Professional Documents
Culture Documents
Management of Risk –
Principles and Concepts
Term Intention
shall denotes a requirement: a mandatory element
The Orange Book was previously revised by Mark Ripley in 2020. The 2023
version, amended primarily to accommodate Part II, was produced by the
Head of the Government Risk Profession and the Risk Centre of Excellence in
consultation with several public sector organisations.
You may re-use this information (excluding logos) free of charge in any format or
medium, under the terms of the Open Government Licence.
Where we have identified any third-party copyright material you will need to
obtain permission from the copyright holders concerned.
Contents
Introduction 2
Scope 4
Purpose 4
Comply or Explain 5
Structure 6
Part I: Risk Management Principles 8
Section A: Governance and Leadership 10
Section B: Integration 14
Section C: Collaboration and Best Information 16
Section D: Risk Management Processes 20
Section E: Continual Improvement 26
Part II: The Risk Control Framework 28
Section F: Structure of the Risk Control Framework 31
Section G: Assurance 36
Annex 1: Roles and Responsibilities 42
Annex 2: The Three Lines Model 46
Annex 3: Questions to Ask 50
Annex 4: Example Risk Categories 54
Annex 5: Definitions and Supportive Concepts 56
Annex 6: References 60
Introduction
2
Introduction | The Orange Book
Public Sector organisations cannot be risk averse This updated guidance has benefited from
and be successful. Risk is inherent in everything discussions with stakeholders and practitioners
we do to deliver high-quality services. Effective across the public sector and with colleagues from
and meaningful risk management in government the private sector. We are grateful for their time and
remains as important as ever in taking a balanced valuable insights.
view to managing opportunity and risk. It must be
an integral part of informed decision-making; from
policy or project inception through implementation
to the everyday delivery of public services.
3
The Orange Book | Introduction
Scope Purpose
The document builds on the version published in This document is intended for use by everyone
2020 with the addition of a new section: Part II. involved in the design, operation and delivery
Like the original version, this document is of efficient, trusted public services. Its primary
applicable to all government departments and audience is likely to be:
arm’s length public bodies1 with responsibility
• accounting officers
derived from central government for public funds.
• executive and non-executive
This document may be useful to all parts of the members of the boards
UK public sector, as the same principles generally
• Audit and Risk Assurance
apply, with adjustments for context.
Committee members
• risk practitioners
• senior leadership
• policy leads
• programme and project Senior Responsible
Officers (SROs)
1 Executive Agencies, Non Departmental Public Bodies and Non Ministerial Departments.
4
Introduction | The Orange Book
This document does not set out the procedure The main principles are the core of the document.
by which an organisation should design and The way in which they are applied should be
operate risk management. Instead, this document the central question for a board as it determines
sets out a principles-based approach that how it is to operate in accordance with the
provides flexibility and judgement in the design, Corporate Governance Code[2]. Each government
implementation and operation of risk management, organisation is required either to disclose
informed by relevant standards[1] and good compliance or to explain their reasons for
practice. Where relevant, the reader is directed to departure clearly and carefully in the governance
other standards and guidance, including related statement accompanying their annual resource
functional and professional standards and codes of accounts. The requirement for an explanation
practice (see Annex 6). allows flexibility, but also ensures that the process
is transparent, allowing stakeholders to hold
organisations and their leadership to account.
5
The Orange Book | Introduction
Structure Annexes
The primary roles and responsibilities are set out in
each Section. The responsibilities and expectations
The document is structured in two parts: of the board, the accounting officer and the
Audit and Risk Assurance Committee are also
Part I – Risk Management Principles Sections (A-E), summarised at Annex 1.
based on principles that are designed to provide
the “what” and the “why”, not the “how”, for the Some explanation of, and guiding principles on,
design, operation and maintenance of an effective the design and operation of the “three lines model”
risk management framework. are provided in Annex 2.
The principles can be applied within and Annex 3 contains questions that may assist
across departments, arm’s length bodies and in assessing how the principles are applied in
organisations with linked objectives, and to activity defining clear responsibilities, promoting the risk
at any level of decision-making. The principles culture, developing capabilities and supporting the
should be used to inform an organisation’s effectiveness of risk management.
approach to risk management and its own more
detailed policies, processes and procedures Some common categories or groupings of sources
– the “how”. Implementing and improving the of risk are provided at Annex 4. These may help
risk management framework should support consider the range of potential risks that may arise;
an incremental approach to enhancing risk they are not intended to be comprehensive.
management culture, processes and capabilities
over time, building on what already exists to Definitions and supportive concepts are provided
achieve improved outcomes. at Annex 5 of some terms used throughout this
document to explain the scope and intended
Part II – Risk Control Framework Sections meaning behind the language used.
