RISK MANAGEMENT POLICY AND STRATEGY May 2013

Risk Policy 2013
Appendix 4
Contents

1. Risk Management Overview (page 3)
2. British Library Risk Management Policy Statement (page 3)
3. Risk Management Purpose, Objectives and Framework (page 4)
4. Risk Measurement (page 13)
5. Risk Appetite (page 17)
6. Annual Assurance Statement by Head of Division (page 22)
1. Risk Management Overview
The British Library defines risk as the quantifiable level of exposure to the threat of internal
or external events that will adversely affect the Library’s ability to achieve its strategic, policy and
operational goals. In simple terms, risk is regarded as ‘uncertainty’. The task of management is
to respond effectively to these risks, to maximise the likelihood of the organisation achieving its
purposes and to ensure the best use of public money and resources.
As resources are finite, the British Library recognises that some risk taking will always be
necessary. To inform the risk taking, the British Library has adopted a risk management
process that enables the following:
- understanding of the level of risk exposure that can be tolerated;
- that the type of risk is understood and the level of risk can be measured;
- where the level of risk exposure is too high, that a suitable level of mitigation exists;
- that the on-going effectiveness of mitigation is assessed; and that
- action is taken by management to design and establish suitable mitigation where existing
arrangements are found to be inadequate or ineffective.
The establishment of effective risk management is recognised by DCMS, the Board and the
Executive Leadership Team as being fundamental in ensuring good corporate governance. These
arrangements are endorsed and upheld by The British Library’s Board and Executive Leadership
Team through the implementation of cyclical risk management reporting and monitoring regimes.
These arrangements are suitably robust and transparent to enable the production and certification
of a ‘fair and representative’ Statement on Internal Control (SIC) or corporate governance
statement by the British Library.
The SIC forms part of The British Library’s statutory accounts and annual report. This is a public
statement that confirms the on-going effectiveness of the British Library’s internal control
environment in the management of risk, both financial and non-financial.
The Risk Management Policy and Strategy identifies how the above will be achieved.
This revised document builds on that agreed by the Board in 2010 and reflects the continued
improvement in the control of risks at the Library.
2. British Library Strategy Statement
The British Library Board is committed to ensuring that the management of risk underpins all
activities of the organisation, thus safeguarding against the following:
- poor service quality;
- financial loss;
- waste;
- injury and / or death to staff, readers or visitors;
- damage to the Library’s reputation;
- damage to or loss from the collections; and
- damage to relationships with stakeholders.
Notwithstanding the above, The British Library Board recognises that the application of risk
management practices should not seek to eliminate all risk exposure, only that which is
considered too high for the organisation. Furthermore, The British Library Board acknowledges its
tolerance to risk (or risk appetite) and this is reflected in the risk management strategy.
As far as possible, the Library should ensure that for each key organisation priority the following is
known:
- the type and level of risk for each activity, service and operation;
- how the risk is being managed; and
- whether further action should be considered to better mitigate the risk, including transfer of the
risk where possible, or whether the British Library knowingly accepts the risk. It is also
important to recognise when risks may be over-mitigated, that is, when a risk is already at an
acceptable level and scarce resources are being unnecessarily applied to further mitigating the
risk.
To support the application of the risk management framework in practice, a risk management
information system in the form of a series of integrated risk registers has been established,
implemented and is maintained on an ongoing basis in accordance with this policy. The
performance of the risk management system is monitored and reported to The British Library
Executive Leadership Team for review and appropriate decision-making and the Board Audit
Committee as a basis for ensuring its on-going effectiveness.
The active ongoing commitment and full support of the Chief Executive and all senior management
has been given and is an essential part of this risk management policy. The Board, managers and
staff will establish, maintain and support the risk management programme and ensure that
effective mechanisms are in place for assessing and responding to any matters arising. All
employees must have an appropriate level of understanding about the nature of risk and risk
management within The British Library. Those authorised by The British Library must further
accept responsibility for risk ownership, including controls / mitigation effectiveness and the
tracking of risk management actions to their completion / implementation.
3. Risk Management Purpose, Objectives and Framework
3.1 Purpose of risk management
The purpose of risk management is to identify potential problems before they occur so that
risk-handling activities may be planned and invoked as needed to mitigate adverse impacts on
achieving objectives.
