Statement on Internal Control
Scope of responsibility
As Accountable Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of Ofcom’s policies, aims and objectives, while safeguarding the public funds and Ofcom’s assets for which I am personally responsible, in accordance with the responsibilities assigned to me in Managing Public Money and in the Ofcom Financial Memorandum issued to me by the Secretaries of State for Business, Enterprise and Regulatory Reform and for Culture, Media and Sport.
I am required to advise the Board if any action would infringe upon the requirements of propriety or regularity or upon my wider responsibilities for value for money.
The purpose of the system of internal control
The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives. It can therefore only provide reasonable and not absolute assurance of effectiveness. Ofcom’s system of internal control is based on an ongoing process designed to:
- identify and prioritise risks to the achievement of Ofcom’s policies, aims and objectives;
- evaluate the likelihood of those risks being realised and their impact should they be realised;
- manage those risks efficiently, effectively and economically; and
- integrate risk management into Ofcom’s wider set of management processes.
The system of internal control based on the above objectives has been in place in Ofcom for the year ended 31 March 2008 and up to the date of approval of the Annual Report and Accounts and accords with Treasury guidance.
Capacity to handle risk
Ofcom has developed an effective risk management strategy around four key principles:
- clear ownership of roles and responsibilities;
- establishment of corporate systems to identify, report and evaluate risks and their potential impact;
- ensuring colleagues have the appropriate skills to identify and assess the potential for risks to arise in the delivery of Ofcom’s remit; and
- the creation of a culture which supports well-managed risk-taking where to do so is likely to lead to sustainable improvements in service delivery.
Ofcom recognises, however, that organisational risk tolerance will vary dependent on the circumstances. Ofcom remains highly risk averse in certain areas of its core operational activities but will tolerate, or even encourage, greater risk-taking in other, more policy-focused areas in order to achieve beneficial changes for citizens and consumers. This acceptance of a higher level of risk does not, of course, override the need for a full evaluation of such risk before such activities are undertaken, nor override the need to take appropriate actions to manage risk effectively within the tolerances adopted.
Ofcom has therefore developed appropriate processes for the systematic identification, evaluation and control of risk and has further enhanced these in 2007/8.
The risk and control framework
Executive Committee role
Under Ofcom’s risk management arrangements the Executive Committee has a key role in managing Ofcom’s risk profile and considering the main risks which might prevent achievement of its policies, aims and objectives. The Committee met weekly for most of 2007/8 and is the most senior internal management committee of Ofcom. To reflect Ofcom’s maturing management arrangements, the Committee moved to monthly meetings from February 2008 onwards with a newly reconstituted Operations Board, meeting every two weeks, taking on more of the decision-making processes.
All members of the Executive Committee are committed to undertake regular reviews of the major areas of risk for which they are responsible and to work with their teams to ensure that all Ofcom colleagues are able to identify and highlight risks attached to their areas of activity and to take appropriate action to manage such identified risks.
This identification process is intended to establish the priority policy and operational risks which could affect Ofcom’s ability to deliver its Annual Plan objectives. Actions to address priority risks are reviewed by the Executive Committee on a monthly basis and, periodically, the list of priority risks is reviewed to assess its continuing relevance with risks added or removed as appropriate.
In addition, individual risk registers have been maintained, in an appropriate form, for each functional area within the organisation. Members of the Executive Committee are responsible for managing the risks in their areas. They must do so in a manner in keeping with Ofcom’s overall tolerance of risk.
As part of the annual planning process carried out in relation to 2008/9, all projects have been assigned a risk ranking to help prioritise Ofcom’s forthcoming work. All project managers are required to identify risks attached to their projects and to put in place measures to manage such identified risks, and a section within decision papers is designed to make key risks and their management visible to decision makers.
The Directorate of Planning and Development is responsible for the overall co-ordination of the risk identification and assessment process and works with the Executive Committee and the project teams on risk identification and management.
Ofcom’s profile of prioritised risks is reviewed annually following the business planning cycle.
Risk management reporting and reviews
Actions identified, implemented and embedded into Ofcom include:
- a weekly report by the Communications Director and Director of the Chief Executive’s Office of current concerns in terms of stakeholder relations;
- a monthly Management Information report circulated to all members of the Executive Committee which incorporates:
  - the register of priority risks updated by the Executive Committee risk owners. Each month this is reviewed by the Executive Committee to help monitor risks at a corporate level; and
  - exception-based reporting of other high and medium level risk status projects across the organisation, litigation risks, financial and other operational risks.
- a review at each meeting of the Audit Committee of Ofcom’s litigation risks and security risks. The Committee annually reviews Ofcom’s financial statements and committee members regularly receive Ofcom’s monthly management information pack;
- an annual risk review to analyse the adequacy of the risk identification and monitoring process, based on the Government’s Risk Management Assessment Framework;
- an annual review and discussion of internal controls by the Board with the Chairman of the Audit Committee; and
- the carrying out of impact assessments (as required by the Communications Act 2003) designed to identify, inter alia, the risks attached to proposed policies to be introduced by Ofcom.
