x Likelihood 4 = Risk Score 16
      Mitigation I: Legal advice and ISO
      Mitigation II: Pre-emptive and on-going communications concerning legal basis and implementation of the HSWPO
      Mitigation III: -
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

Fitness to Practise

ISMS Ref 13, Category: Fitness to Practise. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks. Risks marked (I) are ISMS risks.

13.1  Legal cost over-runs
      Risk owner: FTP Director
      Impact 4 x Likelihood 4 = Risk Score 16
      Mitigation I: Contractual and SLA arrangements with legal services provider(s)
      Mitigation II: Quality of operational procedures
      Mitigation III: Quality assurance mechanisms
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 13.4, 15.2

13.2  Moved to 12.2

13.3  Tribunal exceptional costs
      Risk owner: FTP Director
      Impact 5 x Likelihood 5 = Risk Score 25
      Mitigation I: Quality of operational processes
      Mitigation II: Accurate and realistic forecasting
      Mitigation III: Quality of legal advice
      After mitigation: Medium (Jan 2015) / Medium (Jul 2014)

13.4  Rapid increase in the number of allegations and resultant legal costs
      Risk owner: FTP Director
      Impact 4 x Likelihood 4 = Risk Score 16
      Mitigation I: Accurate and realistic budgeting
      Mitigation II: Resource planning
      Mitigation III: -
      After mitigation: Medium (Jan 2015) / Medium (Jul 2014)
      Links to 13.1

13.5  Witness non-attendance
      Risk owner: FTP Director
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Vulnerable witness provisions in the legislation
      Mitigation II: Witness support programme
      Mitigation III: Witness summons
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

13.6 (I)  Employee/Partner physical assault by Hearing attendees
      Risk owner: FTP Director
      Impact 5 x Likelihood 5 = Risk Score 25
      Mitigation I: Risk Assessment Processes
      Mitigation II: Adequate facilities security
      Mitigation III: Periodic use of security contractors and other steps
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

13.7  High Number of Registration Appeals
      Risk owner: FTP Director & Director of Operations, Head of Registrations
      Impact 3 x Likelihood 5 = Risk Score 15
      Mitigation I: Training and selection of Registration Assessors, so reasoned decisions are generated
      Mitigation II: Quality of operational processes
      Mitigation III: -
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

13.8  Backlog of FTP cases
      Risk owner: FTP Director
      Impact 3 x Likelihood 4 = Risk Score 12
      Mitigation I: Reforecasting budget processes
      Mitigation II: Monthly management reporting
      Mitigation III: Quality of operational processes
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

13.9  Excessive cases per Case Manager workload
      Risk owner: FTP Director
      Impact 3 x Likelihood 4 = Risk Score 12
      Mitigation I: Reforecasting budget processes
      Mitigation II: Monthly management reporting
      Mitigation III: -
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

13.10 (I)  Protracted service outage following a Case Management System failure
      Risk owner: Director of IT
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Effective backup and recovery procedures
      Mitigation II: Maintenance and support contracts for core system elements
      Mitigation III: Annual IT continuity tests
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

Policy & Standards

ISMS Ref 14, Category: Policy & Standards. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks.

14.1  Incorrect process followed to establish stds/guidance/policy eg no relevant Council decision
      Risk owner: Policy & Stds Director
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Legal advice and sign off sought on processes
      Mitigation II: Appropriately experienced and trained members of Policy team.
      Mitigation III: Quality mgt system & processes
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 12.1

14.2  Inappropriate stds/guidance published eg stds are set at inappropriate level, are too confusing or are conflicting
      Risk owner: Council/committees
      Impact 4 x Likelihood 1 = Risk Score 4
      Mitigation I: Use of professional liaison groups, and Council and committees including members with appropriate expertise
      Mitigation II: Appropriately experienced and trained members of Policy team.
      Mitigation III: Consultation with stakeholders & legal advice sought
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

14.3  Changing/evolving legal advice rendering previous work inappropriate
      Risk owner: Policy & Stds Director
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Regular reviews.
      Mitigation II: Use of well-qualified legal professionals. Legal advice obtained in writing.
      Mitigation III: Appropriately experienced and trained members of Policy team and others eg HR.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