Risk management is a continuous, forward-looking process that is an important part of business
and technical management processes. Risk management should address issues that could
endanger achievement of critical objectives. A continuous risk management approach is applied to
effectively anticipate and mitigate the risks that have critical impact on a business activity, service,
event or change programme.
Effective risk management includes early and aggressive risk identification through the
collaboration and involvement of relevant stakeholders. Strong leadership across all relevant
stakeholders is needed to establish an environment for the free and open disclosure and
discussion of risk.
3.2 Objectives of Risk Management
To assist in the management of business risk the following objectives have been identified which
form the basis of The British Library risk management framework. These objectives will be
achieved through various mechanisms that are outlined in this risk management strategy and
associated risk management programme. Thus the objectives are to:
- seek to identify, measure, control and report on business risk that will undermine the
achievement of British Library priorities, both strategically and operationally, through
appropriate assessment criteria;
- promote awareness of business risk and embed the British Library approach to its
management throughout the organisation;
- monitor and measure the overall performance of the risk management framework and the way
in which it contributes to the achievement of the business activities of the British Library; and
- support and monitor the role and work of the Board Audit Committee within the organisation.
3.2 Risk Management Process
Vision
The British Library will seek to identify and measure the risks it faces. Wherever practicable, it will
seek to control risks in order to maximise the quality of its service provision and maintain its
reputation.
The Library will encourage innovative solutions that, whilst sometimes involving risk, can be
implemented with an awareness and active management of the risks that they carry.
Culture
The British Library Board recognises the value of adopting a risk management culture.
Consequently, it will:
- nominate a senior staff member to promote the risk management function and ensure its
effectiveness across the British Library;
- implement and monitor risk management arrangements across the organisation;
- establish a programme of risk assessment to feed into the business planning process at all
levels, including the performance management framework and annual statement on internal
control or corporate governance;
- set up a cross-division risk focus group to look at emerging risks and best practice;
- make available funds that are appropriate to finance risk management initiatives and
projects across the British Library, where this is required; and
- encourage, where appropriate, all of the senior managers, suppliers, staff and other
stakeholders to develop and maintain a risk management ethic and to report concerns
accordingly.
3.3 Roles and responsibilities
This section summarises the roles and responsibilities of those involved in the risk management
activity.
The Board will be responsible for:
- approving the risk management policy statement and subsequent revisions thereof; and
- approving risk appetite levels.
The Board Audit Committee has separately established Terms of Reference, and will be
responsible for:
- preparing terms of reference in connection with its risk management responsibilities in
consultation with the Chief Financial Officer and the Executive Leadership Team;
- assessing the on-going effectiveness of risk management controls, including the quality of
assurance provision;
- monitoring and, where necessary, reporting further on risk management initiatives and
activities to ensure suitable accountability and effective implementation, either to the Board
and / or regulators and stakeholders;
- challenging the way in which risk is managed at the British Library where there is
uncertainty or concern over the effectiveness of existing arrangements until satisfactory
conclusions have been drawn; this could include requesting Senior Managers’ attendance
at meetings for the purpose of providing relevant information for assurance purposes;
- reviewing, at least annually, the British Library risk management policy and strategy and
any changes required; and
- reviewing the annual report on Risk Management (in the form of the SIC or corporate
governance statement), in conjunction with the Chief Executive, to ensure that it is ‘fair and
representative’ of the British Library risk management arrangements prior to inclusion in the
annual accounts.
The Chief Executive and the Executive Leadership Team will be responsible for:
- agreeing the Risk Management Policy Statement and subsequent revisions thereof;
- agreeing and monitoring action in relation to areas of high risk, stemming from any reports
in connection with Risk Management activity;
- responding to or keeping under review major risk management issues arising at a strategic
and / or operational level facing the British Library;
- agreeing resources to be made available in connection with the management of risk;
- providing assurance with regard to the effective application of the above through completion
of an annual assurance statement in connection with risk management;
- producing and publishing an annual risk management assurance statement in the form of a
statement of internal control or corporate governance in connection with the effectiveness
of Risk Management across the British Library; and
- reviewing and proposing risk appetite levels for agreement by the Board.
The Chief Financial Officer will be responsible for:
- overseeing the function of risk management;
- advising the Audit Committee and Executive Leadership Team on progress of Risk
Management activities and acting as key contact in connection with risk management
issues;
- submitting, where appropriate, interim reports and policy reviews to the Executive
Leadership Team and Audit Committee on risk management activity throughout the British
Library; and
- submitting an annual report to the Audit Committee and Executive Leadership Team on risk
management activity throughout the British Library.
