Framework document between the Scottish Government and the Scottish Commission on Social Security

Framework document between the Scottish Commission on Social Security (SCoSS) and the Scottish Government, setting out the broad framework within which SCoSS operates.

Updated June 2024.

Governance and Risk

50. Guidance on governance requirements is available in several documents referred to earlier in this framework document:

51. If in any doubt about a governance issue, the Secretary of SCoSS should consult the Sponsor Team in the first instance, and sponsors may in turn consult the SG Public Bodies Unit, the SG Governance and Risk Branch and/or other teams with relevant expertise.

52. The Board and Secretary of SCoSS are advised to pay particular attention to guidance on the following issues.

Risk Management

53. SCoSS must develop an approach to risk management consistent with the Risk Management section of the Scottish Public Finance Manual and establish reporting and escalation arrangements with the AO or Senior Sponsor.

54. The SCoSS Board should have a clear understanding of the key risks, threats and hazards it may face in the personnel, accommodation and cyber domains, and take action to ensure appropriate organisational resilience, in line with the guidance in: Having and Promoting Business Resilience (part of the Preparing Scotland suite of guidance) and the Public Sector Cyber Resilience Framework.

Internal control

55. The Board should establish clear internal delegated authorities with the Secretary of SCoSS, who may in turn delegate responsibilities to other members of staff. SCoSS has a responsibility to set a framework of prudent and effective controls that enables risk to be assessed and managed.

56. Counter-fraud policies and practices should be adopted to safeguard against fraud, theft, bribery and corruption – see the Fraud section of the SPFM.

57. SCoSS must comply with the requirements of the Freedom of Information (Scotland) Act 2002 and ensure that information is provided to members of the public in a spirit of openness and transparency. SCoSS must also register with the Information Commissioner's Office and ensure that it complies with the Data Protection Act 2018 and the General Data Protection Regulation, commonly known as GDPR. Staff data will be managed by the Scottish Government in line with information governance requirements and applicable legislation.

Budget, finance and procurement

58. As SCoSS is unable to enter into contracts in its own name, any procurement activity must be undertaken through the SG in line with the requirements of the Procurement section of the SPFM. SCoSS must not engage in financial investments, borrowing, lease holding or lending.

59. SCoSS is not under normal circumstances permitted to: generate income; receive gifts, bequests or donations; provide grant funding to a third party; make gifts or special payments; or write off losses. Any exceptions must be agreed in advance with the AO or Senior Sponsor and the SG Financial Management Directorate.


60. Remuneration, allowances and any expenses paid to the Chair and Board Members must comply with the latest SG Pay Policy for Senior Appointments and any specific guidance on such matters issued by the Scottish Ministers.

61. All individuals who would qualify as employees for tax purposes should be paid through the payroll system with tax deducted at source.

62. As part of overall compliance with SG HR policies and procedures, the staff (who will normally be civil servants) will come under SG policies, which include Scottish Government pay agreements.
