Visit Scotland | Alba

1. Roles and responsibilities

  • The Board has responsibility for the strategic direction of VisitScotland, ensuring that it fulfils the aims and objectives set by the Scottish Ministers. The Board approves risk management arrangements and considers the risk implications of Board decisions. It is informed on risk by the Audit & Risk Committee.
  • The Audit & Risk Committee (ARC) is a sub-committee of the Board which advises the Board on the strategic processes for risk, control and governance. The processes include the compilation of a risk register and the effectiveness of our management of risk. The Committee monitors effectiveness through reviews, challenge, and internal audit reports on the systems of internal control.
  • The Chief Executive, as Accountable Officer, is responsible for maintaining a sound system of internal control and ensuring a system of risk management is embedded in the organisation. This system is designed to inform decisions on financial and operational planning and to assist in achieving objectives and budgets.
  • The Leadership Group comprising of the Chief Executive, Directors, and other Senior Management, has overall responsibility for the operation of risk management and ensuring regular reviews are carried out. Directors are responsible for promoting risk awareness within their operations and ensuring risk management is incorporated at the concept stage of projects. Risk is integrated into the planning and management process and is a standing item for bi-weekly meetings of the Leadership Group.
  • The Director of Corporate Services provides leadership and advice on all aspects of corporate governance, audit and risk management to the Board and Leadership Group and is VisitScotland’s Senior Information Risk Manager (SIRO).
  • The Risk Officer is VisitScotland’s risk champion and promotes risk management within the culture of the organisation. The Risk Officer is responsible for the Risk Strategy and Framework and building awareness of it within the organisation, maintaining the Corporate Risk Register, chairing the Risk Management Committee, leading reviews of risk, and drafting a Risk Report for each Audit & Risk Committee meeting. The Risk Officer will also consult with colleagues on a regular basis to identify any new or changed risks, attend project Steering Groups to provide risk management support, and have oversight of all project risk registers.
  • The Risk Management Committee (RMC) comprises of senior managers from all areas of the business who meet in advance of each Audit & Risk Committee meeting to monitor and review all risk registers for and oversee risk management arrangements within VisitScotland.
  • Risk Owners are those who ‘own’ a risk for the organisation. These will normally be Directors but can be Heads of Departments or Project Managers.
  • Mitigating Action Owners are those members of staff who have responsibility to deliver on specific actions which will mitigate risk.
  • Project Managers are responsible for the creation of a project risk register, and management of the risks aligned with their project.
  • ABC Owners will prepare risk registers for those ABC related risks not covered in the Corporate Register as part of their annual operations plans, and report on progress. They will involve their staff in minimising the effect of risks in their area of operation.
  • Internal Auditors will review, challenge and report on the adequacy and effectiveness of the system of internal control including audit of the risk management and reporting process.
  • External Auditors also review and report on the system of internal control along with other corporate governance matters including the effectiveness of the risk policy and strategy.

2. Risk identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of VisitScotland, the market in which we operate, the legal, social, political and cultural environment in which we exist, as well as the development of a sound understanding of our strategic and operational objectives, including factors critical to our success and the threats and opportunities related to the achievement of these strategies and objectives.

The four Corporate Strategic Pillars outlined in the Corporate Plan for 2017-20 are outlined below and each corporate risk must be assigned to one lead Strategic Pillar:

  • Building a visitor-shaped destination brand
  • Investing in Scotland’s Tourism and Events Communities
  • VS Facilitating collaboration and embracing change in a global digital economy
  • Enabling VS: Good to Great to World Class

Risks will be identified through the following channels:

