The key corporate risks managed by ORR during 2023-24 were as follows:
Principal risks and mitigating actions | Risk category | Change in the year |
---|---|---|
Uncertainty around implementation of CP7 and modernisation programmes, industrial relations, financial pressures and managing ageing infrastructure impact on ORR’s credibility as a health and safety regulator. We have worked with dutyholders, seeking sustained compliance with health and safety responsibilities (delivering our proactive inspection work, providing feedback in end of year reports and appropriate use of enforcement). We are progressing a strategic intervention on Network Rail maintenance delivery in CP7, including embedding of modernising maintenance and management of change. We pursue effective responses from Network Rail to rail break incidents and seek assurance of learning from such incidents across Network Rail. We will recruit additional resource to provide a focal point to work with internal and external stakeholders in holding Network Rail to account for meeting commitments in their CP7 delivery plan for safety. | Reputational | Score remained the same throughout the year |
ORR does not hold Network Rail to account for declining train service performance. We held Network Rail to account in accordance with our holding to account policy, escalating concerns with train service performance where relevant. We publicly reported on Network Rail’s contribution to train service performance, including through a published letter and Network Rail annual assessment report. We engaged with industry stakeholders on our approach to holding to account for train service performance. An investigation was launched into Network Rail’s train service performance in its Wales and Western region, as train performance was notably poor compared to other Network Rail regions. | Reputational | Score remained the same throughout the year |
We fail to deliver key milestones of PR23 programme, causing uncertainty for Network Rail, its supply chain and train operators. Programme milestones were actively tracked by the project management office throughout the 2023 periodic review, and risks and mitigations actively monitored. We worked with external stakeholders and had governance channels in place to coordinate the delivery of key milestones. | Reputational | Risk closed after the publication of the final determination |
We do not keep pace with emerging cyber security threats which results in a cyber attack on the critical infrastructure of the business. Network management is kept up to date and in accordance with recognised standards. Laptop and mobile device encryption and multi-factor authentication have been in place throughout the year. We maintain and publicise a security policy for accessing data. Staff are reminded of their responsibilities in respect of data security and are encouraged to report potential problems. We work with partner organisations to monitor threats and implement security measures. | Operational | Score increased part way through the year |
Having exposed the size of the issue, we are ineffective in reducing the effect of resource availability shortage “P*-coded” pre-cancellations on passengers and stakeholders. We have required TOCs to advertise pre-cancellations to the public as soon as they are known. We will use the TOC licence to monitor compliance. We collect and publish periodic data from all TOCs on resource availability shortage “P*-coded” pre-cancellations, including where caused by Network Rail. We are currently engaging TOCs and Network Rail to bring network-wide consistency on how pre-cancellations are recorded, intending to eliminate the need to collect separate data and therefore reduce manual processing workload. | Reputational | Risk lowered due to increased transparency through our reporting |
Delays and challenges in setting of RIS3 lead to a loss of confidence in the roads reform system and impact ORR’s advice to the Secretary of State. We started our efficiency review at risk to mitigate the impact on the delay to the overall programme, by reviewing an interim draft RIS and draft strategic business plan. We have also engaged with DfT and National Highways on what contingency plans would be required, should there be no RIS by March 2025. | Reputational | Risk arose in Q3, score has remained the same for the remainder of the year |