Scottish Government

03 Risk Assessment

Summary

• Risk assessment provides the foundation for the duties to maintain plans to continue to perform functions and respond to emergency.
• Under the Act, Category 1 responders are required to undertake risk assessments for events or situations which may constitute an "emergency".
• The duty to assess risk locally falls on each Category 1 responder in accordance with its functions - but they must co-operate with each other within the Strategic Co-ordinating Group to compile a Community Risk Register.
• The Community Risk Register collates the collective views on risks within a local area. It helps to prioritise risks and identify those which require risk treatment.

Risk assessment

3.1 Risk assessment is both an integral component of risk management and the first step in the emergency planning process. The Civil Contingencies Act places risk assessment duties on all Category 1 responders. ¹

3.2 A fundamental principle of integrated emergency management is to address common consequences rather than different causes. The regulations require Category 1 responders to produce generic arrangements to perform their functions in a variety of circumstances. However, in order to ensure that generic plans can cope, it is essential that they are underpinned by risk assessment that evaluates hazards and threats according to their associated consequences. If generic arrangements cannot cope specific plans may need to be maintained.

3.3 The purpose of the risk assessment duty is to:

• ensure that local responders have an accurate understanding of the risks that they face so that their planning has a sound foundation and is proportionate to the risks.
• enable local responders to assess the adequacy of their planning and capabilities and allow any shortcomings to be addressed.
• facilitate co-ordinated local preparation based on consistent planning assumptions.
• enable local responders to describe the emergency planning context for the public and officials.
• inform and reflect Scottish and UK risk assessments that support emergency planning and capability development.
• provide a rational basis for the prioritisation of objectives, work programmes and the allocation of resources.

3.4 The Act does not require local responders to take action to reduce the likelihood of threats and hazards. Local responders may decide to do this as part of their treatment of assessed risks but the Act only requires that the consequences of plans are maintained that will deal with an emergency caused by the risk.

Kinds of emergency in relation to which risk should be assessed

3.5 The risk assessment duty is concerned with "hazards" and "threats" that might give rise to an emergency within or affecting a geographical area for which each local responder is responsible. ² "Hazards" is the term used here to describe natural or non-malicious risks and "threats" are malicious risks. In this context, an emergency is, as defined in the Act, a threat or a hazard threatening serious damage to human welfare and the environment of a place, or the security of the United Kingdom that meets either of the following criteria:

• The threat or hazard is of a sufficient scale and nature to seriously obstruct a Category 1 responder in the performance of its functions.
• The threat or hazard requires the local responder to exercise its functions and undertake a special mobilisation.

3.6 Challenges which do not constitute an emergency as defined under the Act lie outside the scope of the risk assessment duty. As part of business continuity management ( BCM), Category 1 responders will need to risk-assess their emergency planning arrangements and their ability to deliver their critical functions during those emergencies for which the risks are assessed to be significant. Henceforth in this chapter "hazards" and "threats" are events which may result in an emergency, as defined above.

3.7 Category 1 responders need only perform a risk assessment in relation to emergencies which would, or might, affect the geographical area for which they are responsible.

Co-operation

3.8 As part of the Strategic Co-ordinating Group process Category 1 responders must co-operate with each other in maintaining a Community Risk Register ( CRR). ³

3.9 The Act imposes a duty on each Category 1 responder to assess risk. However, it is recognised that requiring each local responder to assess risk in isolation would lead to a wasteful duplication of resources. It is more efficient for individual Category 1 responders to fulfil their risk assessment duties by participating in a collaborative exercise that results in a single, collective risk assessment. This allows the workload to be shared between Category 1 responders. It also helps to streamline the relationship between Category 1 responders and the government departments and agencies that are able to support the risk assessment.

3.10 In light of this, the Regulations enable the risk assessment duty to be exercised in different ways. Regulations permit responders to assess risk jointly. For example, a number of responders co-operating as a sub-group of the Strategic Co-ordinating Group might collectively assess the risk of a particular emergency occurring.

3.11 Alternatively the Regulations enable one Category 1 responder, by agreement, to be identified with lead responsibility. This mechanism may be used by the SCG members to share the risk assessment activity between them with each leading for a number of risks. However, each responder must assess the challenge, for its functions, posed by the particular risk and treat it appropriately.

3.12 In addition, a Category 1 responder may engage a third party (for example, an external consultant) to provide it with advice that relates to the likelihood of a particular emergency occurring. The responder may then rely on this advice in making its own risk assessment.