The Risk Management specialist function will be responsible for:
- building a visible risk-aware culture within the organisation through appropriate education
and mentoring, including one-to-one mentoring, risk workshops and training events;
- assisting the British Library Board in setting policy and strategy for Risk Management;
- raising awareness of risk management and instilling the philosophy and potential benefits of
Risk Management;
- preparing manuals, guidance and templates and establishing and reviewing risk standards;
- co-ordinating and facilitating the various functional activities which advise on risk
management issues within the organisation;
- supporting the development of risk processes and advising on best practice;
- acting as champions for risk management and promoting it, including by maintaining an
effective Intranet presence and visibility within the Library;
- monitoring and reporting on the effectiveness of risk management at the British Library;
- quality assurance, focusing on ensuring a common structure and format, consistency
between documents, sign-off, review, ownership and feedback;
- preparing reports and registers on risk issues for the Executive Leadership Team, the
Board, the Board Audit Committee and other stakeholders;
- organising and chairing the Risk Focus Group;
- challenging risk entries and actions;
- undertaking analysis and reporting key issues to management at all levels, escalating risks
where appropriate;
- identifying and reporting aggregated risks;
- undertaking an expert user role for the 4Risk software, looking to maximise the benefits of
the system, and training others in the use of the system; and
- building awareness of continuity risks and preparing continuity plans.
Risk Champions within each Division will, along with the IRM Risk Manager, be responsible
for:
- co-ordinating risk management activities within each Division;
- promoting the use of risk management with Division colleagues;
- ensuring that the Division’s Risk Register is maintained and regularly reviewed at senior
management meetings;
- ensuring that risk registers on 4Risk are updated; and
- challenging risk entries and actions.
The Risk (and Business Continuity) Focus Group is composed of risk specialists, risk
champions from each Division and representatives from Business Assurance. It has
separately established Terms of Reference and will be responsible for:
- co-ordinating the risk management initiatives at a strategic, corporate and operational level;
- identifying emerging risks and horizon scanning for potential risks;
- planning, overseeing and facilitating risk management initiatives at a strategic,
corporate and operational level;
- reporting on risk management initiatives (including compliance) and activities and their
outcomes;
- sanity checking the Strategic Risk Register to ensure that the key strategic aims are
reflected;
- raising awareness of risk management issues; and
- reviewing annually this Risk Management Policy and Strategy to ensure it remains relevant
to the needs of the organisation.
Senior Service Managers will be responsible for:
- identifying, assessing, mitigating and reporting on risk through the use of risk assessment
and the maintenance of relevant risk management information systems or risk registers;
- determining resource implications / requirements arising in connection with risk
assessments;
- ensuring compliance with and the effective application of the British Library Risk Management
Policy Statement and this strategy;
- ensuring employees, contractors and partners are made aware of the importance of risk
management and the mechanisms for feeding concerns into the formal processes;
- ensuring that appetite levels are agreed and that risks are reviewed against the appropriate
appetite level;
- ensuring that risks are escalated to a higher level, for example from Division Level to
Strategic Level, when risks are considered to be outside acceptable levels (appetite levels).
Typically, likelihood scores increase to “likely” or “almost certain” and the impact score
increases to a level that would have a significant impact on the Library’s ability to deliver its
Strategic Objectives. Conversely, risks that have decreased in likelihood and impact, or been
eliminated or transferred, may be de-escalated or indeed removed from the risk registers;
- identifying, assessing and deciding risk management training needs for their areas; and
- ensuring fulfilment of risk management responsibilities is recognised in relevant individual
performance appraisals and personal development planning where appropriate.
Employees will be responsible for:
- maintaining an appropriate level of awareness of risks and feeding these into the formal
processes.