  • Risk workshops are held every three years (or more frequently if required) with Board Members and Directors to fully refresh the risk register in line with objectives contained within the Corporate Plan.
  • Annual planning process includes review of risk by each ABC owner and preparation of the ABC risk register, which is reviewed by the Risk Officer.
  • Risk Management Committee meetings review planning activity and economic and consumer insights to identify any new activities, global threats or trends.
  • Leadership Group bi-weekly meetings have risk as a standing item on the agenda and risk is considered when planning or approving new activities or projects, and when reviewing issues arising from business as usual.
  • Risk workshops facilitated for significant new projects enable project managers to compile project risk registers which become part of the project management process, and which are reviewed by the Risk Officer and Risk Management Committee (“significant” is determined by the Director of Corporate Services and agreed by the Audit & Risk Committee on a case by case basis, taking in to account the scale of the project and resource and time required).
  • The Policy, Regulation & Legislation Steering Group monitors changing compliance issues, legislation and accounting practice.
  • Internal audit reviews may highlight areas of risk and control weaknesses and recommend mitigating actions.
  • Incident and accident reporting, complaints or claims against the organisation may identify risks

Any emerging or changing risks identified by or to the Risk Officer which he/she considers likely to be assessed or re-assessed as “very high” (scoring over 20 out of 25) will be notified to the Leadership Group immediately and escalated to the Audit & Risk Committee, and the Board as appropriate.  This may include implementation of the Crisis Communications or Business Continuity Plans.

3. Risk classification

VisitScotland has classified the type of risk as either External or Internal with sub-categories according to their nature.

External risks are those over which we have limited/no control but are to do with the nature and purpose of the organisation, its ability to achieve its mission, the environment it works in, its competitors, the stakeholders’ needs it seeks to satisfy, its response to opportunities and threats, its vulnerability to political and economic shifts, or the solidity of its reputation and standing.

Internal risks are those which we can control and are to do with the day to day operation of the business in areas like marketing, communications, managing relationships, events, retailing, technology, human resources, facilities, procurement and finance.

Categories for risks are shown in the table below - they can be external or internal:

Category Description
Compliance Associated with changes in UK or EU legislation, Scottish Government policy or requirements, accounting practice, breaches of regulations etc
Economic Relates to global economic factors, UK economy, inflation, foreign exchange rates, industry performance, income levels etc
Environment Includes the political environment and factors outside our control which affect tourism in general including terrorism, pandemics, weather, natural disasters
Reputation Arising from adverse publicity in the media, trade criticism, brand damage, crisis management etc concerning VisitScotland and/or the tourism industry
Finance Associated with funding levels, reduction in income, budgetary control, financial planning, cost effectiveness, financial controls, fraud etc
Governance & Strategy Includes industry engagement, stakeholder management, partnerships, branding, marketing campaigns, competition, strategic decision making
Process Associated with operational matters including contractual arrangements, organisation structure, human resources, business continuity, health & safety
Technology Relates to IT infrastructure, capital investment, pace of technological change, systems, websites, data security, disaster recovery, third party hosting etc

Nature of risk types are shown in the table below:

Nature Description
Strategic Long-term or opportunity risk concerned with where the organisation wants to go and how it plans to get there, and impacts on the achievement of the strategic aims of the organisation
Operational A risk that could occur from inadequate or failed internal processes, people or systems, and capable of impacting the operation of the organisation
Horizon External risk in which it’s likelihood of occurring is out-with the control of the organisation
Project Significant projects will have risk registers which will manage those risks that could present doubt on our ability to deliver a project on time, within budget and to scope

4. Risk management process

Successful risk management requires the identification and recording of key risks and an assessment of the level of the risk in terms of likelihood of occurrence and scale of impact on the organisation, including consideration of the current methods of managing that risk. From this process actions can be agreed to mitigate these risks, with ownership assigned to specific managers. Regular monitoring then needs to take place to ensure that actions are implemented, risks reduced, and any new risks identified.