14.4  Inadequate preparation for a change in legislation (Health Professions Order, or other legislation affecting HCPC)
      Risk owner: EMT
      Impact 3 x Likelihood 1 = Risk Score 3
      Mitigation I: EMT responsible for remaining up to date relationships with government depts and agencies.
      Mitigation II: HCPC's 5 year planning process
      Mitigation III: Legal advice sought
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

14.5  PLG member recruitment without requisite skills and knowledge
      Risk owner: Policy & Stds Director, HCPC Chair, Director of Council & Committee Services(?)
      Impact 4 x Likelihood 1 = Risk Score 4
      Mitigation I: Skills and knowledge identified in work plan
      Mitigation II: Recruitment policy
      Mitigation III: Council Scrutiny of PLG result
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 4.10

14.6  Loss of Corporate Memory
      Risk owner: Policy & Stds Director
      Impact 3 x Likelihood 3 = Risk Score 9
      Mitigation I: Maintain appropriate records of project decisions
      Mitigation II: Appropriate hand over and succession planning
      Mitigation III: Department training
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

Finance

ISMS Ref 15, Category: Finance. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks. Risks marked (I) are ISMS risks.

15.1  Insufficient cash to meet commitments
      Risk owner: Finance Director
      Impact 5 x Likelihood 1 = Risk Score 5
      Mitigation I: Reserves policy specifies minimum cash level to be maintained throughout the year. Cash flow forecast prepared as part of annual budget and 5 year plan assesses whether policy minimum level will be met.
      Mitigation II: Regular cash forecasts and reviews during the year
      Mitigation III: Fee rises and DoH grant applications as required.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.2  Unexpected rise in operating expenses
      Risk owner: EMT
      Impact 4 x Likelihood 1 = Risk Score 4
      Mitigation I: Budget holder accountability for setting budgets and managing them. Timely monthly reporting and regular budget holder reviews held. EMT review of the monthly variances year to date.
      Mitigation II: Six and nine month reforecasts with spending plan revisions as feasible and appropriate. FTP costs mainly incurred towards the end of the lifecycle of a case, so increase in case pipeline would give early warning of rise in FTP costs.
      Mitigation III: Capped FTP legal case costs.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 13.1

15.3  Major Project Cost Over-runs
      Risk owner: Project Lead / EMT
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Effective project specification including creating decision points. Effective project management and timely project progress reporting (financial and non financial).
      Mitigation II: Project budgets have 15% contingency. Project exception reports including revised funding proposal are presented to EMT for approval.
      Mitigation III: EMT review of the project spending variances to date
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.7 (I)  Registrant Credit Card record fraud/theft
      Risk owner: Finance Director
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: Compliance with PCI standards.
      Mitigation II: Limited access to card information
      Mitigation III: Professional Indemnity & fidelity (fraud) insurance for first £250k of loss
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 5.3

15.9  Mismatch between Council goals & approved financial budgets
      Risk owner: Chief Executive
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Close and regular communication between the Executive, Council and its Committees.
      Mitigation II: Adequate quantification of the budgetary implications of proposed new initiatives
      Mitigation III: Use of spending prioritisation criteria during the budget process
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 1.1

15.12 (I)  Unauthorised removal of assets (custody issue)
      Risk owner: Facilities Manager & IT Director
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: Building security including electronic access control and recording and CCTV. IT asset labeling & asset logging (issuance to employees)
      Mitigation II: Fixed Asset register itemising assets. Job exit procedures (to recover HCPC laptops, blackberries, mobile phones etc). Regular audits. Whistleblowing policy.
      Mitigation III: Computer asset insurance.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.13a (I)  Theft or fraud
      Risk owner: Finance Director
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: Well established effective processes, incl segregation of duties and review of actual costs vs budgets.
      Mitigation II: Regular audits; whistleblowing policy
      Mitigation III: Professional Indemnity & fidelity (fraud) insurance for first £250k of loss
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Incorporates aspects of previous risks 15.10 and 15.11