(F‑G) outlines a framework to assist accounting
officers and departments, arm’s length bodies Annex 6 contains further details of other standards
and organisations in structuring their internal and guidance referenced throughout the document.
control and assurance activities to help meet
existing high level control requirements placed on
accounting officers.
6
Introduction | The Orange Book
Supplementary ‘Guides’
Linked to the Orange Book are supplementary
guides which support the implementation
of the concepts and principles outlined in
the Orange Book.
• Risk Appetite Guidance Note
• Risk Management Skills &
Capabilities Framework
• Risk Reporting Good Practice Guide
• Portfolio Risk Management Guidance
7
Part I:
Risk Management
Principles
8
Part I: Risk Management Principles | The Orange Book
n
C o
fo
io
rm
at
rm
at
io
fo
n
In
n t Risk treatm
n e
an assesscmatio
e
nt
k identifi
Risk monit
Continual
Communication Improvement Consultation
Risd
or
is in
R
kr g
epo
rting In
si
gh
t
t
gh
si
In
A Risk management shall be an essential part of c the design and operation of integrated,
governance and leadership, and fundamental insightful and informative risk monitoring;
to how the organisation is directed, managed and
and controlled at all levels.
d timely, accurate and useful risk reporting
B Risk management shall be an integral part to enhance the quality of decision-making
of all organisational activities to support and to support management and oversight
decision-making in achieving objectives. bodies in meeting their responsibilities.
9
Section A:
Governance and
Leadership
10
Section A: Governance and Leadership | The Orange Book
Main Principle
A isk management shall be an
R
essential part of governance and
leadership, and fundamental to how the
organisation is directed, managed and
controlled at all levels.
Supporting Principles
A1 Each public sector organisation should
establish governance arrangements
appropriate to its business, scale and
culture[3]. Human behaviour and culture
significantly influence all aspects of risk
management at each level and stage.
To support the appropriate risk culture,
the accounting officer should ensure
that expected values and behaviours are
communicated and embedded at all levels.
11
The Orange Book | Section A: Governance and Leadership
Ambitious
Modern Civil Service
A3 The board should make a strategic choice line with this risk appetite, ensure confidence
about the style, shape and quality of in the response to risks and ensure
risk management[4] and should lead the transparency over the principal risks faced
assessment and management of opportunity and how these are managed.
and risk. The board should determine and
continuously assess the nature and extent
of the principal risks2 that the organisation is
exposed to and is willing to take to achieve
its objectives – its risk appetite – and ensure
that planning and decision-making reflects
this assessment. Effective risk management
should support informed decision-making in
2 A principal risk is a risk or combination of risks that can seriously affect the performance or reputation of the organisation.
12
Section A: Governance and Leadership | The Orange Book
A4 The board should ensure that roles and A7 The accounting officer, supported by the
responsibilities for risk management are Audit and Risk Assurance Committee,
clear, to support effective governance should establish the organisation’s overall
and decision-making at each level with approach to risk management. An effective
appropriate escalation, aggregation and risk management framework will differ
delegation. The accounting officer should between organisations depending on their
ensure that roles and responsibilities are purpose, objectives, context and complexity.
communicated, understood and embedded The risk management framework should be
at all levels. The ‘three lines model’ provides periodically reviewed to ensure it remains
a systematic approach that may be used appropriate (see Section E).
to help clarify the specific roles and
responsibilities that are necessary for the A8 The accounting officer should designate
effective management of risks within an an individual to be responsible for leading
organisation (see Annex 2). the organisation’s overall approach to risk
management, who should be of sufficient
A5 The board should agree the frequency and seniority and should report to a level within
scope of its discussions to review how the organisation that allows them to influence
management is responding to the principal effective decision-making. They should
risks and how this is integrated with other be proactively involved with and influence
matters, including planning and performance governance and decision-making forums
management processes. Risk should be and should establish, and be supported
considered regularly as part of the normal through, effective communication and
flow of management information about the engagement with the accounting officer,
organisation’s activities and in significant senior management, the board and the chair
decisions on strategy, major new projects of the Audit and Risk Assurance Committee.
and other prioritisation and resource They should also exhibit a high level of
allocation commitments. Risk management objectivity in gathering, evaluating and
should anticipate, detect, acknowledge communicating information and should not
and respond to changes and events in an be unduly influenced by their own interests
appropriate and timely manner. Risks can or by others in forming and expressing
crystallise quickly; the board and Audit and their judgements.