3.4 Best Practice Model
The following steps of risk management will be followed in the production of risk assessments at
Strategic, Division, Programme or operational level by the British Library:
1. identifying the risk which might impact on the business objectives / priorities by reference to the
categories of risk specified by the British Library;
2. analysing and scoring the risk in terms of impact and likelihood using a consistent methodology
for this purpose across the British Library;
3. identifying and assessing existing countermeasures which contribute to controlling the risk;
4. providing sources of assurance regarding their on-going effectiveness. The following is a list of
sources of assurance that can be used and provides guidance on the duration of validity of the
assurance:
   Assurance Type
   - Management (Executive Leadership Team, Board, BAC) meeting minute
   - Management minute (Division, Cross Division groups)
   - Management report
   - Policy Document agreed and published
   - Independent Report (Audit/3rd Party)
   - Strategic or Business Plan
   - OGC review report
   - Internal audit report
   - External audit report
5. analysing and scoring the remaining / residual risk in terms of impact and likelihood;
6. prioritising the risk;
7. determining the action required with a view to eliminating the risk, reducing the risk, accepting
the risk or passing the risk on to a third party. In doing so, consideration will need to be given to
resource implications;
8. identifying and assigning risk owners, being individuals responsible for monitoring and
reporting on risks identified, i.e. changes in the nature of the risk, level of exposure and the
on-going effectiveness of internal controls that are in place for managing or mitigating the risk;
9. identifying individuals responsible for taking action in connection with the risk identified and the
date by which action is required; and
10. monitoring and reporting on progress in connection with action. Risk owners should consider
early warning indicators that can be used proactively to forewarn of adverse trends that can
erode the organisational performance.
3.5 The Risk Management Process and Cycle
In managing the risk management processes, it is required that records and procedures are
properly maintained, decisions are recorded and clear audit trails exist in order to demonstrate due
diligence, openness and accountability.
The British Library has established a standard approach to the way in which risk will be assessed
and recorded as part of the above process. This approach will be kept under review to ensure its
continued effectiveness and efficiency.
The British Library aims to integrate risk management into the business planning process for the
purposes of ensuring that organisation objectives are achieved. The British Library has
established a risk review and monitoring cycle, consisting of:
Annually
The Board will:
- review the risk management policy / strategy and identify and agree major changes;
- review the statement on internal control or corporate governance; and
- undertake, in conjunction with the Executive Leadership Team, a formal update and
refresh of the British Library risk profile. This will be completed during September of
each year, prior to the following year’s business planning and budgeting.
Quarterly
The Executive Team, as part of their business plan monitoring, will complete a review of the
British Library risk information, including:
- changes in risk profile and review of progress against risk management action plans,
particularly in connection with strategic risks and other risks classified as residually
high;
- any new and emerging high risks and any major change of priority on existing risks that
may result in their classification as high risks;
- the on-going effectiveness of key risk management controls that contribute to the
reduction of risk exposure from inherently high to a lower classification; and
- key actions for the next period.
At each meeting, the Board Audit Committee will undertake a review of the British Library
risk information and in particular the following:
- on-going effectiveness of key risk management controls that contribute to the reduction
of risk exposure from inherently high to a lower classification; and
- changes in risk profile and review of progress against risk management action plans in
connection with risks classified as residually high.
Monthly
The Executive Leadership Team members and Senior Managers complete a review of the
Division Risk Registers for their areas of responsibility, i.e. functions / operations, including:
- changes in risk profile and review of progress against risk management action plans,
particularly in connection with risks classified as high;
- review of new and emerging high risks and any major change of priority on existing
risks that may result in their classification as high risks;
- the risk controls, to ensure their on-going fitness for purpose and effectiveness; and
- key actions for the next period.
3.6 Escalation and de-escalation
A risk escalation procedure should be developed for each perspective or major activity whereby
management teams are advised of the tolerance thresholds to which they are required to adhere.
This will largely be determined by the Risk Appetite (see section 5). In the event that a single risk,
group of risks or activity exceeds the agreed threshold, then the results should be escalated to the
Head of Division who will be responsible for either deciding a course of action or escalating it
further to the Chief Executive or the Board and considering whether the risk should be added to the
Strategic Risk Register. Conversely, risks that have decreased in likelihood and impact, eliminated
or transferred may be de-escalated or indeed removed from the risk registers.
3.7 Programme Risk
Programme risk registers will be maintained for each major initiative that is being undertaken and
is considered to have a significant business impact on the British Library. These will be consistent
with the approach adopted by British Library organisation-wide and will utilise the Office of
Government Commerce’s best practice tools and products designed for the Government
programme and project management community. A programme / project specific impact scoring
matrix has been established (See Section 4 on Risk Measurement).
Project Risk Registers will be maintained and where appropriate, risks may be escalated by the
Senior Responsible Officer to the appropriate Programme Register. In particular, they should be
escalated should they exceed tolerance thresholds or threaten the achievement of a Strategic
Objective or the delivery of the parent Programme. Programme or project risks may also be
escalated to the Finance Risk Register or indeed the Strategic Register as a new strategic risk or
as a cause of increased risk to an existing strategic risk in particular Strategic Risk No 97, High
profile projects are not delivered effectively.