3.13 According to the Regulations, the CRR should be shared with SCGs with whom a boundary is shared. ⁴ Category1 responders should also consider whether there are any specific risks which should be communicated to any SCGs in any other local areas.

3.14 Category 1 responders in a Police area must inform each other of their own risk assessments but not insofar as sensitive information is compromised or its confidentiality is impaired. ⁵ See also Chapter 7 of this guidance.

3.15 The Community Risk Register will identify the hazard/threat, its scale, its effects, arrangements and plans in place to deal with the effects, steps that need to be taken to manage the risk and its place in local priorities.

3.16 In performing its duties to assess risks in its area a Category 1 responder should have regard to any relevant Community Risk Register. ⁶ It may be necessary to consider risks from other Police areas that could impact upon its geographical area - for example, a chemical plant in a neighbouring Police area.

3.17 There will be benefits for local responders in Scotland in having a standardised risk management approach. Common risk assessment processes are established at UK and Scottish levels and Preparing Scotland has been written with these in mind. By applying an approach that is consistent at all levels it will be possible to:

• understand and monitor the Scottish and UK exposure to risk.
• compare the exposure of local areas and local responders to different types of risks.
• facilitate regional aggregation of local risk assessments in support of Scottish and UK planning.
• ensure that plans and capabilities - at all levels - are commensurate with the risks.

Guidance and risk assessments issued by Scottish Ministers

3.18 The Regulations enable the Scottish Ministers to issue Category 1 responders with guidance on the likelihood or impact of an emergency or an assessment of the risk of an emergency. ⁷ Category 1 responders must take into account any guidance issued to them and adopt any assessment as their own. ⁸ In general, the assessment approach will be used for risks associated with threats. The statements will indicate that there is assessed to be a significant - though usually very low - likelihood of the threat occurring. In such a case, a responder must not assess the likelihood of that emergency occurring itself, it must rely on the Ministerial assessment and adopt it as their own.

3.19 Alternatively, the Minister may require the Category 1 responders to take account of the Ministerial assessment. ⁹ In such cases, Category 1 responders must conduct a subsequent risk assessment of their own. However, if there are particular reasons to depart from that assessment (e.g. because there are peculiar local features which have not been taken into account in the Ministerial assessment), a responder may do so. This is how generic local likelihood assessments of hazards will be provided to Category 1 responders.

Frequency of risk assessment

3.20 The Act requires risks to be assessed from time to time. ¹⁰ This must be interpreted in light of the purpose of the risk assessment duty and the duty on responders to perform their duties under the Act in a "reasonable fashion". Thus, Category 1 responders should assess risk as often as is necessary to ensure that they are in a reasonable position to maintain and update their emergency plans and to perform the civil protection duties under the Act. However, the risk assessment should respond quickly to changes in the risk environment so that plans can be updated accordingly. This means that the process should be continuous and should contain risk monitoring and updating mechanisms.

3.21 Although there is no statutory requirement, a full and formal review of all risks on a four-yearly cycle is recommended. However, the risks should be monitored continuously. When information suggests a potential change in risk assessment because of, say, changes in the environment in which it is placed or due to lessons identified during an emergency or exercise, a risk assessment must be performed and the Community Risk Register updated accordingly. This may require special meetings of the Strategic Co-ordinating Group. Nonetheless, risk assessments must be a standing item on the agenda of the Strategic Co-ordinating Group. The CRR will also need to be updated periodically to reflect changes in the environment in which it is set. Consequently, the CRR should be seen as a living document.

Publication of risk assessments

3.22 Each responder must publish all, or part, of its risk assessments. ¹¹ It may do this (by agreement with its Strategic Co-ordinating Group partners) by publishing all or part of the Community Risk Register. Alternatively, it may publish all or part of an individual risk assessment it has carried out. It may also fulfil the duty by publishing all or part of a plan, where the part published includes a summary of the risk assessment on which the plan is based. See also Chapter 5 of this guidance.

3.23 When publishing their risk assessments, Category 1 responders must have regard to the importance of not alarming the public unnecessarily. ¹² When deciding what may be published, the security classification of information and any restrictions on the disclosure of sensitive information should be taken into consideration.

3.24 In fulfilling the Act's requirements each Category 1 responder should have an auditable process in place regarding its individual risk assessment, the development of a Community Risk Register, the actions it has taken to treat risks identified and, where necessary, the publication of its assessments or the Community Risk Register.