Ofcom has taken action during 2007/8 to tighten security over its handling of personal and sensitive information. Further steps to ensure continued security of information will be taken during 2008/9.
Integrated approach to risk management
Risk management processes, set out in a risk management policy document incorporating risk assessment criteria, are integrated into the project management system for policy projects. Other aspects of the integrated approach are set out below:
- colleagues’ capacity to handle risk is reinforced by face-to-face risk management briefings for management teams in policy groups and by the continuing focus of management review boards on what could prevent delivery of planned outputs or achievement of policy or operational outcomes;
- during 2007/8 the role of steering groups was expanded including responsibility, where appropriate, for considering the risk approach relevant for projects within its remit and to review risk management actions at a more detailed level;
- application of Treasury management policy and procedures aligned with the risk management policy;
- appropriate controls on the delegated authorities from the Board to colleagues both to agree policy decisions and to commit to expenditure;
- an internal audit plan agreed annually between the Audit Committee and the internal auditors with regular reviews by the internal auditors of the appropriateness of Ofcom’s system of internal controls together with recommendations for improvement;
- the maintenance of a ‘whistle-blowing’ or ‘protected disclosure’ policy to enable Ofcom colleagues to communicate concerns to an independent member of the Executive Committee;
- the operation of a security policy dealing with all aspects of security including personal, document and IS; and
- a Health and Safety Policy including required practices for risk assessment and management.
Review of effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the executive managers within Ofcom who have responsibility for the development and maintenance of the internal control framework, the work of the internal auditors and comments made by the external auditors in their management letter and other reports.
The process that has been applied in maintaining and reviewing the effectiveness of the system of internal control is as follows:
The Board
The Board has overall responsibility for monitoring the effectiveness of Ofcom’s system of internal controls and receives regular reports from the Audit Committee.
The Audit Committee
The Audit Committee plays an important role in managing risk within Ofcom. It is constituted in line with Treasury guidance, with Non-Executive Members of the Ofcom Board on the Committee and an independent Non-Executive in the Chair with direct access to the Chairman of Ofcom. The Audit Committee reviews the effectiveness of the risk management process. It met four times during the year.
I am not a member of the Committee but attend most of its meetings, as do our internal auditors and our external auditors, the National Audit Office. The Committee’s terms of reference incorporate a right of access to the Chair for both the internal and external auditors.
Internal Audit
The internal audit function was outsourced to KPMG in November 2003 and re-tendered and won by KPMG in 2006. It carries out its work in accordance with the Internal Audit plan that is approved by the Audit Committee and which is designed to allow internal audit to make a statement on the adequacy and effectiveness of Ofcom’s risk management, governance and control processes for the year.
The Audit Committee receives regular reports from internal audit. These reports identified a number of opportunities for improving controls and procedures, which management has responded to positively, and concluded in the year under review that, based on the work undertaken, Ofcom has a satisfactory system of risk management, governance and control.
Annual risk review
A number of recommendations arising from the risk review carried out in the first half of 2007/8 were addressed during the year, enhancing Ofcom’s risk profile and processes. These enhancements included:
- a new role for steering groups: remit to include, as appropriate, agreeing risk approach with project teams;
- integrate risk refresh as part of 2008/9 strategy planning in September 2007 Board awayday;
- improving our prediction and response to emerging risks, through better understanding of stakeholders particularly regarding new business models;
- a more robust internal review and challenge of significant linked policy-implementation-operational activities; and
- more scenario planning to consider possible risks to policy outcomes and potential responses.
Other assurance mechanisms
A number of financial control processes have been maintained. The Finance department produces monthly management accounts which are reviewed by budget holders, the Executive Committee and Board on a monthly basis to identify departures from the original budget.
Ofcom re-forecasts its expenditure and outputs (primarily planned consultation documents and policy statements) on a quarterly basis to take into account changes in the work required to meet its strategic objectives and ensure that it operates within the financial targets of the Annual Plan. The Annual Plan is prepared following consultation with stakeholders and a rigorous internal approach involving project managers, the Executive Committee and final approval by the Board.
Capital expenditure projects are approved on an individual basis through presentation of a business justification, risk assessment and discounted cash flow forecast to the Operations Board, and, where they exceed certain expenditure thresholds, the Executive Committee and the Board.
During 2007/8 Ofcom’s IS renewal programme completed the development of a new system for spectrum licensing covering fixed links; this was implemented in April 2008. The renewal programme was subject to an internal review in the year resulting in replanning of tasks and a new governance structure. Risks identified have been closely monitored at project management, Operations Board and Board level and appropriate action taken to address cost, time and functionality risks and issues.
Executive Committee members provide to the Accountable Officer a signed annual assurance statement in relation to their operation of internal controls for the major areas of risk they are responsible for.
I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Board and the Audit Committee and a plan to address weaknesses and ensure continuous improvement of the system is in place. It is my belief that there are satisfactory processes in place for identifying, evaluating and managing the significant risks faced by Ofcom.
Ed Richards
Chief Executive
17 June 2008