3.8 Information Risk
The information risk policy defines how the organisation and its delivery partners will manage
information risk and how its effectiveness will be assessed. In so doing, the policy supports the
organisation’s strategic aims and objectives and should enable employees throughout the delivery
chain to identify an acceptable level of risk, beyond which escalation of risk management decisions
is always necessary. The policy and approach fit within the Library’s overall Risk Management
Framework and utilise the organisation’s agreed tools and measurement system.
The approach is consistent with the recommendations in the Cabinet Office review of the
management of sensitive data by Government departments ‘Handling Information Risk’, issued in
April 2008.
The Library maintains a specific risk register for information matters, as well as incorporating them
into the Strategic Risk Register and Division Risk Registers where appropriate.
3.9 Training
The British Library recognises that the success or otherwise of its Risk Management Policy
Statement will be influenced by those individuals responsible for its implementation on a day to day
basis.
Accordingly, the Executive Leadership Team is required to ensure that designated individuals
receive the necessary training, ongoing support and advice in connection with risk management
and the availability of an associated training budget.
Minimum training for Risk Specialists is the Institute of Risk Management Practitioner Course to
Certificate level (CIRM).
Minimum training for Risk Champions is attendance at the internal risk champion training event, but
preferably attendance at the Institute of Risk Management approved course (2 days), Fundamentals
of Risk Management: A practical introduction to Enterprise Risk Management and ISO 31000.
4. Risk Measurement
The key deliverable is the provision of a basis for understanding which risks and associated
responses are important, based on numeric estimates of uncertainty. In order to achieve this, the
Library has adopted the following measurement criteria.
- The 1 to 5 measurement enables a more informed assessment, therefore assisting with distilling
out the ‘Primary’ or highest risks, i.e. those that could unbalance the organisation and lead to
failure to achieve the business objectives set.
- By applying the measurement criteria, the areas of highest risk should by their nature rise to the
top, i.e. a risk exposure quantified at £250 might be significant to a cash system, but should not
be something that the Executive Leadership Team should be worrying about, whereas a major
service reduction or loss of £100,000 would be, if the likelihood was equally high.
- This will assist management in formulating action where action is really required and using
resources appropriately in doing so, i.e. areas of primary / high risk. Why take action if the risk
is low? This wastes resources.
4.1 Risk Scoring Criteria
A Risk Matrix is a tool used in the Risk Assessment process; it allows the severity of the risk of an
event occurring to be determined by considering impact and probability.
4.2 IMPACT Scores and Description
Impact is the result of a particular threat or opportunity actually occurring. The following table
shows Impact scores and their descriptions:
IMPACT SCORES AND DESCRIPTION
(Columns of the original table: Category / Impact Level; Financial; Service Quality; Health/Safety;
Reputation; Collection Risk; Programme Risk.)

(5) Catastrophic
  Financial: Financial impact of £5m or more in total.
  Service Quality: Complete failure of services.
  Health/Safety: Fatality.
  Reputation: Reputation damage is irrecoverable, i.e. Government intervention.
  Collection Risk: Irrecoverable reputational damage leading to external intervention. May lead to
  the cessation of the BL. Will lead to a political or literal inability to function. Will incur major
  interruption of service/business.
  Programme Risk: Programme is more than 40% overspent or under spent. Programme is ahead or
  behind by more than 48 weeks.

(4) Major
  Financial: Financial impact of between £500k and £5m in total.
  Service Quality: Significant reduction in service quality expected.
  Health/Safety: Serious injury may occur.
  Reputation: Reputation damage occurs with the key stakeholders such that their overall confidence
  in the Library is affected.
  Collection Risk: Will have a long term impact on our reputation. The BL will always be associated
  with the event. It will require disaster recovery procedures. The BL will be able to recover
  functionality relatively soon.
  Programme Risk: Programme is more than 21-40% overspent or under spent. Programme is ahead or
  behind by 25-48 weeks.

(3) Moderate
  Financial: Financial impact of between £100k and £500k in total.
  Service Quality: Some service quality impaired, leading to changes in service delivery required to
  maintain quality.
  Health/Safety: Minor injury.
  Reputation: Reputation damage is uncomfortable for the British Library.