Risk Assurance Committee should ensure
that there are clear processes for bringing A9 The accounting officer should ensure the
significant issues to its attention more rapidly allocation of appropriate resources for risk
when required, with agreed triggers for doing management, which can include, but is
so as a part of risk reporting (see Section D). not limited to, people, skills, experience
and competence.
A6 Regular reports to the board should provide
a balanced assessment of the principal risks A10 The accounting officer, supported by senior
and the effectiveness of risk management. management, must demonstrate leadership
The accounting officer, supported by the and articulate their continual commitment
Audit and Risk Assurance Committee, should to, and the value of, risk management
monitor the quality of the information they through developing and communicating
receive and ensure that it is sufficient to allow a policy or statement to the organisation
effective decision-making. and other stakeholders, which should be
periodically reviewed.
13
Section B:
Integration
14
Section B: Integration | The Orange Book
16
Section C: Collaboration and Best Information | The Orange Book
Strategic/
top down Consolidation
risk
themes
Department Review and approve
risk identification Proposed principal risks
Identification of approved by the: Department
risks from a ‘top Aggregation • Executive Committee principal
down’ view with • Audit and Risk risks
a focus on strategic Assurance Committee
objectives • Board
Consolidated
extended Assessment
enterprise
risks
Suppliers
Escalated risks:
Significant risks
that impact
the delivery of
objectives covering
all policy and Arm’s
operational areas, Length
functions and Bodies
types of risk
17
The Orange Book | Section C: Collaboration and Best Information
C2 Nearly all government departments sponsor C4 Those assessing and managing risks should
arm’s length bodies for which they take consult with appropriate external and
ultimate responsibility, while allowing a internal stakeholders to facilitate the factual,
degree of (or sometimes considerable) timely, relevant, accurate and understandable
independence. Effective relationships and exchange of information and evidence,
partnership working between departments while considering the confidentiality and
and arm’s length bodies, a mutual integrity of this information. Communication
understanding of risk, and a proportionate should be continual and iterative in
approach to monitoring and reporting are supporting dialogue, providing and sharing
critical. The principal accounting officer3 information and promoting awareness and
should consider the organisation’s overall understanding of risks.
risk profile, including the risk management
within arm’s length bodies, who should have C5 Communication and consultation should
their own robust and aligned arrangements also assist relevant stakeholders in
in place. Informative and transparent understanding the risks faced, the basis on
management information should enable which decisions are made and the reasons
departments and arm’s length bodies to why particular actions are required and taken.
promote transparency and understanding Communication and consultation should:
in achieving the effective management of
• bring together different functions and
risks, including the timely escalation of risks,
areas of professional expertise in the
as necessary, based on agreed criteria.
management of risks
C3 Risk management processes (see Section D) • ensure that different views are
should be conducted systematically, appropriately considered when defining
iteratively and collaboratively, drawing on risk criteria and when analysing risks
the knowledge and views of experts and (see Section D)
stakeholders. Information and perspectives
• provide sufficient information and
should be supplemented by further enquiry
evidence to facilitate risk oversight and
as necessary, should reflect changes over
decision making
time and should be appropriately evidenced.
Expert risk assessment methodologies • build a sense of inclusiveness and
may be highly specialised and may vary ownership among those affected by risk
depending on the context.
Complicated and ambiguous risk scenarios
are inherent given the dynamic and/or
behavioural complexity in public service
delivery, often with no simple, definitive
solutions. These risks require whole-
system-thinking, aligned incentives, positive
relationships and collaboration, alongside
relevant technical knowledge, to support
multi-disciplinary approaches to their
effective management.
3 The Treasury appoints the permanent head of each central government department to be its accounting officer. Where there
are several accounting officers in a department, the permanent head is the principal accounting officer.
18
Section C: Collaboration and Best Information | The Orange Book
4 Functions are embedded in government departments and arm’s length bodies, helping to deliver departmental objectives and
better outcomes across government.
