
DOCUMENT CONTROL: Reference Risk Treatment Plan. Version Feb 2015 Version 1.

Issue Date: 09/03/2015 Classification: Public

Risk Register & Risk Treatment Plan

Marc Seale, Chief Executive & Registrar
Report to Audit Committee, (Feb 2015)

Enc 03a - Risk Register Cover


Jan 2015 Risk Assessment

Contents Page
Contents page 4
Top 10 HCPC risks 5
Changes since last published 6
Strategic risks 7
Operations risks 8
Communications risks 10
Corporate Governance risks 11
Information Technology risks 12
Partner risks 13
Education risks 14
Project Management risks 15
Quality Management risks 16
Registration risks 17
HR risks 18
Legal risks 19
Fitness to Practise risks 20
Policy & Standards risks 21
Finance risks 22
Pensions risks 24
Information Security risks 25
Appendix i Glossary and Abbreviations 26
Appendix ii HCPC Risk Matrix 27
HCPC Risk Matrix terms detail 28
Appendix iii HCPC Strategic Objectives & Risk Appetite 29
Appendix iv HCPC Assurance Mapping 30

Enc 03a - Risk Register Risk Contents



"Top 10" Risks (High & Medium after mitigation)

Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Mitigation I | Mitigation II | Mitigation III | CURRENT RISK SCORE and historic risk scores (historic columns: Sept 2014, Feb 2014, Sept 2013, Feb 2013, Sept 2012, Feb 2012, July 2011, Feb 2011, Sept 2010, Feb 2010)
15.23 | PSA full cost recovery model places significant financial pressure on HCPC from August 2015 onwards (pre-mit 20) | Chief Executive & Finance Director | Consider increase in fees | Legislative and operational adjustments | | High, High, High, Low
2.7 | Interruption to electricity supply (pre-mit 16) ISMS RISK | Facilities Manager | Relocate to other buildings on site | If site wide longer than 24 hours invoke DR Plan | - | High, High, High, High, High, High, High, High, High, High
13.3 | Tribunal exceptional costs (pre-mit 25) | FTP Director | Accurate and realistic budgeting | Quality of operational processes | Quality of legal advice | Medium, Medium, Medium, Medium, Medium, High, High, High, High, High
1.5 | Loss of reputation (pre-mit 20) | Chief Executive | Quality of governance procedures | Quality of operational procedures | Dynamism and quality of Comms strategy | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium
2.11 | Basement flooding (pre-mit 16) | Facilities Manager | Flood barrier protection to prevent ingress | - | - | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium
13.4 | Rapid increase in number of allegations and resultant legal costs (pre-mit 16) | FTP Director | Accurate and realistic budgeting | Resource planning | - | Medium, Medium, Medium, Medium, Medium
12.1 | Judicial review of HCPC's implementation of HSWPO including Rules, Standards & Guidance (pre-mit 15) | Chief Executive | Consultation. Stds determined by PLG's. Agreement by Council. | Appropriate legal advice sought | - | Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium, Medium

Risks listed in order of CURRENT RISK SCORE, then PRE-MITIGATION SCORE

Enc 03a - Risk Register Top 10 HCPC Risks

Changes since the previous iteration of HCPC's Risk Register

Category | Ref # | Description | Nature of change in this version
All | All | | Update all dates to latest iteration of risk register
Project Management | 8.2 | Failure to regulate new profession | Update likelihood
Project Management | 8.13 | Failure to build a system to the Education Depts requirements | Update likelihood
Project Management | 8.14 | Failure to deliver a system to the HR & Partners Depts requirements | Update likelihood
Project Management | 8.19 | Failure to build a system to the Registration Depts requirements | New project
Project Management | 8.20 | Failure to successfully replace the Lotus Notes system with Microsoft Outlook | New project
Finance | 15.23 | PSA fees to commence August 2015 | Description updated following DH announcement
Information Security | 17.1-6 | | Update descriptive wording of individual risks
Information Security | 17.8 | Failure to maintain accurate risk assessments from ISO27001 process |
| | | Add Risk Appetite to Strategic Objectives page

Overview of Risk Management and Risk Treatment process

Throughout the year, existing risks are continually monitored and assessed by Risk Owners against their likelihood, their impact on HCPC, the effectiveness of mitigations and the level of residual risk.

Future risks are also documented, evaluated and monitored against the same criteria.

Every six months these changes and additions to risks are updated in the risk register and formally documented by the Director of Operations or the Head of Business Process Improvement, and the Top Ten Risks (High & Medium only after mitigation) are recorded.

Enc 03a - Risk Register Changes since last published (2)





Strategic Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
1 | Strategic | 1.1 | HCPC fails to deliver SI Sec 6.2 & Health Bill. Links to 7.1-7.4, 18.1, 8.1-8.3, 10.4, 10.5, 11.4, 15.9 | Council | 5 | 1 | 5 | Delivery of HCPC Strategy | Publication of Annual Report | - | Low | Low
| Strategic | 1.2 | Unexpected change in UK. Links to 2.2, 15.14 | Chief Executive | 5 | 2 | 10 | Relationship with Government depts | Environmental scanning | - | Low | Low
I | Strategic | 1.3 | Incompatible SI Sec 6.2 & Health Bill and EU legislation | Chief Executive | 1 | 3 | 3 | Monitoring of EU directives e.g. Professional Qualifications Directive | Membership of Alliance of UK Health Regulators on Europe (lobby group) | - | Low | Low
| Strategic | 1.4 | Failure to maintain a relationship with PSA (formerly CHRE) | Chief Executive & Chair | 5 | 1 | 5 | HCPC Chair and Chief Executive relationship with PSA | Communications | - | Low | Low
I | Strategic | 1.5 | Loss of reputation | Chief Executive & Chair | 5 | 4 | 20 | Quality of governance procedures | Quality of operational procedures | Dynamism and quality of Comms strategy | Medium | Medium
| Strategic | 1.6 | Failure to abide by current Equality & Diversity legislation | Chief Executive | 4 | 2 | 8 | Equality & Diversity working scheme | Implementation of scheme for employees | Implementation of scheme for partners | Low | Low
| Strategic | 1.7 | Failure to maintain HCPC culture | Chief Executive | 5 | 2 | 10 | Behaviour of all employees | Induction of new employees | Internal communication | Low | Low

Enc 03a - Risk Register Strategic Risks





Operations Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
2 I | Operations | 2.1 | Inability to occupy premises or use interior equipment | Facilities Manager | 4 | 2 | 8 | Invoke Disaster Recovery/Business Continuity plan | Commercial combined insurance cover (fire, contents, terrorism etc) | - | Low | Low
| Operations | 2.2 | Rapid increase in registrant. Links to 1.2, 13.4 | Chief Executive and EMT | 3 | 5 | 15 | Scalable business processes and scalable IT systems to support them | Influence the rate at which new professions are regulated | - | Low | Low
| Operations | 2.3 | Unacceptable service standards. Links to 9.1, 10.4 | Director of Operations | 5 | 4 | 20 | ISO 9001 Registration, process maps, well documented procedures & BSI audits | Hire temporary employees to clear service backlogs | Detailed workforce plan to match workload. | Low | Low
| Operations | 2.4 | Inability to communicate via postal services (e.g. Postal | Facilities Manager | 3 | 3 | 9 | Use of other media including Website, newsletter & email and courier services | Invoke Disaster Recovery Plan | Collection of >80% income fees by DD | Medium | Medium
| Operations | 2.5 | Public transport disruption leading to inability to use Park House | Facilities Manager & Head Bus Proc | 4 | 5 | 20 | Contact employees via Disaster Recovery Plan process | Make arrangements for employees to work at home if possible | - | Low | Low
I | Operations | 2.6 | Inability to accommodate HCPC. Links to 5.2 | Facilities Manager | 4 | 3 | 12 | Ongoing Space planning | Additional premises purchase or rented | - | Low | Low
I | Operations | 2.7 | Interruption to electricity supply | Facilities Manager | 4 | 4 | 16 | Relocate to other buildings on site | If site wide longer than 24 hours invoke DR Plan | - | High | High
| Operations | | Interruption to gas supply | Facilities Manager | 1 | 2 | 2 | Temporary heaters to impacted areas | | | Low | Low
| Operations | | Interruption to water supply | Facilities Manager | 2 | 2 | 4 | Reduce consumption | Temporarily reduce headcount to align with legislation | Invoke DR plan if over 24 hrs | Low | Low
| Operations | 2.10 | Telephone system failure causing protracted service outage | Director of IT | 4 | 3 | 12 | Support and maintenance contract for hardware and software of the ACD and PABX | Backup of the configuration for both the ACD and PABX | Diverse routing for the physical telephone lines from the two exchanges with different media | Low | Low
I | Operations | 2.11 | Basement flooding | Facilities Manager | 4 | 4 | 16 | Flood barrier protection to prevent ingress | - | - | Medium | Medium
| Operations | 2.12 | Significant disruption to UK transport network by environmental extremes e.g. snow, rain, ash; civil unrest or industrial action; disrupts planned external activities | Director of Operations & Head Bus Proc | 3 | 2 | 6 | Use of alternate networks | Use of video or teleconferencing facility to achieve quorum | Invoke Disaster Recovery/Business Continuity | Low | Low
| Operations | (formerly ...) | Health & Safety of employees. Links to 4.9, 6.3 | Chief Executive & Facilities Manager | 5 | 4 | 20 | Health & Safety Training, policies and procedures | H&S Assessments | Personal Injury & Travel | Low | Low

Enc 03a - Risk Register Operations





Operations Risks (continued)

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
| Operations | 2.15 | Expenses abuse by Partners not prevented | Director of FTP, Director of Education, Head of Registration, Partner | 1 | 2 | 2 | Clear and appropriate Partner Expenses policy | Sign off by "user" departments | Planned travel supplier only policy in near future | Low | Low

Enc 03a - Risk Register Operations





Communications Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
3 | Communications | 3.1 | Failure to inform public Article 3 | Director of Comms | 5 | 1 | 5 | Delivery of communications strategy. | Delivery of aspects of communications workplan, specifically public information campaigns, multi media advertising, distribution of public information materials, and web. | - | Low | Low
| Communications | 3.2 | Loss of support from Key Stakeholders including professional bodies, employers or government. Links to 1.5 | Director of Comms | 5 | 3 | 15 | Delivery of communications strategy, supporting the HCPC strategy | Delivery of aspects of communications work plan, specifically stakeholder activities | Quality of Operational | Low | Low
| Communications | 3.3 | Inability to inform stakeholders following crisis | Director of Comms | 4 | 1 | 4 | Invoke Disaster Recovery Plan | Up to date Comms DR plan available | - | Low | Low
| Communications | 3.4 | Failure to inform Registrants Article 3 (13) | Director of Comms | 5 | 1 | 5 | Delivery of communications strategy | Delivery of aspects of communications workplan, specifically, Meet the HCPC events, campaigns, Registrant Newsletter, Professional media and conference attendance. Publications and web. | Quality of Operational | Low | Low
| Communications | 3.5 | Publication of material not approved for release | Director of Comms | 4 | 2 | 8 | Delivery of communications plan | Adherence to operational plans (Social Media planner) | - | Low | Low

Enc 03a - Risk Register Communications




Corporate Governance

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
| Corporate | 4.1 | Council inability to make decisions. Links to 4.4 | Director of Council & Committee Services, & Chair | 3 | 1 | 3 | Regular meetings, agendas and clear lines of accountability between Council and committees | Well researched and drafted decision papers | Attendance by external professionals at meetings as required | Low | Low
| Corporate | | Council members conflict of | Chair | 4 | 4 | 16 | Disclosure of members' interests to the Secretariat and ongoing Council & committee agenda item | Annual reminder to update Register of | Member induction and training | Low | Low
| Corporate | 4.3 | Poor decision-making eg conflicting advice or conflicting advice and decisions | Chair | 4 | 1 | 4 | Well-researched & drafted decision papers, Clear lines of accountability and scheme of delegation | Chair's involvement in the induction and relevant training of members | Attendance by external professionals, as required. | Low | Low
| Corporate | 4.4 | Failure to meet Council/Committee quorums / failure to make quorate decisions. Links to 4.1 | Director of Council & Committee Services | 4 | 3 | 12 | Clear communication of expectations of Council members' duties upfront | Adequate processes notifying Council & committee members of forthcoming meetings prior to meeting including confirmation of attendance | | Low | Low
| Corporate | 4.5 | Members' poor performance | Chair | 4 | 1 | 4 | Appointment against competencies | Annual appraisal of Council members | Removal under Sch 1, Para 9(1)(f) of the HSWPO 2001 | Low | Low
| Corporate | 4.6 | Poor performance by the Chair | Council | 5 | 1 | 5 | Appointment against competencies | Power to remove the Chair under Sch 1, Article 12(1) C of the HSWPO 2001 | - | Low | Low
| Corporate | | Poor performance by Chief | Chair | 5 | 1 | 5 | Performance reviews and regular "one to ones" with the Chair | Contract of Employment | - | Low | Low
| Corporate | 4.8 | Improper financial incentives offered to Council | Chair and Chief Executive | 4 | 2 | 8 | Gifts & Inducements policy | Council member code of conduct | Induction training re: adherence to Nolan principles & Bribery Act 2010 | Low | Low
| Corporate | 4.9 | Failure to ensure the Health & Safety of Council Members ? Should this be HCPC wide? Links to 6.3, 11.5 | Director of Council & Committee Services, Facilities Manager & Finance Director | 4 | 2 | 8 | Safety briefing at start of each Council or Committee meeting. | H&S information on Council Extranet | Personal Injury and Travel insurance | Low | Low
| Corporate | | Member recruitment problem (with the requisite skills). Links to 6.1, 11.13 | Chair | 4 | 2 | 8 | Maintenance of a detailed role description for these positional applicants on to HCPC or its | Use of skills matrix in recruitment exercise | Induction of panel members | Low | Low
| Corporate | | Expense claim abuse by members | Director of Council & Committee Services | 4 | 2 | 8 | Members Code of Conduct (public office) | Clear and comprehensive Council agreed policies posted on the Council member Extranet and made clear during induction | Budget holder review and authorisation | Low | Low
| Corporate | | Operationalise Section 60 | Council | 5 | 2 | 10 | Scheme of delegation | MIS | EMT & CDT | Low | Low
| Corporate | 4.13 | Failure to comply with DPA 1998 or FOIA 2000, leading to ICO | Director of Council & Committee Services | 3 | 3 | 9 | Legal advice | Clear ISO processes | Department training | Low | Low
I | Corporate | 4.15 | Failure to adhere to the requirements of the Bribery Act 2010 | Chair, & Director of Council & Committee Services | 4 | 2 | 8 | Suite of policies and processes related to the Bribery Act | Oversight of HCPC processes that could be vulnerable to bribery, by EMT and Internal Audit | Compliant processes designed for HCPC as a matter of course | Low | Low
| Corporate | 4.16 | PSA fails to recommend appointment of Council members to the Privy Council | Director of Council & Committee Services | 1 | 5 | 5 | Sign off of high level process by Council | PSA comments on advance notice of intent acted on appropriately | PSA informed of any deviations from agreed process at earliest opportunity | Low | Low
| Corporate | | Failure to meet requirements of the constitution order | Director of Council & Committee Services | 3 | 1 | 3 | Scrutiny of advance notice of intent | Targeted advertising strategy | _ | Low | Low

Enc 03a - Risk Register Corporate Governance




Information Technology

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
5 I | IT | 5.1 | Software Virus damage. Links to 2.3, 10.2 | Director of IT | 4 | 5 | 20 | Anti-virus software deployed at several key points. Application of security patches in a timely manner | Adherence to IT policy, procedures and training | Regular externally run security penetration tests. | Low | Low
I | IT | 5.2 | Technology obsolescence. Links to 2.6, 10.2 | Director of IT | 2 | 2 | 4 | Delivery of the IT strategy including the refresh of technology. | Accurately record technology | Employ small core of mainstream technology with recognised support and maintenance agreements | Low | Low
I | IT | 5.3 | Fraud committed through IT. Links to 10.2 and 17.1 | Director of IT | 3 | 3 | 9 | Appropriate and proportionate access restrictions to business data. System audit | Regular, enforced strong password changes. | Regular externally run security tests. | Low | Low
I | IT | 5.4 | Failure of IT Continuity Provision | Director of IT | 4 | 3 | 12 | IT continuity plan is reviewed when a service changes or a new service is added | Annual IT continuity tests | Appropriate and proportionate technical solutions are employed. IT technical staff appropriately trained. | Low | Low
I | IT | 5.5 | Malicious damage from unauthorised access | Director of IT | 4 | 5 | 20 | Security is designed into the IT architecture, using external expert consultancy where necessary | Regular externally run security penetration tests | Periodic and systematic proactive security reviews of the infrastructure. Application of security patches in a timely manner. Physical access to the IT infrastructure restricted and controlled. | Low | Low
I | IT | 5.6 | Data service disruption (via utility | Director of IT | 5 | 1 | 5 | Redundant services | Diverse routing of services where possible | Appropriate service levels with utility providers and IT continuity | Low | Low

Enc 03a - Risk Register Information Technology





Partner Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
6 | Partners | 6.1 | Inability to recruit and retain suitable Partners. Links to 4.10, 11.3, 7.3, 18.1 | Partner Manager | 3 | 3 | 9 | Targeted recruitment strategy. | Appropriate fees for partner services and reimbursement of expenses. | Efficient and effective support and communication from the Partner team. | Low | Low
| Partners | 6.2 | Incorrect interpretation of law and/or SI's resulting in PSAHSE | Director of FTP, Director of Education, Head of Registration, Partner | 2 | 4 | 8 | Training | Legal Advice | Regular appraisal system | Low | Low
| Partners | 6.3 | Health & Safety of Partners. Links to 4.9, 11.5 | Partner Manager | 3 | 2 | 6 | H&S briefing at start of any HCPC sponsored event. | Liability Insurance | - | Low | Low
| Partners | 6.4 | Partners poor performance | Director of FTP, Director of Education, Head of Registration, Partner | 4 | 3 | 12 | Regular training | Regular appraisal system | Partner Complaints Process & Partner Code of Conduct | Low | Low
| Partners | 6.5 | Incorrect interpretation of HSWPO in use of Partners | Director of FTP, Director of Education, Head of Registration, Partner | 3 | 2 | 6 | Correct selection process and use of qualified partners | Daily Email notification of partner registrant lapse | - | Low | Low
| Partners | 6.6 | Adequate number and type of partner roles | Partner Manager, Director of FTP, Director of Education, Head of | 3 | 2 | 6 | Regular review of availability of existing pool of partners to ensure requirements are met. | Annual forecasting of future partner requirements to ensure that they are budgeted for. | Staggered partner agreements across professions for Panel Member and Panel Chair to ensure adequate supply in line with the eight year rule. | Low | Low
| Partners | 6.7 | User departments using non-active partners | Partner Manager, Director of FTP, Director of Education, Head of | 3 | 3 | 9 | Notification of partner resignations to user departments. | Current partner lists available to user departments on shared drive. | - | Low | Low
| Partners | 6.8 | Expense claim abuse by Partners | Partner Manager, Director of FTP, Director of Education, Head of | 2 | 2 | 4 | Budget holder review and authorisation process | Comprehensive Partner agreement | Challenge of non standard items by Finance department and Partner Department | Low | Low

Enc 03a - Risk Register Partners





Education Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
7 | Education | 7.1 | Failure to detect low education providers standards. Links to 1.1, 4.3, 6.4 | Director of Education | 4 | 2 | 8 | Operational processes (approval, monitoring and complaints about an approved programme) | Regular training of employees and visitors | Memorandums of understandings with other regulators (e.g. CQC and Care | Low | Low
| Education | 7.2 | Education providers refusing visits or not submitting data. Links to 1.1 | Director of Education | 3 | 2 | 6 | Legal powers (HSWPO 2001) | Delivery of Education Dpt supporting activities as documented in regular work | - | Low | Low
| Education | 7.3 | Inability to conduct visits and monitoring tasks. Links to 1.1, 6.1, 11.2 & 11.3 | Director of Education | 4 | 2 | 8 | Adequate resourcing, training and visit scheduling | Approvals & monitoring processes | Temporary staff hire to backfill or clear work backlogs | Low | Low
| Education | 7.4 | Loss of support from Education Providers. Links to 1.1, 14.2 | Chief Executive or Director of Education | 5 | 2 | 10 | Delivery of Education strategy as documented in regular work plan | Partnerships with Visitors and professional groups. | Publications, Newsletters, website content, inclusion in consultations and relevant PLGs, consultations with education providers | Low | Low
I | Education | 7.5 | Education database failure | Director of IT | 3 | 2 | 6 | Effective backup and recovery processes | In house and third party skills to support | Included in future DR/BC tests | Low | Low
| Education | 7.6 | Loss or significant change to funding, commissioning and placement opportunities for approved programmes | Director of Education | 3 | 2 | 6 | Operational processes (approval, monitoring and complaints about an approved programme) | Partnerships with Visitors and professional groups. | Regular training of employees and visitors | Low | Low

Enc 03a - Risk Register Education




Project Management

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the on-going risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
| Project | | Fee change processes not operational by required date. Links to 1.1, 15.3 | Director of Finance, Project Portfolio Manager | 3 | 3 | 9 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | - | Low | Low
| Project | 8.2 | Failure to regulate a new profession or a post-registration qualification as stipulated by stakeholders. Links to 1.1, 15.3 | Project Lead, Project Portfolio Manager | 5 | 2 | 10 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Assess lessons to be learned from previous projects | Low | Low
| Project | 8.13 | Failure to build a system to the Education departments requirements | Director of Education, Project Portfolio Manager | 3 | 4 | 12 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Ensure robust testing including load | Low | Low
| Project | 8.14 | Failure to deliver a system to the HR & Partners departments requirements | Director of HR, Project Portfolio Manager | 3 | 4 | 12 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Project Initiation stage to pay particular attention to project scope and breadth/reach of | Low | Low
I | Project | 8.17 | Organisation wide resourcing may impact project delivery | EMT & Project Portfolio Manager | 3 | 4 | 12 | Manage resources accordingly | Accept changes to planned delivery | | Med | Med
| Project | | Registration processes review | Director of Operations & Project Portfolio Manager | 3 | 3 | 9 | Project is managed as part of major projects portfolio & managed in accordance with HCPC Project Management process | Project progress monitored by EMT & stakeholders | Assess lessons to be learned from previous projects | Low | Low

Enc 03a - Risk Register Project Management




Quality Management

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
| Quality | | Loss of ISO 9001:2008. Links to 2.3, 10.3 | Director of Operations, Head of Business | 4 | 3 | 12 | Regular & internal audits | QMS standards applied across HCPC | Management buy-in | Low | Low
I | Quality | 9.2 | Employees non-compliance with established Standard Operating | EMT | 5 | 2 | 10 | Culture, follow procedures and report errors | Standard Operating Procedures and prevention of overwriting systems | Extend ISO systems as required | Low | Low

Enc 03a - Risk Register Quality Management





Registration Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
10 | Registration | 10.1 | Customer service failures. Links to 11.1, 11.2 | Director of Operations, Head of Registration | 5 | 4 | 20 | Accurate staffing level forecasts | Adequate staff resourcing & training | Supporting automation infrastructure eg call centre systems, NetRegulate system enhancements, registration re- | Low | Low
| Registration | 10.2 | Protracted service outage following a NetRegulate Registration system failure. Links to 5.1-5.3 and 17.1 | Director of IT | 5 | 3 | 15 | Effective backup and recovery procedures | Maintenance and support contracts for core system elements. | Annual IT Continuity tests | Low | Low
| Registration | 10.3 | Inability to detect fraudulent applications. Links to 9.1, 17.1 and 17.2 | Director of Operations, Head of Registration | 5 | 2 | 10 | Financial audits, system audit trails | Policy and procedures supported by internal quality audits | Validation of submitted information, Education & ID | Low | Low
| Registration | 10.4 | Backlogs of registration and applications. Links to 1.1 | Director of Operations, Head of Registration | 4 | 3 | 12 | Continually refine model of accurate demand-forecasting, to predict employees required to prevent backlogs, and service failures | Process streamlining | Maintain required employee attendance and time keeping to service applicants and | Low | Low
| Registration | 10.5 | Mistake in the Registration process leading to liability for compensation to Registrant or | Director of Operations, Head of Registration | 5 | 2 | 10 | Audits by Registration Management, system audit trails, external auditors | Professional indemnity insurance. Excess £2.5K. Limit £1M. (Doesn't cover misappropriation of funds) | Policy and procedures supported by ISO quality audits and process controls/checks | Low | Low
18 | CPD (18.1-7.5) | 10.6 | CPD processes not effective. Links to 1.1 | Director of Operations, Head of Registration | 4 | 2 | 8 | Well documented processes | Appropriately trained members of the registrations team | Monitor and regulator feedback to the Education & Training Committee | Low | Low

Enc 03a - Risk Register Registration





HR Risks

ISMS | Category | Ref # | Description | Risk owner (primary person responsible for assessing and managing the ongoing risk) | Impact before mitigation (Jan 2015) | Likelihood before mitigation (Jan 2015) | Risk Score = Impact x Likelihood | Mitigation I | Mitigation II | Mitigation III | Risk score after mitigation (Jan 2015) | Risk score after mitigation (Jul 2014)
11 | HR | 11.1 | Loss of key HCPC employees | Chair, Chief Executive and EMT | 3 | 2 | 6 | Organisation succession plan held by HR Director. Succession planning generally. | Departmental training (partial or full) and process documentation | - | Low | Low
| HR | 11.2 | High turnover of employees. Links to 11.3 | HR Director | 3 | 2 | 6 | Remuneration and HR strategy | Regular performance reviews | Exit interview analysis | Low | Low
| HR | 11.3 | Inability to recruit suitable. Links to 4.10, 6.1, 11.2, 11.8 | HR Director | 2 | 2 | 4 | HR Strategy and adequate resourcing of the HR dept | Careful specification of recruitment adverts and interview panel selection | Hire skilled temporary staff in the interim | Low | Low
| HR | 11.4 | Lack of technical and managerial skills to deliver the strategy. Links to 1.1 | Chief Executive | 4 | 3 | 12 | HR strategy and goals and objectives (buy in the skills v staff upskilling on the job v training) | Training needs analysis & training delivery. | Some projects or work initiatives delayed or | Low | Low
| HR | 11.6 | High sick leave levels | EMT | 2 | 3 | 6 | Adequate staff (volume and type) including hiring temporary staff | Return to work interviews and sick leave monitoring | Regular progress reviews | Low | Low
| HR | 11.7 | Employee and ex-employee | HR Director | 4 | 3 | 12 | Regular one on one sessions between manager and employee and regular performance | HR legislation and HR disciplinary policies | Employee surveys, Exit | Low | Low
I | HR | 11.8 | Employer/employee inappropriate Behaviour. Links to 11.3 | HR Director | 2 | 2 | 4 | Whistle blowing policy, Code of Conduct & Other HR policy and procedures | Employee Assistance | | Low | Low
| HR | 11.9 | Non-compliance with Employment legislation. Includes Auto enrolment pensions | HR Director | 5 | 2 | 10 | HR Strategy | Obtain legislation updates and legal advice | HR policies and Manager | Low | Low

Legal risks

12.1  Judicial review of HCPC's implementation of HSWPO including Rules, Standards & ...
      Owner: Chief Executive
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Consultation. Stds determined by PLG's. Agreement by Council.
      Mitigation II: Appropriate legal advice sought
      Mitigation III: -
      After mitigation: Medium (Jan 2015); Medium (Jul 2014)
      Links to 1.2, 14.1, 14.2

12.2  (ISMS risk) Legal challenge to HCPC ...
      Owner: Chief Executive
      Pre-mitigation: impact 4 x likelihood 4 = 16
      Mitigation I: Legal advice and ISO ...
      Mitigation II: Pre-emptive and on-going communications concerning legal basis and implementation of the ...
      Mitigation III: -
      After mitigation: Low (Jan 2015); Low (Jul 2014)

Fitness to Practise risks

13.1  Legal cost over-runs
      Owner: FTP Director
      Pre-mitigation: impact 4 x likelihood 4 = 16
      Mitigation I: Contractual and SLA arrangements with legal services provider(s)
      Mitigation II: Quality of operational procedures
      Mitigation III: Quality assurance
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 13.4, 15.2

13.3  Tribunal exceptional costs
      Owner: FTP Director
      Pre-mitigation: impact 5 x likelihood 5 = 25
      Mitigation I: Quality of operational processes
      Mitigation II: Accurate and realistic forecasting
      Mitigation III: Quality of legal advice
      After mitigation: Medium (Jan 2015); Medium (Jul 2014)

13.4  Rapid increase in the number of allegations and resultant legal ...
      Owner: FTP Director
      Pre-mitigation: impact 4 x likelihood 4 = 16
      Mitigation I: Accurate and realistic budgeting
      Mitigation II: Resource planning
      Mitigation III: -
      After mitigation: Medium (Jan 2015); Medium (Jul 2014)
      Links to 13.1

13.5  Witness non-attendance
      Owner: FTP Director
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Vulnerable witness provisions in the legislation
      Mitigation II: Witness support programme
      Mitigation III: Witness summons
      After mitigation: Low (Jan 2015); Low (Jul 2014)

13.6  (ISMS risk) Employee/Partner physical assault by Hearing attendees
      Owner: FTP Director
      Pre-mitigation: impact 5 x likelihood 5 = 25
      Mitigation I: Risk Assessment Processes
      Mitigation II: Adequate facilities security
      Mitigation III: Periodic use of security contractors and other steps
      After mitigation: Low (Jan 2015); Low (Jul 2014)

(ref not shown)  High Number of Registration ...
      Owner: FTP Director & Director of Operations, Head of Registrations
      Pre-mitigation: impact 3 x likelihood 5 = 15
      Mitigation I: Training and selection of Registration Assessors, so reasoned decisions are generated
      Mitigation II: Quality of operational processes
      Mitigation III: -
      After mitigation: Low (Jan 2015); Low (Jul 2014)

13.8  Backlog of FTP cases
      Owner: FTP Director
      Pre-mitigation: impact 3 x likelihood 4 = 12
      Mitigation I: Reforecasting budget
      Mitigation II: Quality of operational processes
      Mitigation III: Monthly management reporting
      After mitigation: Low (Jan 2015); Low (Jul 2014)

(ref not shown)  Excessive cases per Case Manager workload
      Owner: FTP Director
      Pre-mitigation: impact 3 x likelihood 4 = 12
      Mitigation I: Reforecasting budget
      Mitigation II: ... processes
      Mitigation III: Monthly management reporting
      After mitigation: Low (Jan 2015); Low (Jul 2014)

13.2 moved to 12.2

13.10 (ISMS risk) Protracted service outage following a Case Management System failure
      Owner: Director of IT
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Effective backup and recovery procedures
      Mitigation II: Maintenance and support contracts for core system elements
      Mitigation III: Annual IT continuity tests
      After mitigation: Low (Jan 2015); Low (Jul 2014)

Policy & Standards risks

14.1  Incorrect process followed to establish stds/guidance/policy eg no relevant Council decision
      Owner: Policy & Stds Director
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Appropriately experienced and trained members of Policy team.
      Mitigation II: Legal advice and sign off sought on processes
      Mitigation III: Quality mgt system & processes
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 12.1

(ref not shown)  Inappropriate stds/guidance published eg stds are set at inappropriate level, are too confusing or are conflicting
      Owner: Council/committees
      Pre-mitigation: impact 4 x likelihood 1 = 4
      Mitigation I: Use of professional liaison groups, and Council and committees including members with appropriate expertise
      Mitigation II: Appropriately experienced and trained members of Policy team.
      Mitigation III: Consultation with stakeholders & legal advice sought
      After mitigation: Low (Jan 2015); Low (Jul 2014)

14.3  Changing/evolving legal advice rendering previous work inappropriate
      Owner: Policy & Stds Director
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Use of well-qualified legal professionals. Legal advice obtained in writing.
      Mitigation II: Regular reviews.
      Mitigation III: Appropriately experienced and trained members of Policy team and others eg HR.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

(ref not shown)  Inadequate preparation for a change in legislation (Health Professions Order, or other legislation affecting HCPC)
      Owner: EMT; Policy & Stds Director
      Pre-mitigation: impact 3 x likelihood 1 = 3
      Mitigation I: EMT responsible for remaining up to date ... relationships with government depts and ...
      Mitigation II: HCPC's 5 year planning process
      Mitigation III: Legal advice sought
      After mitigation: Low (Jan 2015); Low (Jul 2014)

(ref not shown)  PLG member recruitment without requisite skills and knowledge
      Owner: HCPC Chair, Director of Council & Committee ...
      Pre-mitigation: impact 4 x likelihood 1 = 4
      Mitigation I: Skills and knowledge identified in work plan
      Mitigation II: Recruitment policy
      Mitigation III: Council scrutiny of PLG result
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 4.10

14.6  Loss of Corporate Memory
      Owner: Policy & Stds Director
      Pre-mitigation: impact 3 x likelihood 3 = 9
      Mitigation I: Maintain appropriate records of project decisions
      Mitigation II: Appropriate hand over and succession planning
      Mitigation III: Department training
      After mitigation: Low (Jan 2015); Low (Jul 2014)

Finance risks

15.1  Insufficient cash to meet ...
      Owner: Finance Director
      Pre-mitigation: impact 5 x likelihood 1 = 5
      Mitigation I: Reserves policy specifies minimum cash level to be maintained throughout the year. Cash flow forecast prepared as part of annual budget and 5 year plan assesses whether policy minimum level will be met.
      Mitigation II: Regular cash forecasts and reviews during the year
      Mitigation III: Fee rises and DoH grant applications as required.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.2  Unexpected rise in operating ...
      Owner: EMT
      Pre-mitigation: impact 4 x likelihood 1 = 4
      Mitigation I: Budget holder accountability for setting budgets and managing them. Timely monthly reporting and regular budget holder reviews held. EMT review of the monthly variances year to date.
      Mitigation II: Six and nine month reforecasts with spending plan revisions as feasible and appropriate. FTP costs are mainly incurred towards the end of the lifecycle of a case, so an increase in the case pipeline would give early warning of a rise in FTP costs.
      Mitigation III: Capped FTP legal case costs.
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 13.1

15.3  Major Project Cost Over-runs
      Owner: Project Lead / EMT
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Effective project specification including creating decision points. Effective project management and timely project progress reporting (financial and non financial).
      Mitigation II: Project budgets have 15% contingency. Project exception reports, including a revised funding proposal, are presented to EMT for approval.
      Mitigation III: EMT review of the project spending variances to date
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.7  (ISMS risk) Registrant Credit Card record ...
      Owner: Finance Director
      Pre-mitigation: impact 2 x likelihood 2 = 4
      Mitigation I: Compliance with PCI standards.
      Mitigation II: Limited access to card information
      Mitigation III: Professional Indemnity & fidelity (fraud) insurance for first £250k of loss
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 5.3

15.9  Mismatch between Council goals & approved financial budgets
      Owner: Chief Executive
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Close and regular communication between the Executive, Council and its Committees.
      Mitigation II: Adequate quantification of the budgetary implications of proposed new initiatives
      Mitigation III: Use of spending prioritisation criteria during the budget ...
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 1.1

15.12 (ISMS risk) Unauthorised removal of assets (custody issue)
      Owner: Facilities Manager & IT Director
      Pre-mitigation: impact 2 x likelihood 2 = 4
      Mitigation I: Building security including electronic access control and recording and CCTV. IT asset labelling & asset logging (issuance to employees)
      Mitigation II: Fixed Asset register itemising assets. Job exit procedures (to recover HCPC laptops, blackberries, mobile phones etc). Regular audits. Whistleblowing policy.
      Mitigation III: Computer asset insurance.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.13a (ISMS risk) Theft or fraud
      Owner: Finance Director
      Pre-mitigation: impact 3 x likelihood 2 = 6
      Mitigation I: Well established effective processes, incl segregation of duties and review of actual costs vs budgets.
      Mitigation II: Regular audits; whistleblowing policy
      Mitigation III: Professional Indemnity & fidelity (fraud) insurance for first £250k of loss
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Incorporates aspects of previous risks 15.10 and 15.11

15.18 PAYE/NI/corporation tax ...
      Owner: Finance Director
      Pre-mitigation: impact 2 x likelihood 3 = 6
      Mitigation I: Effective payroll process management at 3rd party. Finance staff attend payroll & tax updates
      Mitigation II: Signed disclosure forms indicating tax category status for all Council and Committee members. Professional tax advice sought where necessary, including status of CCM's and partners
      Mitigation III: PAYE Settlement Agreement in place with HMRC relating to Category One Council and Committee members.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.20 Bank insolvency: permanent loss of deposits or temporary inability to access deposits
      Owner: Finance Director
      Pre-mitigation: impact 5 x likelihood 1 = 5
      Mitigation I: Investment policy sets "investment grade" minimum credit rating for HCPC's banks and requires diversification: cash spread across at least two banking licences
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.21 Financial distress of key trade suppliers causes loss of business critical service
      Owner: Finance Director
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Financial health of new suppliers above OJEU threshold considered as part of OJEU PQQ process. Ongoing financial monitoring of key suppliers through Dun & Bradstreet reports
      Mitigation II: Escrow agreements possible, eg transcription services framework
      Mitigation III: Alternative suppliers where ...
      After mitigation: Medium (Jan 2015); Medium (Jul 2014)


15.22 Payroll process delay or failure
      Owner: Finance Director
      Pre-mitigation: impact 2 x likelihood 2 = 4
      Mitigation I: Outsourced to third party. Agreed monthly payroll process timetable (with slack built in). If process delayed, payment may be made by CHAPS (same day payment) or cheque.
      Mitigation II: Hard copy records held securely. Restricted system access.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.23 PSA full cost recovery model places significant financial pressure on HCPC after August 1st 2015
      Owner: Chief Executive & Finance Director
      Pre-mitigation: impact 4 x likelihood 5 = 20
      Mitigation I: Consider increase in fees
      Mitigation II: Legislative and operational adjustments
      After mitigation: High (Jan 2015); High (Jul 2014)
      Model not yet finalised by DH or PSA

15.24 Failure to apply good procurement practice (contracts below OJEU threshold) leads to poor value for money and/or ...
      Owner: Finance Director & Procurement Mgr
      Pre-mitigation: impact 2 x likelihood 2 = 4
      Mitigation I: Approved procurement policy. Legal advice on ISO9001 compliant process design.
      Mitigation II: Internal monitoring of Tendering and contract process use.
      Mitigation III: New suppliers process as "backstop" to failure.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.25 Failure to adhere to OJEU Procurement and Tendering requirements leads to legal challenge and costs
      Owner: Finance Director & Procurement Mgr
      Pre-mitigation: impact 4 x likelihood 3 = 12
      Mitigation I: Robust OJEU specific processes agreed by legal advisors
      Mitigation II: Legal oversight of OJEU related material created by HCPC
      Mitigation III: Legal oversight of OJEU scoring and supplier ...
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.26 Budgeting error leads to overcommitment of funds
      Owner: Finance Director
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Budgets are prepared by departments and then reviewed by Finance. Budgets for coming year baselined vs current year budget and forecast
      Mitigation II: Income and FTP costs are budgeted for on FAST standard models. Payroll costs are budgeted for post by post. Cautious assumptions used in relation to income and ...
      Mitigation III: Budgets are discussed/challenged by EMT at annual pre-budget setting review
      After mitigation: Low (Jan 2015); Low (Jul 2014)

15.27 Payment error leads to irrecoverable funds
      Owner: Finance Director
      Pre-mitigation: impact 3 x likelihood 2 = 6
      Mitigation I: Extensive use of preferred suppliers with bank account details loaded into Sage.
      Mitigation II: System controls over changing payee bank details
      Mitigation III: Payment signatory reviews of payment runs
      After mitigation: Low (Jan 2015); Low (Jul 2014)

Pensions risks

16.2  Non compliance with pensions legislation
      Owner: Finance Director and HR Director
      Pre-mitigation: impact 3 x likelihood 2 = 6
      Mitigation I: HCPC pension scheme reviewed for compliance with pensions legislation including auto enrolment
      Mitigation II: Advice from payroll provider. HR and Finance staff briefed on ...
      Mitigation III: Seek specialist pensions legal advice as required.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

16.3  Increase in the Capita Flexiplan funding liability resulting from scheme valuation deficiency
      Owner: Finance Director
      Pre-mitigation: impact 3 x likelihood 2 = 6
      Mitigation I: Plan is closed to new members so there is only a limited set of circumstances that could give rise to an increase in the liability
      Mitigation II: Initial employer contributions to the Plan deficit were set on a prudent basis
      Mitigation III: Monitor the performance of the Plan through periodic employers' meetings
      After mitigation: Low (Jan 2015); Low (Jul 2014)

Information Security risks

17.1  (ISMS risk) Loss of information from HCPC's electronic databases due to inappropriate removal by an employee
      Owner: EMT, Director of IT and Director of Operations
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Access is restricted to only the data that is necessary for the performance of the services. Employment contract includes Data Protection and Confidentiality Agreement
      Mitigation II: Adequate access control procedures maintained. System audit trails.
      Mitigation III: Laptop encryption. Remote access to our infrastructure using a VPN. Documented file encryption
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 5.3. Incl old 17.6

17.2  (ISMS risk) HCPC Document & Paper record Data Security
      Owner: EMT; Head of Business Process Improvement
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Use of locked document destruction bins in each dept. Use of shredder machines for confidential record destruction in some depts e.g. Finance.
      Mitigation II: Data Protection agreements signed by the relevant suppliers. Dept files stored onsite in locked cabinets. Training where appropriate (Employees & Partners)
      Mitigation III: Regarding Reg Appln forms processing, employment contract includes Data Protection Agreement
      After mitigation: Low (Jan 2015); Low (Jul 2014)
      Links to 15.7

17.3  (ISMS risk) Unintended release of electronic or paper based information
      Owner: EMT, Director of IT and Director of Operations
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Access is restricted to only the data that is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods. Training where appropriate (Employees & Partners)
      Mitigation III: Data Processor agreements signed by the relevant suppliers.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

17.4  (ISMS risk) Inappropriate data received by HCPC from third parties
      Owner: Director of Ops, and Director of FTP
      Pre-mitigation: impact 5 x likelihood 2 = 10
      Mitigation I: Read only, password protected access by a restricted no of FTP employees to electronic KN data.
      Mitigation II: Registrant payments taken in compliance with Payment Card Industry (PCI) Security standards ie with quarterly PCI testing.
      Mitigation III: Ensure third party data providers e.g. professional bodies provide the data password protected/encrypted/door to door courier/registered mail/sign in sign out as ...
      After mitigation: Low (Jan 2015); Low (Jul 2014)

17.5  (ISMS risk) Loss of physical data despatched to and held by third parties for the delivery of their services
      Owner: Director of Ops and Hd of Business Process Improv
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Data Protection/Controller agreements signed by the relevant suppliers. Use of electronic firewalls by suppliers.
      Mitigation II: Use of transit cases for archive boxes sent for scanning or copying and sign out procedures.
      Mitigation III: -
      After mitigation: Low (Jan 2015); Low (Jul 2014)

17.6  (ISMS risk) Loss of Registrant personal data by the registration system (NetRegulate) application support provider in the performance of their support services (specific risk).
      Owner: Director of IT and Director of Operations
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Access to and export of personal data is restricted to only that which is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods.
      Mitigation III: Data processor side letter specifying obligations and granting a limited indemnity.
      After mitigation: Low (Jan 2015); Low (Jul 2014)

17.7  (ISMS risk) Incorrect risk assessment of Information Assets
      Owner: Hd of Business Process Improv & Asset Owners
      Pre-mitigation: impact 4 x likelihood 2 = 8
      Mitigation I: Identification and collection of information risk assets
      Mitigation II: Regular audit and review of information risk assets by Hd of BPI
      Mitigation III: Regular identification and review of information risk assets by Hd of BPI
      After mitigation: Low (Jan 2015); New (Jul 2014)

17.8  (ISMS risk, NEW) Loss of personal data by an HCPC Contractor or Partner providing application support in the performance of their support services (specific risk).
      Owner: Director of IT and Director of Operations, Director of Education, Director of Fitness to Practise
      Pre-mitigation: impact 5 x likelihood 3 = 15
      Mitigation I: Access to and export of personal data is restricted to only that which is necessary for the performance of the services.
      Mitigation II: Effective system processes including secure data transfer and remote access granted only on application and through secure methods.


Appendix i
Glossary & Abbreviations
Term  Meaning
AGM  Annual General Meeting
CDT  Cross Directorate Team (formerly HCPC's Middle Management Group)
CPD  Continuing Professional Development
EEA  European Economic Area: the EU member states plus Norway, Iceland and Liechtenstein; for HCPC's purposes Switzerland is also included
EMT  HCPC's Executive Management Team
EU  European Union (formerly the European Economic Community, known as the "Common Market")
Europa Quality Print  Supplier of print and mailing services to HCPC
FReM  Financial Reporting Manual
FTP  Fitness to Practise
GP  Grandparenting
HSWPO  Health and Social Work Professions Order (2001)
HR  Human Resources
HW  Abbreviation for computer hardware
I  I = Information Security Management System (ISMS) risk
Impact  The result of a particular event, threat or opportunity occurring. Scored between 1 (least effect on HCPC) and 5 (maximum effect on HCPC).
ISO  International Organization for Standardization (the global standards body that publishes the Quality standard used by HCPC)
ISO 9001:2008  The ISO Quality Management Standard used by HCPC.
IT  Information Technology
Likelihood  Used to mean Probability of the event or issue occurring within the next 12 months
MIS  Management Information System
MOU  Memorandum of Understanding
NetRegulate  The bespoke computer application used to manage the application, registration and renewal processes, and publish the online register
OIC  Order in Council
OJEU  Official Journal of the European Union
Onboarding  The process of bringing a new profession into statutory regulation, from HCPC's viewpoint
OPS  Operations
PSA  Professional Standards Authority for Health and Social Care (formerly CHRE, renamed in the 2012 legislation)
PLG  Professional Liaison Group
Probability  Likelihood, chance of occurring. Not the "mathematical" probability. Scored between 1 (least likely) and 5 (most likely to occur within the next year).
Q  Q = Quality Management System (QMS) risk
QMS  Quality Management System, used to record and publish HCPC's agreed management processes
Risk  An uncertain event or events that could occur and have an impact on the achievement of objectives
Risk Owner  The person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
Risk Score  Likelihood x Impact or Probability x Significance
SI  Statutory Instrument
Significance  Broadly similar to Impact
SSFS  Scheme Specific Funding Standard, a set of standards relating to pensions services
STD  Standards
SW  Abbreviation for computer software
VPN  Virtual Private Network, a method of securely accessing computer systems via the public internet

Appendix ii
HCPC Risk Matrix (Risk Score = Impact x Likelihood)

IMPACT (scored 1 to 5)

5 Catastrophic
  Public Protection: A systemic failure, for which HCPC is ultimately responsible, that exposes the public to serious harm in cases where mitigation was expected.
  Financial: Unfunded pressures greater than £1 million
  Reputation: Incompetence/maladministration or other event that will destroy public trust or a key relationship

4 Significant
  Public Protection: A systemic failure, for which HCPC is ultimately responsible, that exposes more than 10 people to harm in cases where mitigation was expected.
  Financial: Unfunded pressures £250,000 - £1 million
  Reputation: Incompetence/maladministration that will undermine public trust or a key relationship for a sustained period or at a critical moment.

3 Moderate
  Public Protection: A systemic failure, for which HCPC is ultimately responsible, that exposes more than 2 people to harm in cases where mitigation was expected.
  Financial: Unfunded pressures £50,000 - £250,000
  Reputation: Incompetence/maladministration that will undermine public trust or a key relationship for a short period. Example: Policy U-turn

2 Minor
  Public Protection: A systemic failure which results in inadequate protection for individuals/individual communities, including failure to resolve celebrity cases.
  Financial: Unfunded pressures £20,000 - £50,000
  Reputation: Event that will lead to widespread public criticism.

1 Insignificant
  Public Protection: A systemic failure that fails to address an operational requirement
  Financial: Unfunded pressures over £10,000
  Reputation: Event that will lead to public criticism by external stakeholders as anticipated.

LIKELIHOOD (scored 1 to 5): 1 Negligible, 2 Rare, 3 Unlikely, 4 Possible, 5 Probable. The definitions for strategic, programme/project and operational environments are given in the terms detail that follows.

Risk Score grid (Impact x Likelihood)

Impact \ Likelihood    Negligible 1   Rare 2   Unlikely 3   Possible 4   Probable 5
Catastrophic 5               5           10         15           20           25
Significant 4                4            8         12           16           20
Moderate 3                   3            6          9           12           15
Minor 2                      2            4          6            8           10
Insignificant 1              1            2          3            4            5

Score bands
  >11   High Risk: Urgent action required
  6-10  Medium Risk: Some action
  <5    Low Risk: Ongoing monitoring
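As an added illustration (example code written for this page, not part of the HCPC register), the following Python applies the matrix: it computes Impact x Likelihood, assigns the band using the thresholds exactly as printed (>11 High, 6-10 Medium, <5 Low), and re-checks a handful of rows transcribed from this register to confirm that each recorded pre-mitigation score equals Impact x Likelihood. The printed thresholds leave 5 and 11 unassigned; 11 cannot arise as a product of two 1-5 scores, but 5 can (for example risk 15.1, scored 5 x 1), so the code reports such a score as unbanded rather than guessing. The RegisterRow type and the sample row set are this example's own.

```python
"""Risk scoring per the HCPC matrix: score = impact x likelihood, banded
>11 High, 6-10 Medium, <5 Low (thresholds as printed in Appendix ii)."""

from dataclasses import dataclass

# Bands exactly as printed on the page. The printed thresholds leave scores
# of 5 and 11 unassigned; the code reports those rather than guessing.
HIGH_MIN = 12                 # ">11"
MEDIUM_RANGE = range(6, 11)   # "6-10"
LOW_MAX = 4                   # "<5"


def risk_score(impact: int, likelihood: int) -> int:
    """Pre-mitigation score; both inputs are scored 1 to 5 in the register."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood are scored 1-5")
    return impact * likelihood


def risk_band(score: int) -> str:
    """Map a score to the printed band, or 'Unbanded' for the gaps (5, 11)."""
    if score >= HIGH_MIN:
        return "High"
    if score in MEDIUM_RANGE:
        return "Medium"
    if score <= LOW_MAX:
        return "Low"
    return "Unbanded"


@dataclass(frozen=True)
class RegisterRow:
    """One register row: reference, pre-mitigation inputs and recorded score.
    (Type defined for this example; the register itself is a spreadsheet.)"""
    ref: str
    impact: int
    likelihood: int
    recorded_score: int


def check_register(rows):
    """Return (ref, expected, recorded) for every row whose recorded
    pre-mitigation score does not equal impact x likelihood."""
    problems = []
    for r in rows:
        expected = risk_score(r.impact, r.likelihood)
        if expected != r.recorded_score:
            problems.append((r.ref, expected, r.recorded_score))
    return problems


def summarise(rows):
    """Map each reference to its pre-mitigation band."""
    return {r.ref: risk_band(risk_score(r.impact, r.likelihood)) for r in rows}


# Pre-mitigation values transcribed from rows of this register.
SAMPLE_ROWS = [
    RegisterRow("11.1", 3, 2, 6),
    RegisterRow("11.4", 4, 3, 12),
    RegisterRow("12.1", 5, 3, 15),
    RegisterRow("13.3", 5, 5, 25),
    RegisterRow("15.1", 5, 1, 5),
    RegisterRow("15.23", 4, 5, 20),
    RegisterRow("17.7", 4, 2, 8),
]

if __name__ == "__main__":
    for ref, band in summarise(SAMPLE_ROWS).items():
        print(ref, band)
    print("arithmetic errors:", check_register(SAMPLE_ROWS))
```

The band assigned here is the pre-mitigation band; the register's "Low/Medium/High after mitigation" columns are assessed separately and are not derived from these inputs.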



HCPC Risk Matrix terms detail

Impact definitions (Public Protection, Financial, Reputation) are as given in the matrix above.

LIKELIHOOD, by the environment in which the risk is assessed

5 Probable
  Strategic: "Clear and present danger": the threat represented by this risk will probably impact on this initiative, sooner rather than later.
  Programme / Project: Likely to occur in the life-cycle of the project, probably early on and perhaps more than once.
  Operational: The threat is likely to happen almost every day.

4 Possible
  Strategic: Likely to happen at some point during the next one or two years.
  Programme / Project: Likely to happen in the life-cycle of the programme or project.
  Operational: May well happen on a weekly basis.

3 Unlikely
  Strategic: May well occur during the lifetime of the strategy.
  Programme / Project: May occur during the life of the programme or project.
  Operational: May well happen on a monthly basis.

2 Rare
  Strategic: Only a small chance of occurring in the lifetime of the strategy.
  Programme / Project: Not likely to occur during the lifecycle of the programme or project.
  Operational: Does not happen often: once every six months.

1 Negligible (same definition in all three environments)
  Extremely infrequent: unlikely to happen in a strategic environment or to occur during a project or programme's lifecycle. May occur once a year or so in an operational environment.

Appendix iii

HCPC Strategic Objectives 2009 - 2015

SO1.GG Objective 1: Good governance
To maintain, review and develop good corporate governance

SO2.EBP Objective 2: Efficient business processes

To maintain, review and develop efficient business processes throughout the organisation

SO3.Com Objective 3: Communication

To increase understanding and awareness of regulation amongst all stakeholders

SO4.Evid Objective 4: Build the evidence base of regulation

To ensure that the organisation’s work is evidence based

SO5.IPA Objective 5: Influence the policy agenda

To be proactive in influencing the wider regulatory policy agenda

SO6.HmCty Objective 6: Engagement in the four countries

To ensure that our approach to regulation takes account of differences between the four countries

HCPC has an averse appetite to risk, in that we:

a. Identify all relevant risks
b. Mitigate those risks to an appropriate level
c. Invest mitigation resources in proportion to the level of risk

Appendix iv
HCPC draft Risk Assurance mapping

Assurance sources, grouped by area (assurance increases from Area C to Area A):
  Area C, Management Control & Reporting: Operational Risk Management; Inter-departmental Quality Assurance; Near Miss Reporting; Systems Controls
  Area B, Functional oversight / Governance: Audit Committee; EMT; Council
  Area A, Independent review / Assurance / Regulatory oversight: Internal Auditors; External Auditors (NAO); Legal Advice; Security Management; External Quality Management System ISO9001; Penetration Testing; PSA; Parliamentary oversight; PCI-DSS

Key Business Risk areas, with one mark (x or ✓) per assurance source that applies:

Strategic risks ✓ ✓ ✓ ✓ ✓ x x x x x

Communications x x x x x x x x x x x

Continuing Professional Development x x x x x x x

Corporate Governance x x x x x x x x x x x

Information Security x x x x x x x x x x x

Education x x x x x x x x x x x

Finance x x x x x x x x x x x x x x

Fitness to Practise x x x x x x x x x x x ✓ x

HR x x x x x x x x x x x

Information Technology x x x x x x x x x x x x x

Legal x x x x x x x x

Operations x x x x x x x x x x x

Partner x x x x x x x x x x x

Pensions x x x x x x

Policy & Standards x x x x x x x x x x

Project Management x x x x x x x x x x x ✓ ✓

Quality Management x x x x x x x x x x

Registration x x x x x x x x x x x
