Risk Management Policy

08/08/2019

Author:
Alok Bhatia

Policy objective

Risk in this policy describes the uncertainty surrounding events and their outcomes that may have a significant impact, either enhancing or inhibiting, on any area of the charity's operations.

The Charity Commission strongly recommends that charities have a clear risk management policy and process. The charity should have a structured approach to risk management that is appropriate for its size and complexity.

The objective of this policy is to provide guidance on managing organisational risk to support the achievement of strategic objectives, protect beneficiaries, staff and business assets and ensure business operations and financial sustainability. The policy objective is to provide a framework to:

• Define risk governance

• Identify principal risks

• Assess priority risks

• Develop mitigating strategies and actions

• Monitor and review risk activities

• Communicate and report risks

The policy design and section headers are in line with Charity Commission guidance, Charities and risk management (CC26), and UK corporate governance requirements, FRC risk guidance.

Risk Governance

Role: Council

Responsibility: Trustees are required to identify and review the strategic, operational, regulatory, people, political and environmental risks to which the organisation is exposed and to assess the likelihood of such risks and the possible level of impact they would have.

Trustees must be satisfied that risk management is embedded in the organisation and that adequate systems are in place to monitor, manage and, where appropriate, mitigate ServePlanet's exposure to the major risks.

Role: Audit committee

Responsibility: Detailed review of priority risk log at every audit committee meeting.

Role: Staff

Responsibility: Comply with risk management policy and processes and foster an environment where risks can be identified and escalated.

Role: Management team

Responsibility: Review of key management reports, issues and actions at every management meeting. Discuss and decide as to whether priority risks need to be introduced, amended or replaced in light of external events or operational challenges.

Promote risk management processes throughout the organisation and encourage transparency in reporting and speedy issue and risk escalation.

Principal risk identification

Risk is embedded within the organisation, and risk management is factored into business planning, performance management, audit and assurance, business continuity management and project management. All projects and countries look at risks specific to their particular context. Enterprise-wide risks that could have a major impact on ServePlanet as a whole are those reviewed by Council and management.

There are myriad enterprise risks to which ServePlanet is exposed. ServePlanet has identified these risks and split them between six main categories:

• Financial

• Operational

• Legal and regulatory

• Political and environmental

• Strategic

• People

The purpose of introducing categories is to stimulate thinking and ensure that a comprehensive list of potential risks is developed.

Categorisation is not an exact science, hence the list of risks is reviewed periodically and 'priority risks' are chosen, which are considered by trustees as particularly relevant and important at that point in time. This allows an in-depth discussion about whether these are the correct principal risks, and what we should be doing to mitigate them.

Assess priority risks

Each priority risk is assessed by considering the following dimensions:

• Risk appetite (high, medium, medium/low, low)

• Significance of the risk (scale of 1-5, where 5 is the most significant)

• Probability of risk occurrence (scale of 1-5, where 5 is the most probable)

• Description of worst-case outcome, including a financial quantification, if appropriate.

In addition, 'direction of travel' is also noted: whether we think that, overall, the impact of the risk has stayed static since the previous review or is changing for better or worse.

Risk mitigation

Each risk has an owner responsible for the mitigation strategy. The key elements of the mitigation strategy and specific delegation are noted.

A key element of our approach is to capture 'RAG' status, which relates to our progress on mitigating the risk rather than on 'retained risk'. Our view has been that this is far more useful as it indicates what Trustees should be focusing on rather than simply ranking risks post mitigation. 'Red' means the strategy is not yet finalised (or can mean that the current strategy has not been found to be adequate to mitigate so we are 'back to the drawing board'), 'amber' means we have a strategy but have not yet fully implemented it, and 'green' means we have taken all the actions we think are required.

It is designed to be a dynamic process, both in terms of considering what the top risks are and looking at strategies to mitigate them. These strategies provide the foundation for developing our key operational and financial processes such as safeguarding, reserves, investment and treasury management policies.

Risk monitoring and review

Council is ultimately responsible for the system of risk management and internal control and through the audit committee reviews the effectiveness of this system.

Every year Council considers in-depth the nature and extent of the principal risks that ServePlanet is willing to take to achieve its strategic objectives. For each principal risk, risk appetite is assessed to balance opportunities for business development and growth in areas of potentially higher risk, while maintaining reputation and reasonable levels of broad stakeholder support.

The audit committee reviews the risk log at each meeting.

Key management reports, issues and actions are reviewed at every monthly management meeting. Council is accountable for promoting risk management processes throughout the organisation and encouraging transparency in reporting and speedy issue and risk escalation.

Priority risks are reviewed regularly by the Council and considered when developing the annual internal audit plan. Key risks are also assessed and referenced in the development of the audit approach for each individual internal audit review.

In addition, the risk list is reviewed in depth prior to each audit committee and annual review of risks by Council.

Risk communication and reporting

Trustees are required to report on the adequacy of the risk management framework under Charities SORP - Accounting and Reporting by Charities: Statement of Recommended Practice applicable to charities preparing their accounts in accordance with the Financial Reporting Standard applicable in the UK and Republic of Ireland (FRS 102) (effective 1 January 2015).

As well as a risk systems adequacy statement, a description of each priority risk is published by trustees in the annual report.

Risk management is factored into business planning, performance management, audit and assurance, business continuity management and project management and monitoring. All projects and countries look at risks specific to their particular context. Project risk logs are published on the programme portal alongside other relevant documentation.

Partner risk processes, inclusive of safeguarding and financial control elements, are assessed as a core element of partner due diligence. If their policies or processes are deficient, we will either not work with them or, where it is deemed essential that ServePlanet does partner, policies will be developed as part of the early stages of the partnership, led by the due diligence process. These should include child safeguarding and risk management elements, and partners could use our policies as a foundation, adapted to the legislation of the relevant country.

ServePlanet's Risk Management Policy is also published on its website, alongside myriad other key policies such as the Safeguarding Adults Policy, Safeguarding Children Policy, Grant-making Policy, Ethical Donation Acceptance Policy and Programme Partnership Policy.

Appendix 1

Charity Commission: Charities and Risk Management (CC26)

Appendix 2

Institute of Risk Management guidance

www.theirm.org/media/3296897/0926-IRM-Risk-Appetite-12-10-17-v2.pdf

This document from the IRM summarises UK Corporate Governance Code requirements and notes selected company approaches to designing and implementing risk appetite statements.