19
Section D:
Risk Management
Processes
20
Section D: Risk Management Processes | The Orange Book
Risk trea
tm
en
t
me n
and assess atio
nt
Risk identific
Risk mon
it o
rin
g
Ri
sk
rep
o rting
21
The Orange Book | Section D: Risk Management Processes
22
Section D: Risk Management Processes | The Orange Book
D6 Risk evaluation should involve comparing the D8 As part of the selection and development of
results of the risk analysis with the nature and risk treatments, the organisation should specify
extent of risks that the organisation is willing how the chosen option(s) will be implemented,
to take – its risk appetite – to determine so that arrangements are understood by those
where and what additional action is required. involved and effectiveness can be monitored.
Options may involve one or more of the This should include:
following:
• the rationale for selection of the
• avoiding the risk, if feasible, by deciding option(s), including the expected
not to start or continue with the activity benefits to be gained
that gives rise to the risk
• the proposed actions
• taking or increasing the risk in order to
• those accountable and responsible for
pursue an opportunity
approving and implementing the option(s)
• retaining the risk by informed decision
• the resources required, including
• changing the likelihood, where possible contingencies
• changing the consequences, including • the key performance measures and
planning contingency activities control indicators, including early warning
indicators
• sharing the risk (e.g. through commercial
contracts[12]) • the constraints
• when action(s) are expected to be
The outcome of risk evaluation should be
undertaken and completed
recorded, communicated and validated
at appropriate levels of the organisation. • the basis for routine reporting
It should be regularly reviewed and revised and monitoring
based on the dynamic nature and level of
the risks faced. D9 Where appropriate, contingency,
containment, crisis, incident and continuity
management arrangements should be
Risk treatment developed and communicated to support
D7 Selecting the most appropriate risk resilience and recovery if risks crystallise.
treatment option(s) involves balancing the
potential benefits derived in enhancing the
Risk monitoring
achievement of objectives against the costs,
efforts or disadvantages of proposed actions. D10 Monitoring should play a role before, during
Justification for the design of risk treatments and after implementation of risk treatment.
and the operation of internal control is Ongoing and continuous monitoring
broader than solely economic considerations should support understanding of whether
and should take into account all of the and how the risk profile is changing and
organisation’s obligations, commitments and the extent to which internal controls are
stakeholder views. operating as intended to provide reasonable
assurance over the management of risks to
an acceptable level in the achievement of
organisational objectives.
23
The Orange Book | Section D: Risk Management Processes
24
Section D: Risk Management Processes | The Orange Book
25
Section E: Continual
Improvement
26
Section E: Continual Improvement | The Orange Book
27
Part II:
The Risk Control
Framework
28
Part II: The Risk Control Framework | The Orange Book
Part II does not introduce any additional principles. Purpose of the Risk Control Framework
However, it does provide further granularity on (RCF)
‘what’ and ‘why’ in relation to the control of risk
as it is important that the principles in Part I are To help organisations have an effective and
consistently understood in relation to this aspect efficient approach to risk control, the RCF provides
of risk management. Consistent with the rest structure to existing requirements which should
of the Orange Book this section is not intended help accounting officers:
to be prescriptive about ‘how’ organisations i in being confident in their control activities
should control risk. and
ii when prioritising control improvements.
Existing accounting officer Responsibilities
in relation to Risk Control It should also help strengthen decision making and
support the management of risks taken to fulfil their
As the senior executive official in each public
duties. More effective control can allow for a higher
sector organisation, accounting officers are
level of risk to be taken where desired, allowing
responsible for ensuring organisational compliance
better outcomes from a given level of resource (or
with existing rules and guidance, including
the same with less), leading to more effective and
Functional Standards. Each year accounting
efficient risk management.
officers sign statements acknowledging their
responsibilities and providing assurance on the
adequacy of internal controls. How the Framework was developed
The accounting officer control responsibilities In collaboration with the Government Internal Audit
support the achievement of their organisations’ Agency, the Treasury Officer of Accounts reviewed
policies, aims and objectives, while safeguarding the existing body of rules and guidance related to
quality standards and public funds, as well as internal control and structured the list into a RCF.
meeting high standards of public conduct.
After extensive consultation, the existing rules
The control frameworks in existence vary in their and standards were grouped into categories
nature across government and are permitted to (the “Pillars”) and sub-sections, the aim being to
be so in accordance with broader government simplify navigation of the existing requirements
governance principles. In an ever-changing and offer consistency to the way in which
environment, with new risks emerging and systems adherence can be understood in different parts of
and controls changing, procedures and policies an organisation.
must be regularly reviewed and updated to ensure
that they remain fit for purpose. In summer 2022, the first Head of the Government
Risk Profession took custodianship of the
The Risk Control Framework does not change framework and, with the support of a working
accounting officer responsibilities but should make group from several government organisations,
it easier for accounting officers, their management developed this guidance (and the supporting
teams, functional leaders, audit and risk assurance assurance tool) around it – see Section G for
committees, and boards to demonstrate that these further details.
responsibilities are being discharged appropriately.