Our approach to the management of risk can be summed up as follows:

  1. Identify, evaluate and prioritise the key risks facing VisitScotland.
  2. Complete a Risk Register categorising and listing all the risks identified.
  3. Assess the impact and likelihood of the risk occurring.
  4. Assign each risk to an individual and identify existing controls and responses which address and minimise the risk - risks can be allocated at Head of Department, Project Manager, or Director level.
  5. Where there are insufficient or ineffective controls or responses, formulate new controls and an action plan to address the risk.
  6. Regularly re-score risks and review and report on responses to risks at the Leadership Group, RMC, ARC and Board level.
  7. Embed risk assessment into the working practices and planning processes at VisitScotland so that staff become focused on meeting objectives and managing the significant risks.

5. Risk register

VisitScotland has a Corporate Risk Register covering the main strategic, operational, horizon and project risks identified by the Board and Management. These are split between "External" risks over which we have little control, e.g. foreign exchange rate fluctuations, flu pandemic, terrorism, natural disasters, political decisions, and "Internal" risks which we can influence, e.g. adverse media commentary, lack of commitment from the trade, lack of funding, core IT system failure, loss of staff and morale, damage to offices etc.

The Risk Register shows the current and planned mitigating actions and controls for each key risk, the person responsible and an assessment of the likelihood and impact of the risk occurring. All risks must be reported through this template, however, whilst project risks can be detailed and controlled on a separate risk register template, a project overview and current scoring must be summarised in the Corporate Risk Register.

6. Risk reporting

The Risk Register is reviewed and reported in advance the Audit & Risk Committee meeting by the Risk Officer, with the Audit & Risk Committee receiving a report on the current amber and red risks.

Risk Level Risk Level Description
Very High (black)

Rating: Unacceptable level of risk exposure that requires immediate mitigating action.

Reporting: To Chief Executive, Audit & Risk Committee and the Board.
Very High (red)

Rating: Unacceptable level of risk exposure that requires immediate mitigating action.

Reporting: To Chief Executive, Audit & Risk Committee and the Board.
High (amber)

Rating: Unacceptable level of risk which requires controls to be put in place to reduce exposure.

Reporting: To Chief Executive/Audit & Risk Committee for upward reporting to the Board.
Medium (yellow)

Rating: Acceptable level of risk exposure subject to regular active monitoring.

Reporting: At Risk Management Committee/ Leadership Group level.
Low (green)

Rating: Acceptable level of risk subject to regular passive monitoring.

Reporting: To Risk Management Committee. Consideration should be given as to whether risks recorded as low are still extant.

At each meeting of the Risk Management Committee a review will be undertaken of the Corporate Risk Register to ensure that it is accurate and remains applicable.  A report will be made to the Leadership Group and the Audit & Risk Committee, which could consider:

  • The previous year's record on risk management
  • Progress made with mitigating actions to address each risk
  • Reports from auditors
  • The Corporate Plan objectives, performance targets and departmental or area risks identified
  • Any other new or changed risks, or changed likelihood or impact of risks
  • Insights and scenario planning activity including creation of any contingency plans
  • Any changes in responsible officers

The reviews will include interaction with Directors, Senior Managers and other staff as appropriate, and will include any necessary training and awareness on risk management arising from the review.

The Risk Officer prepares a report for the Leadership Group and the Audit & Risk Committee in league table format clearly showing the ranking of risks based on scoring together with a summary of mitigating actions for each risk. Risks moving up or down are highlighted together with explanations.

A summarised version of the red and amber risks is included in the Measurement Report issued to the Board.

7. Additional project risk registers

All major new initiatives and significant projects will undergo a risk assessment process which will generate a project-specific risk register to be owned and maintained by the Project Manager and reviewed by the Risk Officer and the projects’ Steering Group. This forms part of the VisitScotland standard project management methodology as overseen by the Portfolio Office.

The Risk Officer will provide advice and guidance on the risk process to Project Managers which should include a brainstorming session of risks with the project team and other interested parties in order to identify all the risks. The initial project risk register is also reported to the Audit & Risk Committee by the Project Manager with any updates as considered appropriate.