15.18  PAYE/NI/corporation tax compliance
      Risk owner: Finance Director
      Impact 2 x Likelihood 3 = Risk Score 6
      Mitigation I: Effective payroll process management at 3rd party. Finance staff attend payroll & tax updates
      Mitigation II: Signed disclosure forms indicating tax category status for all Council and Committee members. Professional tax advice sought where necessary, including status of CCMs and partners
      Mitigation III: PAYE Settlement Agreement in place with HMRC relating to Category One Council and Committee members.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.20  Bank insolvency: permanent loss of deposits or temporary inability to access deposits
      Risk owner: Finance Director
      Impact 5 x Likelihood 1 = Risk Score 5
      Mitigation I: Investment policy sets "investment grade" minimum credit rating for HCPC's banks and requires diversification - cash spread across at least two banking licences
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.21  Financial distress of key trade suppliers causes loss of business critical service
      Risk owner: Finance Director
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Financial health of new suppliers above OJEU threshold considered as part of OJEU PQQ process. Ongoing financial monitoring of key suppliers through Dun & Bradstreet reports
      Mitigation II: Escrow agreements
      Mitigation III: Alternative suppliers where possible, eg transcription services framework
      After mitigation: Medium (Jan 2015) / Medium (Jul 2014)

15.22  Payroll process delay or failure
      Risk owner: Finance Director
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: Outsourced to third party. Agreed monthly payroll process timetable (with slack built in). If process delayed, payment may be made by CHAPS (same day payment) or cheque.
      Mitigation II: Hard copy records held securely. Restricted system access.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.23  PSA full cost recovery model places significant financial pressure on HCPC after August 1st 2015
      Risk owner: Chief Executive & Finance Director
      Impact 4 x Likelihood 5 = Risk Score 20
      Mitigation I: Consider increase in fees
      Mitigation II: Legislative and operational adjustments
      After mitigation: High (Jan 2015) / High (Jul 2014)
      Model not yet finalised by DH or PSA

15.24  Failure to apply good procurement practice (contracts below OJEU threshold) leads to poor value for money and/or criticism
      Risk owner: Finance Director & Procurement Mgr
      Impact 2 x Likelihood 2 = Risk Score 4
      Mitigation I: Approved procurement policy. Legal advice on ISO9001 compliant process design.
      Mitigation II: Internal monitoring of Tendering and contract process use.
      Mitigation III: New suppliers process as "backstop" to failure.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.25  Failure to adhere to OJEU Procurement and Tendering requirements leads to legal challenge and costs
      Risk owner: Finance Director & Procurement Mgr
      Impact 4 x Likelihood 3 = Risk Score 12
      Mitigation I: Robust OJEU specific processes agreed by legal advisors
      Mitigation II: Legal oversight of OJEU related material created by HCPC
      Mitigation III: Legal oversight of OJEU scoring and supplier communication
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.26  Budgeting error leads to overcommitment of funds
      Risk owner: Finance Director
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Budgets are prepared by departments and then reviewed by Finance. Budgets for coming year baselined vs current year budget and forecast
      Mitigation II: Income and FTP costs are budgeted for on FAST standard models. Payroll costs are budgeted for post by post. Cautious assumptions used in relation to income and payroll.
      Mitigation III: Budgets are discussed/challenged by EMT at annual pre-budget setting review
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

15.27  Payment error leads to irrecoverable funds
      Risk owner: Finance Director
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: Extensive use of preferred suppliers with bank account details loaded into Sage.
      Mitigation II: System controls over changing payee bank details
      Mitigation III: Payment signatory reviews of payment runs
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

Pensions

ISMS Ref 16, Category: Pensions. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014).

16.2  Non compliance with pensions legislation
      Risk owner: Finance Director and HR Director
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: HCPC pension scheme reviewed for compliance with pensions legislation including auto enrolment
      Mitigation II: HR and Finance staff briefed on regulations
      Mitigation III: Advice from payroll provider. Seek specialist pensions legal advice as required.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

16.3  Increase in the Capita Flexiplan funding liability resulting from scheme valuation deficiency
      Risk owner: Finance Director
      Impact 3 x Likelihood 2 = Risk Score 6
      Mitigation I: Plan is closed to new members so there is only a limited set of circumstances that could give rise to an increase in the liability
      Mitigation II: Initial employer contributions to the Plan deficit were set on prudent basis
      Mitigation III: Monitor the performance of the Plan through periodic employers' meetings
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

Information Security

ISMS Ref 17, Category: Information Security. Each risk below lists: risk owner; Impact and Likelihood before mitigations (Jan 2015) and Risk Score = Impact x Likelihood; Mitigations I to III; RISK score after mitigation (Jan 2015 / Jul 2014); links to related risks. All risks in this section are ISMS risks (I).

