Appendix: The BBC's response
1. BBC guidance gives both the Executive Board
and the Audit Committee detailed responsibilities for risk management
but they are not clearly delineated. The
BBC Trust, which is responsible for seeing that the Executive
Board addresses the key operating risks for the BBC, should make
it clear that the Executive Board is responsible for the day-to-day
management of risk.
BBC RESPONSE
In its report on the BBC's management of risks, published
in November 2006, the NAO concluded that the BBC has an appropriate
framework for managing risk, and that its approach is similar
to that of other organisations.
Since then the BBC Trust has published a protocol,
incorporating the NAO's recommendations, explaining how the BBC
addresses key operating risks and the respective responsibilities
of the Executive and Trustees. The protocol specifies how the
Trust carries out its responsibilities and delineates the roles
of the Trust and Executive Board in relation to risk management.
2. The main themes used by the BBC for risk management
are not aligned with its corporate objectives, and the Executive
Board is receiving information on almost 300 risks. The
BBC should align its risk management arrangements with the strategic
priorities to be set by the Trust, and rationalise the information
presented to the Executive Board so that its attention is focused
on the most important risks.
BBC RESPONSE
The BBC's top risks, which are regularly reported
to the Executive Board, are aligned to the BBC's corporate objectives.
Each Division of the BBC considers risks in relation to its business
plans and objectives. Risks are recorded on a central system which
produces charts showing their relative importance, and these are
used to escalate and prioritise action.
Not all risks are foreseeable in detail and therefore
the BBC examines its overall ability to respond to unforeseen
events. For example, continuity plans have the highest level of
management involvement. Test exercises are also conducted, the
most recent being in November 2007.
The Executive Board receives a consolidated report
with clear indication of the main risk exposures, their status/importance
and actions undertaken and/or recommended for implementation.
This report, now compiled by the Head of Risk (appointed in October
2007), features a one page Executive Summary which highlights
the key risks.
Also papers on specific risks, recently pandemic
'flu and IT security, are presented to the Executive Audit Committee
on a regular basis.
3. The abduction of the BBC journalist Alan Johnston
while working in Gaza illustrates the risks to which BBC employees
can be exposed. The BBC should update
its assessments of the risks of working in hostile environments.
The BBC should also satisfy itself that freelancers, as well as
its employees, are adequately trained for work which could involve
risks to their health and safety.
BBC RESPONSE
Safety of our people is our primary concern and is
a fundamental tenet behind all our risk management activities.
This applies worldwide and there is a continuous review of security
arrangements and assignments for BBC staff. Efforts to mitigate
risk include the deployment of internal risk specialists and external
advice is sought where necessary. Other activities include tests
of our management response to all emergency situations.
The BBC designates certain countries as "high
risk" and all BBC staff travelling to these countries must
undertake an intensive residential course before deployment. A
series of "refresher" courses are required every three
years.
4. The way the BBC ran a live phone-in competition
on Blue Peter led to Ofcom fining the BBC for failing to comply
with its Broadcasting Code. The BBC subsequently
identified other instances of phone-in and interactive competitions
where the public had been misled. The independent review which
the BBC Trust intends to commission in 2008 will need to identify
the reasons for programme makers ignoring the BBC's own editorial
guidelines and exposing it to significant reputational risks.
BBC RESPONSE
Following these breaches, the Director-General presented
to the Trust's Editorial Standards Committee, an action plan to
address the issues raised by the editorial breaches.
The action plan included a mandatory training programme
"Safeguarding Trust" which all programmes and content
staff are obliged to attend. The training emphasised the absolute
imperative to understand and comply with all of the BBC's values
and editorial standards.
Other measures include the total suspension of all
phone-related competitions across the BBC until sufficient measures
are implemented to ensure competitions are run fairly and honestly.
In November the BBC published a "Code of Conduct"
for competitions and voting on the corporation's television, radio
and online services. It set out a clear understanding to audiences
on how competitions and voting will be handled in future and what
they can expect of the BBC. The Code emphasises trust, respect,
fairness and honesty.
