RISK MANAGEMENT POLICY
October 2019
Why a policy?
It is difficult to identify GCBR activities that do not involve some form and level of risk. In fact, to be creative and innovative GCBR-related projects and relationships often need to take calculated risk. The objective of this policy is therefore to establish the way that the Board approaches risk and to communicate when staff need to consult the Chief Executive or the Board before undertaking activities that may be detrimental to the GCBR. Asking for permission afterwards is not an acceptable way of doing things.
Risk management
Risk management is the process of identifying, evaluating and controlling risks. The GCBR is not risk-adverse, but it is risk-sensible. Risks can be viewed and reviewed under the following headings and looked at through the lens of the organisation’s strategic goals.
∙ Governance
Is the GCBR governance set up, skills and documents sufficiently risk-aware?
∙ External
On what is the GCBR’s reputation founded and what is it sensitive to?
How might changes in government policy affect GCBR’s ability to reach its goals?
∙ Regulatory
Where is there a risk that failing to comply with legislation will damage reputation and finances?
∙ Financial
How vulnerable are the GCBR’s finances to discontinuation– funder dependency, inadequate reserves, potential for fraud, etc?
∙ Operational
Is the organisational culture conducive to risk-sensible innovation?
Does the organisational set up enable good and timely communication about project processes and challenges?
Do the staff, their roles and aptitudes give confidence in their ability to assess risks of the decisions they make, the relationships they rely on and what they do practically?
Risk assessment
In practice risks can be assessed against two criteria: (i) likelihood that it will occur; (ii) level of impact/ consequences. Each can be ranked or scored and the risk quantified. Once each risk has been ranked the process of risk mitigation should be applied to consider how the level of risk can be reduced to an acceptable level. The risk mitigation process only needs to be applied to risks that are ranked as “high” so as to reduce these to “medium” or “low”.
Likelihood
Score Likelihood of risk occurring
1 Rare: not likely to happen or will only happen in exceptional circumstances
2 Unlikely: not expected to happen, but there is a remote possibility that it will occur
3 Possible: may occur on some occasions, but not frequently
4 Likely: is likely to occur or will happen on more occasions than not
5 Certain: Likely to occur in the majority of cases
Impact
Score | Level of Impact | Possible consequences if risk occurs |
1 | Insignificant | ∙ No impact on functioning ∙ No impact on reputation ∙ Complaint unlikely ∙ Litigation risk remote |
2 | Minor | ∙ Slight impact on functioning ∙ Slight impact on reputation ∙ Complaint possible ∙ Litigation possible |
3 | Moderate | ∙ Some disruption to functioning ∙ Potential for adverse publicity – avoidable with careful handling ∙ Complaint probable ∙ Litigation probable |
4 | Significant | ∙ Functioning disrupted ∙ Adverse publicity not avoidable (local media) ∙ Complaint probable ∙ Litigation probable |
5 | Major | ∙ Functioning interrupted for significant time ∙ Major adverse publicity not avoidable (national media) ∙ Major litigation expected ∙ Resignation of senior management and board ∙ Widespread loss of stakeholder confidence |
A simple risk score would multiply the likelihood by the impact. More complicated is to assign greater importance to impact than to likelihood.
Risk Mitigation
Score Control effectiveness
1 Very good: Controls and management properly designed and implemented 2 Good: Controls implemented with room for improvement 3 Satisfactory: Key controls implemented with moderate room for improvement. 4 Weak: Limited controls in place, high level of risk
5 Unsatisfactory: Controls are non-existent
Risk ranking Level Action level
1– 10 Low risk Accept risk. To be managed at the activity level. 11–20 Medium risk Management action required to reduce risk level to low 21–25 High risk Significant risk. Board action/awareness required.
Communicating these three levels could help staff decide when what they have in mind should be discussed with management or by the board.
Practical application
Having a risk policy is not intended to cramp creativity, but to prevent damage to the GCBR’s reputation and work.
All the identified risks and their ranking should be recorded in a risk register which is a simple list of each risk, its ranking and what controls are in place to mitigate the impact of the risk. This register should be subject to audit on an annual basis.
At best this approach can increase staff awareness and help translate their judgment into informed risk-taking. The policy should be made known to all staff and updated as experience is gathered. Approved by the GCBR Board of Directors – 27 November 2019