17.1 (I)  Loss of information from HCPC's electronic databases due to inappropriate removal by an employee
      Risk owner: EMT, Director of IT and Director of Operations
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Access is restricted to only the data that is necessary for the performance of the services. Employment contract includes Data Protection and Confidentiality Agreement
      Mitigation II: Adequate access control procedures maintained. System audit trails.
      Mitigation III: Laptop encryption. Remote access to our infrastructure using a VPN. Documented file encryption procedure
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 5.3. Incl old 17.6

17.2 (I)  HCPC Document & Paper record Data Security
      Risk owner: EMT; Head of Business Improvement
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Use of locked document destruction bins in each dept. Use of shredder machines for confidential record destruction in some depts e.g. Finance.
      Mitigation II: Data Protection agreements signed by the relevant suppliers. Dept files stored onsite in locked cabinets. Training where appropriate (Employees & Partners)
      Mitigation III: Regarding Reg Appln forms processing, employment contract includes Data Protection Agreement
      After mitigation: Low (Jan 2015) / Low (Jul 2014)
      Links to 15.7

17.3 (I)  Unintended release of electronic or paper based information
      Risk owner: EMT, Director of IT and Director of Operations
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Access is restricted to only the data that is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods. Training where appropriate (Employees & Partners)
      Mitigation III: Data Processor agreements signed by the relevant suppliers.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

17.4 (I)  Inappropriate data received by HCPC from third parties
      Risk owner: Director of Ops, and Director of FTP
      Impact 5 x Likelihood 2 = Risk Score 10
      Mitigation I: Read only, password protected access by a restricted no of FTP employees to electronic KN data.
      Mitigation II: Registrant payments taken in compliance with Payment Card Industry (PCI) Security standards ie with quarterly PCI testing.
      Mitigation III: Ensure third party data providers e.g. professional bodies provide the data password protected/encrypted/door to door courier/registered mail/sign in sign out as appropriate.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

17.5 (I)  Loss of physical data despatched to and held by third parties for the delivery of their services
      Risk owner: Director of Ops and Hd of Business Process Improv
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Data Protection/Controller agreements signed by the relevant suppliers. Use of electronic firewalls by suppliers.
      Mitigation II: Use of transit cases for archive boxes sent for scanning or copying and sign out procedures.
      Mitigation III: -
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

17.6 (I)  Loss of Registrant personal data by the registration system (NetRegulate) application support provider in the performance of their support services (specific risk).
      Risk owner: Director of IT and Director of Operations
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Access to and export of personal data is restricted to only that which is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods.
      Mitigation III: Data processor side letter specifying obligations and granting a limited indemnity.
      After mitigation: Low (Jan 2015) / Low (Jul 2014)

17.7 (I)  Incorrect risk assessment of Information Assets
      Risk owner: Hd of Business Process Improv & Asset Owners
      Impact 4 x Likelihood 2 = Risk Score 8
      Mitigation I: Identification and collection of information risk assets
      Mitigation II: Regular audit and review of information risk assets by Hd of BPI
      Mitigation III: Regular identification and review of information risk assets by Hd of BPI
      After mitigation: Low (Jan 2015) / New (Jul 2014)

17.8 (I) NEW  Loss of personal data by an HCPC Contractor or Partner providing application support in the performance of their support services (specific risk).
      Risk owner: Director of IT and Director of Operations, Director of Education, Director of Fitness to Practise
      Impact 5 x Likelihood 3 = Risk Score 15
      Mitigation I: Access to and export of personal data is restricted to only that which is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods.
      After mitigation: Low (Jan 2015) / not assessed (Jul 2014, new risk)