  Collection Risk: Affects the integrity of the collection. Will have an impact outside the
  organisation and will damage our reputation. Involves collection item(s) that cannot be routinely
  replaced. Includes instances of identified staff theft.
  Programme Risk: Programme is more than 11-20% overspent or under spent. Programme is ahead or
  behind by 13-24 weeks.

(2) Minor
  Financial: Financial impact of between £10k and £100k in total.
  Service Quality: Marginally impaired, a slight adjustment to service delivery required.
  Health/Safety: Very minor injury.
  Reputation: Slight reputation damage.
  Collection Risk: A collection item that can be routinely replaced. May attract external attention
  or have caused minor damage to our reputation. Within the scope of Division action to resolve
  (e.g. to find a book and correct procedure) [where loss is due to an inadequacy in the process].
  May include Reader theft.
  Programme Risk: Programme is more than 6-10% overspent or under spent. Programme is ahead or
  behind by 7-12 weeks.

(1) Almost None
  Financial: Financial impact of less than £10k in total.
  Service Quality: Negligible effects on service quality.
  Health/Safety: No injury.
  Reputation: No effects on reputation.
  Collection Risk: Unlikely to attract external attention. Business as usual; resolved through
  routine administrative action. An isolated loss – not part of an identified pattern or trend.
  Does not involve an item for which we believe there may be future demand. A collection item
  that can be routinely replaced.
  Programme Risk: Programme is 1-5% overspent or under spent. Programme is ahead or behind by
  1-6 weeks.
4.3 PROBABILITY Score and description
Probability is a way of expressing knowledge or belief that an event will occur. Probability is
scored as follows:
1. Rare: 0 – 20%
2. Unlikely: 21 – 40%
3. Possible: 41 – 60%
4. Likely: 61 – 80%
5. Almost Certain: 81 – 100%
The Risk Matrix below shows how risk levels are calculated and describes the response levels
that should be applied at each level.
Risk Matrix (rows: Impact (I); columns: Likelihood (L))

Impact \ Likelihood   Rare         Unlikely     Possible     Likely        Almost Certain
Catastrophic          Contingency  Contingency  Contingency  Primary       Primary
Major                 Contingency  Contingency  Contingency  Primary       Primary
Moderate              Low          Low          Low          Contingency   Contingency
Minor                 Low          Low          Low          Housekeeping  Housekeeping
Almost None           Low          Low          Low          Housekeeping  Housekeeping
Primary / High Risks (P)
Risks that fall into the area highlighted as red will require immediate attention. Both the status
of the risk, with regard to its effect on British Library activities, and the progress of the action
taken will require monitoring to ensure its effective completion.
As a minimum, this will form part of the monthly risk management review cycle.
Contingency Risk (C)
Risks that fall into the area highlighted as amber may require action, but will require to be
monitored for any changes in the risk or control environment which may result in the risk
attracting a higher score. In all cases, the British Library will look to pass this risk on to third
parties where possible, i.e. through insurance or indemnities.
As a minimum, this will form part of the quarterly risk management review cycle.
Housekeeping Risk (HK)
Risks that fall into the area highlighted as yellow will require to be monitored by management.
This will form part of the quarterly risk management cycle.
Low Risk (L)
Risks that fall into the area highlighted as green will require review only, but no further action.
This will form part of the quarterly risk management cycle.
5. Risk Appetite
Risk appetite is defined as the Library’s willingness to accept risk in pursuit of its objectives. The
establishment of the British Library’s statement on risk appetite is intended to guide risk owners in
their actions and ability to accept and manage risks.
Risk appetite is the shorthand phrase used to describe where the Library considers itself to be on
the spectrum ranging from willingness to take or accept risk through to an unwillingness or
aversion to taking some risks. It is about the question “what are we prepared to take on, which
risks do we need to reduce and which risks are we prepared to accept?”
The Board for example will have an appetite for some types of risk and an aversion for others.
Decisions depend on the context, on the nature of the potential losses or gains and the extent to
which information regarding the risks is complete, reliable and relevant. The outcomes of any
decision need to be considered both in terms of the consequences of threats and opportunities
missed, and are not confined to money – there are risks we steward on behalf of the public where
our appetite may be very low.
The Executive Leadership Team and the Board should review the risk appetite levels annually. In times of limited resources, for example, the Library may need to become less risk averse in order to maximise opportunities and deliver its strategic objectives.