In January the Director-General reported to the BBC
Trust saying that good progress had been made against the action
plan on several fronts and across the BBC, and that all Divisional
Boards now have a Board member with responsibility for ensuring
editorial compliance processes are well understood.
An independent review is being undertaken on behalf
of the BBC Trust by Ronald Neil and his team to assess the impact
of the BBC management's actions and changes to procedures so the
Trust can be sure the BBC can and will comply with its own Editorial
Guidelines and external regulation.
5. The BBC has not related its risks to corporate
objectives or assigned all risks to named owners, as recommended
in Treasury guidance. We have commented
before, in our report on the BBC's White City 2 Development, that
the BBC would benefit from drawing on such guidance.
BBC RESPONSE
Risks are considered in relation to business plans
and objectives by each Division of the BBC.
Within the central database of risks (the Magique
system) it is now mandatory to record risk owners against all
risks. Furthermore, all key risk themes are ultimately owned
by a nominated Executive Risk Owner and Senior Manager.
6. BBC managers at all levels are not sufficiently
engaged in the management of risk:
- senior management are not promoting
risk management effectively;
- individual risk managers are dissatisfied with
the training provided and do not bother to use the available guidance;
and
- good risk management practices are not embedded
throughout the BBC's projects and business processes.
The BBC should develop a timetabled strategy for
increasing and measuring understanding of its risk management
policies and procedures, and require positive confirmation annually
that individual managers understand their responsibilities. It
is helpful that the BBC intends to re-run the National Audit Office
survey of risk management to assess progress.
BBC RESPONSE
Senior management have put in place new processes
for promoting risk management. This includes formal quarterly
reporting (now consolidated into a concise report) which continues
to the BBC Direction Group and the Executive Board.
Divisional Boards are monitored as to how regularly
they take and approve risk reports; this information being part
of the Key Performance Indicators incorporated into formal reporting.
Major projects have risk registers which are regularly
reviewed and updated and where appropriate risks to overall objectives
from these projects are factored into Divisional risk registers.
The NAO identified training and communication as
key areas. An interactive risk management training package is
being developed under the stewardship of the Head of Risk and
with assistance from BBC People's training and development department
to address these issues.
This is in the final stages of development, and will
soon be piloted. Using lessons learnt from the pilot, it will
be rolled out to all Divisions as soon as possible. Once the roll
out is complete and the Head of Risk has reported on overall embedding,
the NAO survey will be re-run to gauge the effectiveness of these
measures.
Briefing papers on "Top and Emerging Risks"
informed by input from all BBC Divisions and the Magique system
are prepared regularly by the Head of Risk and are discussed by
senior management and the Trust Finance and Strategy Committee.
Other points to note regarding the results of the
NAO questionnaire include:
- some 70% of respondents to
the NAO questionnaire "Agreed" or "Strongly Agreed"
that the risk policy/process existing at that time (June/July
2006) was useful. The new policy and additional training will
re-emphasise the importance of full understanding and implementation
of the risk policy.
- similarly in the NAO questionnaire respondents
answered a question on the effectiveness of the BBC's responses
to risk. 72% replied that they felt these responses to risk were
either "Effective" or "Very Effective". The
Head of Risk is taking steps to ensure that there is appropriate
effective response to risk in all Divisions.
7. The BBC Trust, not the Comptroller and Auditor
General, decides the programme and the scope of individual value
for money reviews of the BBC. The
Comptroller and Auditor General should have the same rights of
access to the BBC as to other publicly funded bodies. He would
then be able to decide what to examine and when, on the basis
of a full and independent assessment of value for money risks,
and report to Parliament independently of the BBC. There is no
evidence to suggest that such arrangements would do anything other
than strengthen Parliamentary scrutiny of the BBC and the oversight
role of the BBC Trust.
BBC RESPONSE
Under the new Charter the Trust has an explicit duty
to commission value for money reports. However, ensuring value
for money for the licence fee payer is not the Trust's only duty - protecting
the independence of the BBC is also one of its key Charter responsibilities
and the Trust believes that the current arrangements with the
NAO allow both duties to be satisfactorily fulfilled.