Appendix i
Glossary & Abbreviations

Term  Meaning
AGM  Annual General Meeting
CDT  Cross Directorate Team (formerly HCPC's Middle Management Group)
CPD  Continuing Professional Development
EEA  European Economic Area, = European Economic Union, plus Norway, Iceland, plus for our purposes Switzerland
EMT  HCPC's Executive Management Team
EU  European Economic Union (formerly known as the "Common Market")
Europa Quality Print  Supplier of print and mailing services to HCPC
FReM  Financial Reporting Manual
FTP  Fitness to Practise
GP  Grandparenting
HSWPO  Health and Social Work Professions Order (2001)
HR  Human Resources
HW  Abbreviation for computer hardware
I  I = Information Security Management System (ISMS) risk
Impact  The result of a particular event, threat or opportunity occurring. Scored between 1 least effect on HCPC and 5 maximum effect on HCPC.
ISO  International Standards Organisation (the global governing body for the Quality standards used by HCPC)
ISO 9001:2008  The ISO Quality Management Standard used by HCPC.
IT  Information Technology
Likelihood  Used to mean Probability of the event or issue occurring within the next 12 months
MIS  Management Information System
MOU  Memorandum of Understanding
NetRegulate  The bespoke computer application used to manage the application, registration and renewal processes, and publish the online register
OIC  Order in Council
OJEU  Official Journal of the European Union
Onboarding  The process of bringing a new profession into statutory regulation from HCPC's viewpoint
OPS  Operations
PSA  Formerly (CHRE), renamed Professional Standards Authority for Health and Social Care in the 2012 legislation.
PLG  Professional Liaison Group
Probability  Likelihood, chance of occurring. Not the "mathematical" probability. Scored between 1 least likely and 5 most likely to occur within the next year.
Q  Q = Quality Management System (QMS) Risk
QMS  Quality Management System, used to record and publish HCPC's agreed management processes
Risk  An uncertain event/s that could occur and have an impact on the achievement of objectives
Risk Owner  The person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
Risk Score  Likelihood x Impact or Probability x Significance
SI  Statutory Instrument
Significance  Broadly similar to Impact
SSFS  Scheme Specific Funding Standard, a set of standards relating to pensions services
STD  Standards
SW  Abbreviation for computer software
VPN  Virtual Private Network, a method of securely accessing computer systems via the public internet

Appendix ii
HCPC RISK MATRIX

Risk Score = Impact (1 to 5) x Likelihood (1 to 5). Rows are IMPACT levels, columns are LIKELIHOOD levels.

IMPACT            Negligible 1   Rare 2   Unlikely 3   Possible 4   Probable 5
Catastrophic 5          5           10         15           20           25
Significant 4           4            8         12           16           20
Moderate 3              3            6          9           12           15
Minor 2                 2            4          6            8           10
Insignificant 1         1            2          3            4            5

KEY
>11   High Risk: Urgent action required
6-10  Medium Risk: Some action required
<5    Low Risk: Ongoing monitoring required

IMPACT levels by impact type (Public Protection / Financial / Reputation)

Catastrophic 5
  Public Protection: A systematic failure for which HCPC are ultimately responsible for, exposes the public to serious harm in cases where mitigation was expected.
  Financial: Unfunded pressures greater than £1 million
  Reputation: Incompetence/ maladministration or other event that will destroy public trust or a key relationship

Significant 4
  Public Protection: A systematic failure for which HCPC are ultimately responsible for, exposes more than 10 people to harm in cases where mitigation was expected.
  Financial: Unfunded pressures £250,000 - £1 million
  Reputation: Incompetence/ maladministration that will undermine public trust or a key relationship for a sustained period or at a critical moment.

Moderate 3
  Public Protection: A systemic failure for which HCPC are ultimately responsible for exposes more than 2 people to harm in cases when mitigation was expected.
  Financial: Unfunded pressures £50,000 - £250,000
  Reputation: Incompetence/ maladministration that will undermine public trust or a key relationship for a short period. Example Policy U-turn

Minor 2
  Public Protection: A systemic failure which results in inadequate protection for individuals/individual communities, including failure to resolve celebrity cases.
  Financial: Unfunded pressures £20,000 - £50,000
  Reputation: Event that will lead to widespread public criticism.

Insignificant 1
  Public Protection: A systemic failure for which fails to address an operational requirement
  Financial: Unfunded pressures over £10,000
  Reputation: Event that will lead to public criticism by external stakeholders as anticipated.

LIKELIHOOD levels are defined separately for the Strategic, Programme / Project and Operational areas; see RISK MATRIX DEFINITIONS.

RISK MATRIX DEFINITIONS

IMPACT TYPES: Public Protection, Financial, Reputation. LIKELIHOOD AREAS: Strategic, Programme / Project, Operational.

IMPACT

Catastrophic 5
  Public Protection: A systematic failure for which HCPC are ultimately responsible for, exposes the public to serious harm in cases where mitigation was expected.
  Financial: Unfunded pressures greater than £1 million
  Reputation: Incompetence/ maladministration or other event that will destroy public trust or a key relationship

Significant 4
  Public Protection: A systematic failure for which HCPC are ultimately responsible for, exposes more than 10 people to harm in cases where mitigation was expected.
  Financial: Unfunded pressures greater than £50,000; £250k - £1 million
  Reputation: Incompetence/ maladministration that will undermine public trust or a key relationship for a sustained period or at a critical moment.