29
The Orange Book | Part II: The Risk Control Framework
30
Section F: Structure
of the Risk Control
Framework
31
The Orange Book | Section F: Structure of the Risk Control Framework
32
Section F: Structure of the Risk Control Framework | The Orange Book
Governance
Functional
Statement & AO All Staff Annual Planning
Standards
System Statement
Descriptions of the pillars and blocks and examples of specific items that organisations
might look for against each of the blocks are contained in the assurance tool.
33
The Orange Book | Section F: Structure of the Risk Control Framework
34
Section F: Structure of the Risk Control Framework | The Orange Book
Continual Improvement
RM Processes
Integration
Risk Control Framework
Pillars Blocks
Propriety and ethics •
35
Section G:
Assurance
36
Section G: Assurance | The Orange Book
37
The Orange Book | Section G: Assurance
38
Section G: Assurance | The Orange Book
39
The Orange Book | Section G: Assurance
40
Section G: Assurance | The Orange Book
Whichever approach (or combination of • Appropriate mix: There are different types of
approaches) to mapping is adopted by assurance that may have different strengths and
organisations, the following generic tips should may be best used in different ways. The Audit
be useful to consider: and Risk Assurance Committee can play a key
role in seeking an optimum mix of assurance
• Start with strategic: Focusing first on aspects
of most strategic importance will help calibrate • Proportionality and Pragmatism: In practical
further, less-strategic assurance work terms assurance should be manageable and
suitable for the nature, scale and complexity
• Leverage existing information: Existing risk of the operations being reviewed
and control information (including owners and
links to business processes etc) should already
have been captured in risk registers and other
documents and this should be useful when
planning assurance work
• Effectiveness and Efficiency: Address the
effectiveness and efficiency of the assurance
being planned to include the level of assurance
and the sources of it (which might be of varying
quality and otherwise result in gaps/overlaps)
41
Annex 1: Roles and
Responsibilities
– Board, accounting
officer and Audit
and Risk Assurance
Committee
42
Annex 1: Roles and Responsibilities | The Orange Book
43
The Orange Book | Annex 1: Roles and Responsibilities
44
Annex 1: Roles and Responsibilities | The Orange Book
Audit and Risk Assurance Committee[14] Assurance should be obtained on risks across
the organisational group. The group should
Leading the assessment and management of risk is
focus on assurances over the management of
a role for the board. The Audit and Risk Assurance
cross organisational governance, risk and control
Committee should support the board in this role.
arrangements to supplement departmental or
entity level assurances. Similarly, assurance should
It is essential that the Audit and Risk also encompass services outsourced to external
Assurance Committee: providers, including shared service arrangements,
• understands the organisation’s business and risks that cross organisational boundaries,
strategy, operating environment and the for example, in major projects.
associated risks, taking into account all key
elements of the organisation as parts of an
“extended enterprise”
• understands the role and activities of the
board (or equivalent senior governance body)
in relation to managing risk
• discusses with the board its policies, attitude
to and appetite for risk to ensure these are
• appropriately defined and communicated
so that management understands these
parameters and expectations
• understands the risk management framework
and the assignment of responsibilities
• critically challenges and reviews the risk
management framework, without second
guessing management, to evaluate how well
the arrangements are actively working in
the organisation
• critically challenges and reviews the
adequacy and effectiveness of control
processes in responding to risks within
the organisation’s governance, operations,
compliance and information systems
45
Annex 2: The Three
Lines Model
46
Annex 2: The Three Lines Model | The Orange Book
BOARD/AUDIT COMMITTEE
SENIOR MANAGEMENT
Inspection Bodies
• Identify, assess, own and • Set the boundaries for • Provide an objective
manage risks delivery through the evaluation of the
• Design, implement and maintain definition of standards, adequacy and
effective internal control policies, procedures and effectiveness of
measures guidance the framework of
• Supervise execution and • Assist management in governance, risk
monitor adherence developing controls in line management and
• Implement corrective actions to with good practice control
address deficiencies. • Monitor compliance and • Provide proactive
effectiveness evaluation of
• Agree any derogation controls proposed by
from defined requirements management
• Identify and alert senior • Advise on potential
management, and where control strategies and
appropriate governing the design of controls.
bodies, to emerging
issues and changing risk
scenarios.
