Duty to assess risk
Mandatory requirements
Category 1 Responders must:
1. From time to time assess the risk of an emergency occurring - Section 2(1)(a) of the Civil Contingencies Act 2004 - but need only perform this duty in relation to an emergency which affects or may affect the area in which the organisation exercises its functions - Regulation 10. (References to “Regulations” relate to the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations.)
2. From time to time assess the risk of an emergency making it necessary or expedient for the organisation to perform any of its functions - Section 2(1)(b).
3. Consider whether a risk assessment is necessary in relation to an emergency or type of emergency. A risk assessment is necessary if:
- the emergency would be likely to seriously obstruct the performance of your functions - Section 2(2)(a)
- the organisation considers it necessary or desirable to take action to prevent the emergency, to reduce, control or mitigate its effects or take other action in connection with the emergency
- the organisation would be unable to act without changing the deployment of resources or acquiring additional resources - Section 2(2)(b)
4. Take into account any guidance and adopt any assessment issued by Scottish Ministers in relation to:
- the likelihood of a particular emergency or emergency of a particular kind occurring
- the extent to which such an emergency would or might cause damage to human welfare or the environment in Scotland or the security of the UK - Regulation 11
5. Co-operate with other Category 1 responders operating in your Regional Resilience Partnership (RRP) area to maintain a Community Risk Register (CRR) - Regulation 12 (1). This involves:
- from time to time sharing your individual risk assessments, where possible, with the other Category 1 responders in your RRP area - Regulation 12(2)
- having regard to the CRR when producing your own risk assessments - Regulation 12(4)
6. Arrange for the publication of any risk assessments made where publication is necessary or desirable to:
- prevent an emergency
- reduce, control or mitigate the effects of an emergency
- enable another action to be taken in connection with an emergency - Section 2(1)(f)
Issues to consider and recommended good practice
7. Adopting a systematic risk assessment process for threats and hazards (‘threats’ relate to malicious risks; ‘hazards’ relate to natural or non-malicious risks) in the local area. This process should cover:
- the context within which risks exist. This includes:
  - area-specific health, social, economic, and environmental factors
  - the wider risk context, drawing on government guidance (Scottish and UK, as appropriate)
- the likelihood of occurrence
- possible impacts
- capabilities that exist to prepare for, respond to and recover from emergencies caused by the identified threats and hazards
- the identification of potential capability and capacity gaps
- the sharing of information amongst all relevant bodies
The risk assessment process should be monitored and reviewed on a regular basis and in accordance with guidance below.
For further information see Regional Resilience Partnerships’ Risk and Preparedness Assessment Guidance.
8. Reviewing the Risk and Preparedness Assessments and the public-facing Community Risk Register (CRR) and individual risk assessments as often as is necessary to ensure that you are in a reasonable position to maintain and update your emergency and business continuity plans and comply with your CCA duties.
9. Setting up a regional multi-agency group to co-operate in the risk assessment process for the area and to develop and maintain the Risk and Preparedness Assessment and the public-facing Community Risk Register (CRR).
10. Being aware of potential security considerations around some risk-related matters - notably but not exclusively relating to threats - and ensuring information is handled appropriately.
11. Within the constraints of information security, consulting widely (internally and externally) during the risk assessment process.
12. Consultation could include (but is not restricted to):
- key officers responsible for delivering your organisation’s functions in an emergency
- Category 1 and 2 responders
- Scientific/subject matter experts – both from national agencies and academia
- the voluntary sector or parts of the wider community
- Scottish Government policy officials
13. Taking account of “out of area” hazards (including across RRP boundaries, national or transnational; “transnational” meaning other UK and/or international nations) which could affect your organisation and its locality.
14. Sharing the area’s RPA with neighbouring Category 1 responders in contiguous resilience/RRP areas and publishing your CRR.
15. Considering sharing your RPA, or sections of it, with other non-neighbouring resilience areas.
16. Ensuring that the Scottish Government is kept properly apprised of risk assessment in your area and by your organisation and is sent a completed Regional RPA annually.
Indicators of good practice
17. Collectively, being able to demonstrate that responders in the area work together effectively, maximising the use of relevant expertise and avoiding duplication of effort.
18. Being able to provide documentary evidence of a regular process for monitoring, reviewing and updating risk assessments. This should include:
- audit trails recording any updates made
- version control
- a list of contributors
- reference and list sources used (including government guidance)
19. Being able to demonstrate that your risk assessment – as an organisation and collectively within the area – is based on a rigorous analysis of threats and hazards within the organisational and local context.
20. Being able to show how your risk assessment – as an organisation and collectively within the area – aligns with national risk assessments (Scottish and UK, as appropriate) and more generally with relevant government guidance.