The table below describes the 5 levels of risk appetite from the highest level Risk Appetite 5 where
the Library is willing to accept significant risks in pursuit of major gains to Risk Appetite 1 where the
Library is unwilling to accept risk regardless of perceived gains.
(Note: These scores relate solely to the risk appetite, they are not comparable with the
impact and probability scores.)
Risk Appetite levels and descriptions

Assessment: Maximum Risk Appetite (5)
Description: The Library accepts opportunities that have an inherently high risk that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff and readers.

Assessment: Moderate Risk Appetite (4)
Description: The Library is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff and readers.

Assessment: Modest Risk Appetite (3)
Description: The Library is willing to accept some risks, in certain circumstances, that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, major incident(s) of regulatory non-compliance, or potential risk of injury to staff and readers.

Assessment: Low Risk Appetite (2)
Description: The Library is not willing to accept, in most circumstances, risks that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, significant incident(s) of regulatory non-compliance, or potential risk of injury to staff and readers.

Assessment: Minimum Risk Appetite (1)
Description: The Library is not willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in information systems or information integrity, minor incident(s) of regulatory non-compliance, or potential risk of injury to staff and readers.
This translates into the statements below which aim to give guidance on the level of risk that
should be accepted in each risk area.
5.1 Brand (Risk Appetite 2)
The Library aims to protect its brand, seeking to develop or align the expectations behind the brand experience: the impression that a brand associated with a product or service has certain qualities or characteristics that make it special or unique. Our brand is therefore considered one of the most valuable elements demonstrating what the Library is able to offer in the marketplace, and we are not willing to accept risks to it in most circumstances.
5.2 Academic and Scholarly Reputation (Risk Appetite 2)
The Library will continue to maintain its high standards of scholarship, conduct and
academic quality when dealing with matters associated with the Collections within its
financial limits.
5.3 Financial Resources
5.3.1 Stewardship (Risk Appetite 1)
The Library will maintain its high financial stewardship standards. The Executive
Leadership Team and Board have a duty to manage the finances and resources of the
Library to ensure transparency, accountability, efficiency, economy and effectiveness.
5.3.2 Budgeting (Risk Appetite 2)
We accept that in certain circumstances there may be a risk of overspend against individual
budgets, the overall impacts of which will need to be managed within the aggregate
resources available to the Library.
5.4 Information Management – Administrative Systems (Risk Appetite 2)
The Library will maintain the security, integrity and availability of information systems at the
highest levels possible commensurate with available resources.
5.5 Collection Management – Security of the Collection item by security category
The Library’s role as steward of the national collection means that it mitigates risk to its collection as far as possible, while providing access to it. The collection has for some time been subdivided into 5 categories based on the type of collection item, its value and the associated security risks. These existing categories have been used to articulate the range of appetite statements below.
Category 1: Restricted (Risk Appetite 1) – Items to which access is not normally granted, due to exceptionally high monetary value, proven susceptibility to theft, or preservation reasons.
The Library has an extremely small number of collection items where underlying issues
mean that we do not publicly record our ownership of them, nor allow any access to
them. In addition the Library has a larger number of items to which access may not be
allowed for a set period of time. For example, the deposited papers of a person may
be ‘closed’ for a substantial period because they mention living individuals.
Category 2: Special (Risk Appetite 2) – Items which, due to their value, vulnerability, subject or format, must be read in a high level reading room at a designated desk under staff supervision.
Collection items identified as being of particularly high cultural or financial value, or noted as particularly vulnerable to theft or damage, are subject to increased security measures, including close supervision in a high security Reading Room. These items are classified as ‘special’ and are subject to additional measures to protect them as far as possible from loss or harm.
Category 3: Higher (Risk Appetite 2) – Items which, due to their value, vulnerability, subject or format, must be read in a high level reading room.
As above, these collection items identified as being of particularly high cultural or financial value, or noted as particularly vulnerable to theft or damage, are subject to increased security measures and may only be accessed by Readers in a high security Reading Room. These items are classified as ‘higher’ and are subject to additional measures to protect them as far as possible from loss or harm.
Category 4: Document Supply Service material (Risk Appetite 4)
The Library is willing to accept a moderate level of risk to collection items which under
our policies are able to be lent through the Document Supply Service. While a range
of measures mitigate risk to them, the BL accepts that a very small number of items
may be lost or damaged. In these circumstances, Document Supply customers are
invoiced for replacement costs.