47
The Orange Book | Annex 2: The Three Lines Model
First line Roles The second line should have a defined and
proportionate approach to ensure requirements
Under the ‘first line role’, management
are applied effectively and appropriately.
have primary ownership, responsibility and
This would typically include compliance
accountability for identifying, assessing and
assessments or reviews carried out to determine
managing risks. Their activities create and/or
that standards5, expectations, policy and/or
manage the risks that can facilitate or prevent an
regulatory considerations are being met in line with
organisation’s objectives from being achieved.
expectations across the organisation.
The first line ‘own’ the risks and are responsible
Where they exist, Assurance Teams (typically from
for execution of the organisation’s response to
the second line as third line assurance is provided
those risks through executing internal controls on
by Internal Audit) usually:
a day-to-day basis and for implementing corrective
actions to address deficiencies. • Lead and coordinate the assurance mapping
and delivery activity, including consolidating
Through a cascading responsibility structure, and reporting results to committees
managers design, operate and improve processes,
• Agree and refine wording of questions to
policies, procedures, activities, devices,
be used locally each year, with help from
practices, or other conditions and/or actions
Subject Matter Experts (SME), specifying
that maintain and/or modify risks and supervise
‘what good looks like’ locally in terms of
effective execution. There should be adequate
controls and evidence
managerial and supervisory controls in place
to ensure compliance and to highlight control • Set the rating mechanisms and
breakdown, variations in or inadequate processes formatting requirements to be used for
and unexpected events, supported by routine assurance findings
performance and compliance information.
• Pursue areas requiring improvements,
ensuring actions taken e.g., development of
Second line Roles management information (such as reports
on staff undertaking mandated training)
The second line role consists of functions
and activities that monitor and facilitate the • Attend challenge meetings with
implementation of effective risk management Director Generals (DGs) and other
practices and facilitate the reporting of adequate senior business leaders
risk related information up and down the • Undertake other duties as appropriate
organisation. The second line should support for their organisation
management by bringing expertise, process
excellence, and monitoring alongside the first line
to help ensure that risks are effectively managed.
5 In addition to professional standards, functional standards guide people working in and with the UK government. They exist to
create a coherent and mutually understood way of doing business across organisational boundaries, and to provide a stable
basis for assurance, risk management, and capability improvement.
48
Annex 2: The Three Lines Model | The Orange Book
6 Some executive NDPBs may have private sector external auditors (either appointed by the relevant Secretary of State
or by the Body’s Executive) with a reporting line directly to the Secretary of State or to the body rather than through NAO
to Parliament.
49
Annex 3: Questions
to Ask
50
Annex 3: Questions to Ask | The Orange Book
These questions may assist in assessing 6 How are authority, responsibility and
how the risk management principles accountability for risk management and
are applied to support the efficient and internal control defined, co-ordinated and
effective operation of the risk management documented throughout the organisation?
framework. They should be read in
conjunction with the principles set out 7 How is the designated individual responsible
in this document and are included in the for leading the overall approach to risk
Assurance Tool. The questions are not management positioned and supported to
intended to be exhaustive and not all will allow them to exercise their objectivity and
be applicable in all circumstances. If the influence effective decision-making?
answers to the questions raise concerns,
consideration should be given to whether 8 How are the necessary skills, knowledge
action is needed to address possible areas and experience of the organisation’s risk
practitioners assessed and supported?
for improvement.
9 How has the necessary commitment to risk
Governance and Leadership management been demonstrated?
1 How is the desired risk culture defined,
communicated, and promoted? How is this Integration
periodically assessed?
10 How are risks considered when setting and
changing strategy and priorities?
2 How do human resource policies and
performance systems encourage and support
desired risk behaviours and discourage 11 How are risks transparently assessed
inappropriate risk behaviours? within the appraisal of options for policies,
programmes and projects or other significant
commitments?
3 How has the nature and extent of the
principal risks that the organisation is willing
to take in achieving its objectives been 12 How are emerging risks identified and
determined and used to inform decision- considered?
making? Is this risk appetite tailored and
proportionate to the organisation? 13 How are risks to the public assessed and
reflected within policy development and
4 How are the board and other governance implementation?
forums supported to consider the
management of risks, and how is this 14 How are National Risk Register risks, that are
integrated with discussion on other matters? particularly pertinent to the organisation,
recognised in risk assessments and
5 How effective are risk information and discussions?
insights in supporting decision-making,
in terms of the focus and quality of
information, its source, its format and
its frequency?