Moderate 3
  Public Protection: A systemic failure for which HCPC are ultimately responsible for exposes more than 2 people to harm in cases when mitigation was expected.
  Financial: Unfunded pressures greater than £8,000; £50,000 - £250,000
  Reputation: Incompetence/ maladministration that will undermine public trust or a key relationship for a short period. Example Policy U-turn

Minor 2
  Public Protection: A systemic failure which results in inadequate protection for individuals/individual communities, including failure to resolve celebrity cases.
  Financial: Unfunded pressures over £2,000; between £20,000-£50,000
  Reputation: Event that will lead to widespread public criticism.

Insignificant 1
  Public Protection: A systemic failure for which fails to address an operational requirement
  Financial: Unfunded pressures over £1,000; Unfunded pressures over £10,000
  Reputation: Event that will lead to public criticism by external stakeholders as anticipated.

LIKELIHOOD

Probable 5
  Strategic: "Clear and present danger", represented by this risk - will probably impact on this initiative - sooner rather than later.
  Programme / Project: Likely to occur in the life-cycle of the project, probably early on and perhaps more than once.
  Operational: The threat is likely to happen almost every day.

Possible 4
  Strategic: Likely to happen at some point during the next one or two years.
  Programme / Project: Likely to happen in the life-cycle of the programme or project.
  Operational: May well happen on a weekly basis.

Unlikely 3
  Strategic: May well occur during the lifetime of the strategy.
  Programme / Project: May occur during the life of the programme or project.
  Operational: May well happen on a monthly basis.

Rare 2
  Strategic: Only small chance of occurring in the lifetime of the strategy.
  Programme / Project: Not likely to occur during the lifecycle of the programme or project.
  Operational: Does not happen often - once every six months.

Negligible 1
  Strategic, Programme / Project and Operational: Extremely infrequent - unlikely to happen in a strategic environment or occur during a project or programme's lifecycle. May occur once a year or so in an operational environment.

HCPC Strategic Objectives 2009 - 2015

Code        Objective

SO1.GG      Objective 1: Good governance
            To maintain, review and develop good corporate governance

SO2.EBP     Objective 2: Efficient business processes
            To maintain, review and develop efficient business processes throughout the organisation

SO3.Com     Objective 3: Communication
            To increase understanding and awareness of regulation amongst all stakeholders

SO4.Evid    Objective 4: Build the evidence base of regulation
            To ensure that the organisation's work is evidence based

SO5.IPA     Objective 5: Influence the policy agenda
            To be proactive in influencing the wider regulatory policy agenda

SO6.HmCty   Objective 6: Engagement in the four countries
            To ensure that our approach to regulation takes account of differences between the four countries

HCPC has an averse appetite to risk, in that we:

a. Identify all relevant risks
b. Mitigate those risks to an appropriate level
c. Invest mitigation resources in proportion to the level of risk


HCPC draft Risk Assurance mapping
Increasing Assurance

Assurance sources by area:

AREA C. Management Control & Reporting: Operational Risk Management; Assurance Map; Inter-departmental Quality Assurance; Near Miss Reporting; Systems Controls; EMT
AREA B. Functional oversight / Governance: Audit Committee; Council
AREA A. Independent review / Assurance / Regulatory oversight: Internal Auditors; External Auditors (NAO); Legal Advice; Quality Management System ISO9001; Information Security Management ISO27001; Penetration Testing; PSA; PCI-DSS; Parliamentary oversight

Key Business Risk areas (each x marks one assurance source applicable to that area):

Strategic risks x x x x x

Communications x x x x x x x x x x x

Continuing Professional Development x x x x x x x

Corporate Governance x x x x x x x x x x x

Information Security x x x x x x x x x x x

Education x x x x x x x x x x x

Finance x x x x x x x x x x x x x x

Fitness to Practise x x x x x x x x x x x x

HR x x x x x x x x x x x

Information Technology x x x x x x x x x x x x x

Legal x x x x x x x x

Operations x x x x x x x x x x x

Partner x x x x x x x x x x x

Pensions x x x x x x

Policy & Standards x x x x x x x x x x

Project Management x x x x x x x x x x x

Quality Management x x x x x x x x x x

Registration x x x x x x x x x x x