8. Risk and the planning process

To be effective, risk management needs to be embedded in the planning process. This will assist Directors, Senior Management and the Risk Officer in identifying new key risks or significant changes to existing ones. Each ABC will include a key risk register for the project/activity. The risk updates will be reviewed by the Risk Officer on an ongoing basis.

The ABC Owner will own, promote and review the risk management process for their ABC and encourage staff in their teams to understand how their actions can help to minimise the key risks to their area/department’s objectives and activities.

The key risks will be reviewed regularly when reporting on progress against objectives, and any significant new risks or changes to existing risks will be brought to the attention of the appropriate Director.

9. Options for managing risks (mitigation)

Risk management is not simply about identifying risks and then avoiding them. It is about managing those risks in the most efficient and effective manner. External and internal risks are identified, objectively assessed, scored using quantitative methods and, where this is the appropriate response, actively managed. The most common forms of dealing with or responding to risk are:

Terminate the risk - do something differently thereby removing the risk completely. Care should be taken that any alternative approach does not create bigger risks.

Treat the risk - this is where action is taken to reduce the likelihood or impact of the risk. The key is that any action must be cost effective against the size and impact of the risk.

Contingency planning - where the impact or likelihood of the risk cannot be reduced to an acceptable level (or even when it can) then contingency plans should be devised to ensure business continuity and recovery after events that cannot be controlled. Contingency plans should as a minimum be considered for all risks with expected high impact or high likelihood. Contingency plans should always be tested.

Transfer the risk - this is where the risk’s financial impact or the responsibility for managing it is given to someone other than VisitScotland. This can usually be achieved by contracting out the activity or through insurance or penalty clauses.

Tolerating the risk - this response to a risk is really the response of last resort. Tolerating the risk involves accepting a risk above our acceptable level without reducing it, probably because nothing can be done to reduce it a reasonable cost.

10. Risk appetite

The aim of effective risk management is not to remove all risk but to recognise that some level of risk will always exist. Risk appetite can be defined as the amount and type of risk that the organisation is willing to take in order to achieve its strategic objectives. In this sense it is about comparing the cost (financial or otherwise) of constraining the risk with the cost of the exposure should the exposure become a reality and finding an acceptable balance. Risk appetite is deemed to be the acceptable level of risk before any mitigation.

Note that some risk is un-avoidable, and it is not within the ability of VisitScotland to completely manage it to a tolerable level - for example many organisations must accept that there are global economic factors which they cannot control. In these cases, VisitScotland will make contingency plans.

The risk appetite of the organisation is determined by the Board at Strategic Pillar level, with an appetite applied to risk in its inherent (gross) state. The Board also determines the risk appetite for the activities carried out within each Strategic Pillar, depending on its nature.

11. Risk proximity

Risk proximity means how close we are, in terms of time, to a risk potentially occurring. Assessing and applying the proximity of a risk allows for risk prioritisation. We need to assess when the risk is likely to occur so that we can respond to it appropriately. Risk proximity is used to ensure that focus on risks is balanced with a greater emphasis on those risks that are likely to occur in the short term.

The below table outlines fixed proximity categories that should be applied to risks within a risk register.

Proximity
Immediate unknown – could occur at any time
Imminent predicted to occur within the next 3 months
Short-term predicted to occur within the next 3-12 months
Medium-term predicted to occur within the next 1-3 years or is an activity aligned to our Strategic Framework
Long-term predicted to occur within the next 3+ years

It is important that ongoing monitoring of a risks’ proximity is carried out when undertaking review of the risk register, in the eventuality of a change to the risk horizon.

Related links

Our best value policy

Find our best value policy, containing the measures we take to deliver best value in our services, including our policy, responsibilities, and…

Our data protection policy

This policy ensures that all personal data is processed fairly, lawfully, in a transparent manner, and in compliance with data protection and privacy…

Our health and safety policy

Our health and safety policy contains the measures we take in accordance with the requirements of health and safety law.

Our open source code policy

Find out more about the purpose and scope of working with open source code in conjunction with our principles and legislative framework.