51
The Orange Book | Annex 3: Questions to Ask
52
Annex 3: Questions to Ask | The Orange Book
Continual Improvement
33 How are policies, programmes and projects
evaluated to inform learning from experience?
How are lessons systematically learned from
past events?
53
Annex 4: Example
Risk Categories
54
Annex 4: Example Risk Categories | The Orange Book
Strategy risks – Risks arising from identifying People risks – Risks arising from ineffective
and pursuing a strategy, which is poorly defined, leadership and engagement, suboptimal culture,
is based on flawed or inaccurate data or fails to inappropriate behaviours, the unavailability of
support the delivery of commitments, plans or sufficient capacity and capability, industrial action
objectives due to a changing macro-environment and/or non-compliance with relevant employment
(e.g. political, economic, social, technological, legislation/HR policies resulting in negative impact
environment and legislative change). on performance.
Governance risks – Risks arising from unclear Technology risks – Risks arising from
plans, priorities, authorities and accountabilities, technology not delivering the expected
and/or ineffective or disproportionate oversight of services due to inadequate or deficient system/
decision-making and/or performance. process development and performance or
inadequate resilience.
Operations risks – Risks arising from
inadequate, poorly designed or ineffective/ Information risks – Risks arising from a failure
inefficient internal processes resulting in fraud, to produce robust, suitable and appropriate data/
error, impaired customer service (quality and/or information and to exploit data/information to its
quantity of service), non-compliance and/or poor full potential.
value for money.
Security risks – Risks arising from a failure to
Legal risks – Risks arising from a defective prevent unauthorised and/or inappropriate access
transaction, a claim being made (including a to the estate and information, including cyber
defence to a claim or a counterclaim) or some other security and non-compliance with General Data
legal event occurring that results in a liability or Protection Regulation requirements.
other loss, or a failure to take appropriate measures
Project/Programme risks – Risks that change
to meet legal or regulatory requirements or to
programmes and projects are not aligned with
protect assets (for example, intellectual property).
strategic priorities and do not successfully and
Property risks – Risks arising from property safely deliver requirements and intended benefits
deficiencies or poorly designed or ineffective/ to time, cost and quality.
inefficient safety management resulting in
Reputational risks – Risks arising from adverse
non-compliance and/or harm and suffering to
events, including ethical violations, a lack of
employees, contractors, service users or the public.
sustainability, systemic or repeated failures or
Financial risks – Risks arising from not managing poor quality or a lack of innovation, leading to
finances in accordance with requirements and damages to reputation and or destruction of
financial constraints resulting in poor returns from trust and relations.
investments, failure to manage assets/liabilities
or to obtain value for money from the resources Failure to manage risks in any of these categories
deployed, and/or non-compliant financial reporting. may lead to financial, reputational, legal, regulatory,
safety, security, environmental, employee,
Commercial risks – Risks arising from
customer and operational consequences.
weaknesses in the management of commercial
partnerships, supply chains and contractual
requirements, resulting in poor performance,
inefficiency, poor value for money, fraud, and/or
failure to meet business requirements/objectives.
55
Annex 5: Definitions
and Supportive
Concepts
56
Annex 5: Definitions and Supportive Concepts | The Orange Book
7 Objectives can have different aspects and categories – covering efficient and effective operations, financial and non-financial
reporting, and compliance with laws and regulations – and can be applied at different levels.
57
The Orange Book | Annex 5: Definitions and Supportive Concepts
RISK
Cause 1 Consequence 1
Cause 3 Consequence 3
58
Annex 5: Definitions and Supportive Concepts | The Orange Book
In stating risks, care should be taken to avoid Internal Control is the dynamic and iterative
stating consequences that may arise as being the framework of processes, policies, procedures,
risks themselves, i.e. identifying the symptoms activities, devices, practices, or other conditions
without their cause(s). Equally, care should be and/or actions that maintain and/or modify risk.
taken to avoid defining risks with statements that Internal controls permeate and are inherent in the
are simply the converse of the objectives, i.e. way the organisation operates and are affected by
failure to achieve the intended output/outcome. cultural and behavioural factors.