Category 5: Open General (Risk Appetite 3) – Items which can be read in any reading room, and reference works shelved on open access in the Reading Rooms.
The Library’s role as steward of the national collection means that it mitigates risk to its general and open access reference collection as far as possible, while providing access to it. The Library accepts a modest level of risk to these items.
Buildings – the physical fabric of the Library (Risk Appetite 4)
The Library will continue to use the resources available for the maintenance of the Estate to
ensure it is fit for purpose and is utilised as efficiently as possible. We will accept some risk
in managing the Estate including on building projects where gains are particularly
significant. We further accept however that, given the ageing nature of some parts of the
Estate and the resources available, it will not be possible to maintain all buildings beyond
ensuring that they meet the minimum requirements to make them fit for purpose.
5.6 Digital Library development (Risk Appetite 3)
The Library will continue the development of infrastructure for the Digital Library and is willing to accept some risk in pursuit of creative and innovative technical solutions. We recognise that this is an area with an inherently high level of risk, but one where the gains are particularly significant.
5.7 Physical Environment – Health and Safety (Risk Appetite 2)
The Library will take corrective action to address known health, safety, and employee and public well-being exposures. We will continue to prioritise investigative and preventative studies and initiatives in these areas.
5.8 Ethical Environment (Risk Appetite 2)
The Library will strive to respond in accordance with established policy, procedure and
agreements to any ethical breach. However, we accept the potential for minor incidents of
ethical concern.
5.9 Relationships (Risk Appetite 3)
The Library will continue to maintain good relationships with critical stakeholders
(community, funders, donors, government). However, we are willing to accept some risks
in certain circumstances that may result in damage to some stakeholder relationships. This
may be for example where stakeholder groups have conflicting views or needs or where the
costs of mitigating the risks are particularly high.
5.10 Staff (Risk Appetite 3)
The Library will develop the capabilities and capacity of staff in order to deliver key priorities and maintain service levels. We will strive to recruit and retain the best possible staff within the organisation’s budgetary limits, while accepting that because of these limits we may not be able to recruit and retain staff with ideal competency sets.
5.11 Service delivery (Risk Appetite 2)
The Library will not accept risk in most circumstances. However, in this area of significant uncertainty and high mitigation costs, some limited risk has to be accepted: we accept that day-to-day service reductions are inevitable given the volatility of supply and demand.
5.13 Business Continuity (Risk Appetite 3)
The Library mitigates the impact of interruptions to its services when it is possible to do so
within its financial limits. As a consequence the Library accepts a level of risk for service
interruptions that are either unlikely to occur or that are beyond the Library’s financial
resources to address.
5.14 Governance (Risk Appetite 2)
The Library is not willing to accept risks in most circumstances in relation to governance.
However, we accept the potential for minor risk within contractual matters and governance
processes.
5.15 Compliance (Risk Appetite 1)
The Library is not willing to accept risks in any circumstances in relation to compliance in
legal and financial matters.
6. Annual Assurance Statement
The British Library requires Heads of Division to sign an annual statement relating to their risk management work. This is part of the overall risk management arrangements that allow the Chief Executive and the Chairman of the Board to sign the Statement of Internal Control / corporate governance statement, since that Statement can only be signed without reservation if risk management arrangements have been in place and operating throughout the year. The annual statement is made to the Library’s Accounting Officer. A comments section is included to allow Heads of Division to bring to the attention of the Accounting Officer (via this annual statement) any concerns or areas of uncertainty they have identified, whether in terms of specific risks or in terms of process.
Annual Assurance Statement with regard to Risk Management by British Library Head of
Division:
Certification by: ……...............………………..……..…..
For: ………………………………………………………… Head of Division
I, the undersigned, certify that, to the best of my knowledge, I have complied with the Library’s risk management policies and procedures contained in the Library's Risk Management Policy and Strategy statement during the period from 1 April 20xx until 31 March 20xx. I have been advised on these procedures and policies by the appropriate staff. I am not aware of any significant non-compliance by other members of my staff, all of whom have been made aware of the above requirements, nor am I aware of any major issues of non-compliance since 31 March 20xx.
Comment…………………………………………………………………………………………………
………………………………………………………………………………………………………………
………………………………………………………………………………………………………………
………………………………………………………………………………………………………………
………………………………………………………………………………………………………………
………………………………………………………………………………………………………………
………………….
Signed ……………………………………………….
Date …………………………………………………..