Purpose
- This risk management policy forms part of SSAFA’s internal control and governance arrangements.
- As a registered charity the trustees are required under the Accounting and Reporting for Charities Statement of Recommended Practice (SORP) 2019 to make a positive statement in the annual report confirming that all major risks to which the charity is exposed, as identified by the trustees, have been reviewed and that systems have been established to mitigate those risks.
- The need to disclose our arrangements for risk management is not the sole driver for this policy. We recognise that putting in place effective arrangements for the management of risk is best business practice and brings with it a number of significant benefits.
- This policy sets out the principles underpinning risk management, outlines our risk management methodology and defines the responsibilities of Council members/trustees, the Controller and directors in relation to risk management.
- In addition, it describes how SSAFA will evaluate the effectiveness of its risk management arrangements.
Commitment
- SSAFA acknowledges that efficient and effective management of risk is important in achieving its charity and business objectives. This policy reflects our commitment to sound risk management principles and practices. Furthermore, we would not wish to take undue risk and all significant risk decisions will be based on fully informed Management Board discussions.
Policy Principles
- SSAFA’s policy on risk management is to:
- Meet the requirements of the Charities SORP 2019.
- Consider best practice in designing our risk management procedures.
- Encourage well-managed taking of risk to deliver business objectives, which involves weighing the benefits of an opportunity against the risks involved to minimise any negative impact.
- Provide staff with the policies and procedures necessary for effective risk management.
- Embed risk management in the day-to-day business.
- Identify and prioritise risk using the risk management methodology.
- Regularly monitor major risks at Controller and director level.
- Achieve continuous improvement in risk management.
Responsibilities
The Controller has overall responsibility for the implementation of this policy.
The policy is executed through key personnel who have been allocated specific responsibilities for managing risk.
The organisational structure set out below shows the key personnel with risk responsibilities.
Council
- Council, through its trustees, has overall responsibility for risk management and for the risk management statement required annually by the Charities SORP.
Risk Committee
- Council has delegated oversight responsibility for risk management to its Risk Committee. The duties of the Committee are to:
- Formulate SSAFA’s risk management policy.
- Review the high-level risk registers.
- Advise Council on the effectiveness of the risk management process.
Controller and Management Board
- The Management Board has a fundamental role to play in the management of risk. Its responsibilities are to:
- Set the tone and influence the culture of risk management within SSAFA.
- Communicate SSAFA’s approach to risk to employees and volunteers.
- Design and implement the policy on risk management.
- Encourage good risk management practices.
- Identify and evaluate any significant risks faced by the charity for consideration by the Risk Committee.
- Review the effectiveness of risk management arrangements.
- Review the Management Board high-level risk register quarterly.
- Report regularly to the Risk Committee on the status and management of risks.
- Satisfy itself that the less fundamental risks are being actively managed, with the appropriate controls in place and working effectively.
- Keep the Risk Manager informed of any changes to the services offered by SSAFA or any major changes to legislation affecting departments.
Risk Manager
- The Risk Manager is responsible for:
- Devising and developing this risk management policy.
- Assisting with the categorising of risks.
- Monitoring and reviewing the risk management arrangements.
- Providing assistance to individuals and/or teams who have responsibility for specific risk management actions and ensuring they have received adequate training to carry out their role.
- Maintaining the Management Board high-level risk register.
- Advising on the maintenance of high-level risk registers, and advising departments on the maintenance of operational risk registers.
- Reporting regularly to the Management Board on risk management matters.
Risk management methodology
- The risk management methodology will include the following key stages:
- Identification and regular review of major risks directly linked to strategic aims and objectives and their mitigation.
- Identification and regular review of other major risks and any possible mitigation.
- Assessment of risks in terms of their likelihood and impact.
- Evaluation of the action that needs to be taken.
- Periodic monitoring of risks.
- Monitoring the delivery of the control measures/mitigating actions set out in the risk register.
The risk management process
The risk management process is activated through the following steps:
The assessment tool used is known as RAPID (Risk Assessment Probability and Impact Diagnostic).
Requirements
- All SSAFA departments must maintain operational risk registers, and all deputy controllers must maintain registers of high-level risks (including those escalated from the operational risk registers). If a director is unable to manage a risk, they must escalate it to the Management Board high-level risk register for action. A risk can be passed back to a departmental register once it has been reduced.
- A matrix is used to guide the register owners to analyse and evaluate identified risks consistently. When using the risk matrix, register owners estimate the likelihood against the severity of impact in relation to service provision, financial loss, reputation, legal and other identified criteria.
- Plans for risk control and further treatment measures are developed and implemented by the risk owner, who then monitors their progress to ensure that all actions are completed and/or the risk is managed to an acceptable level.
- At Management Board risk review meetings, the risk owner may suggest either that the risk is removed from the register because it has been reduced, or that it remains on the register for further monitoring. As part of this review process the risk status, actions taken to date and outstanding risk treatment actions are communicated to the Risk Manager. The Risk Manager then ensures the registers are amended accordingly.
- The amended Management Board high-level risk register is then reviewed, challenged, consolidated and prepared for quarterly reporting to the Risk Committee, which has oversight on behalf of Council.
Annual review of effectiveness
- In reviewing the effectiveness of risk management, the following sources will be considered:
- The adequacy of the controls as evidenced by reports from external auditors, internal auditors and third parties.
- SSAFA’s performance in achieving its objectives and its financial and non-financial targets.
- Assurances provided by risk owners, the Controller and directors that all risks to SSAFA have been considered, prioritised and that control methods are effective.
Risk management strategy
- In implementing our risk management policy SSAFA will:
- Provide periodic risk management workshops for the Management Board and heads of department to identify the strategic risks to achieving the business objectives.
- Ensure the Management Board reviews the major risks quarterly.
- Ensure the Management Board reports quarterly to the Risk Committee on the status and management of major risks.
- Annually assess the effectiveness of controls over major risks.
- Periodically review the risk management policy.