Organisations typically assess consequences using Where additional action is required to bring the
a combination of criteria, which commonly include levels of risk within the nature and extent that
financial, reputational, legal, regulatory, safety, the organisation is willing to take to achieve its
security, environmental, employee, customer objectives, the organisation should select, develop
and operational effects. The criteria used should and implement options for addressing risk through
be dynamic and should be periodically reviewed preventive, directive, detective, and/or corrective
and amended, as necessary. Scales should controls that manage risks to an acceptable level.
allow meaningful differentiation for ranking and These might be manual or automated. This involves
prioritisation purposes based on assigning values an iterative process of:
to each risk using the defined criteria.
• planning and implementing internal control
When assigning a consequence rating to a risk, • assessing the effectiveness of internal control
the rating for the highest, most credible worst-case
• deciding whether the nature and extent of
scenario should be assigned.
the remaining risk after the implementation
of internal controls is acceptable
The risk analysis process defines the level of risk,
based on the assessment of the likelihood of • if not acceptable, reassessing options and
the risk occurring and the consequences should taking further action where appropriate
the event happen. Likelihood is the assessment
of something happening, whether defined, Internal control, even if carefully designed and
measured or determined objectively or subjectively, implemented, might not produce the intended
qualitatively or quantitatively, and described or expected outcomes. Internal control can also
using general terms or mathematically (such as a introduce new risks that need to be managed.
probability or a frequency over a given time period).
Assurance is a general term for the confidence
Risk analysis should also consider: that can be derived from objective information over
the successful conduct of activities, the efficient
• sensitivity and confidence levels,
and effective design and operation of internal
based on the information available
control, compliance with internal and external
• complexity and connectivity requirements, and the production of insightful
and credible information to support decision-
• time-related factors and volatility
making. Confidence diminishes when there are
• the effectiveness of existing internal control uncertainties around the integrity of information or
of underlying processes.
59
Annex 6:
References
60
Annex 6: References | The Orange Book
ID Description
1 BS ISO 31000:2018(E) – Risk management – Guidelines
2 Corporate governance code for central government departments https://www.gov.uk/
government/publications/corporate-governance-code-for-central-government-departments
3 Managing Public Money – Section 4 Governance and Management https://www.gov.uk/
government/publications/managing-public-money
4 Managing Public Money – Annex 4.3 Risk
5 Budget 2018: 2.18 The Balance Sheet Review – https://www.gov.uk/government/publications/
budget-2018-documents/budget-2018 and Getting smart about intellectual property and
intangible assets https://www.gov.uk/government/publications/getting-smart-about-intellectual-
property-and-intangible-assets
6 Central Government Guidance on Appraisal and Evaluation – The Green Book https://assets.
publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685903/
The_Green_Book.pdf
7 The Future Toolkit provides guidance on horizon scanning and outlines how scenarios can be
used to further investigate emerging risks https://assets.publishing.service.gov.uk/government/
uploads/system/uploads/attachment_data/file/674209/futures-toolkit-edition-1.pdf
8 The National Security Risk Assessment (NSRA) is the Government's principal tool for identifying
and assessing risks to the UK over the medium-term. It is owned by the Resilience Directorate in
the Economic and Domestic Secretariat of the Cabinet Office.
9 The Principles of Managing Risks to the Public https://assets.publishing.service.gov.uk/
government/uploads/system/uploads/attachment_data/file/191518/Managing_risks_to_the_
public_appraisal_guidance.pdf
10 ISO 31010:2009 is a supporting standard for BS ISO 31000 and provides guidance on selection
and application of systematic techniques for risk assessment
11 Guidance on producing quality analysis for government – The Aqua Book https://assets.
publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/416478/
aqua_book_final_web.pdf
12 The Outsourcing Playbook - Central Government Guidance on Outsourcing Decisions and
Contracting https://assets.publishing.service.gov.uk/government/uploads/system/uploads/
attachment_data/file/780361/20190220_OutsourcingPlaybook_6.5212.pdf
13 Guidance for evaluation – The Magenta Book https://assets.publishing.service.gov.uk/
government/uploads/system/uploads/attachment_data/file/220542/magenta_book_combined.pdf
14 HM Treasury Audit and Risk Assurance Committee Handbook, March 2016 https://www.gov.uk/
government/publications/audit-committee-handbook
15 Public Sector Internal Audit Standards https://assets.publishing.service.gov.uk/government/
uploads/system/uploads/attachment_data/file/641252/PSAIS_1_April_2017.pdf
16 International Standards on Auditing – ISA 315 and 610
17 HMT Assurance Frameworks 2012 https://assets.publishing.service.gov.uk/government/uploads/
system/uploads/attachment_data/file/270485/assurance_frameworks_191212.pdf
61