Risk Management Policy


October 2019 

Why a policy? 

It is difficult to identify GCBR activities that do not involve some form and level of risk. In fact, to be creative and innovative, GCBR-related projects and relationships often need to take calculated risk. The objective of this policy is therefore to establish the way that the Board approaches risk and to communicate when staff need to consult the Chief Executive or the Board before undertaking activities that may be detrimental to the GCBR. Asking for permission afterwards is not an acceptable way of doing things.

Risk management 

Risk management is the process of identifying, evaluating and controlling risks. The GCBR is not risk-averse, but it is risk-sensible. Risks can be viewed and reviewed under the following headings and looked at through the lens of the organisation’s strategic goals.


Are the GCBR governance set-up, skills and documents sufficiently risk-aware?


On what is the GCBR’s reputation founded and what is it sensitive to? 

How might changes in government policy affect GCBR’s ability to reach its goals? 


Where is there a risk that failing to comply with legislation will damage reputation and finances?


How vulnerable are the GCBR’s finances to discontinuation – funder dependency, inadequate reserves, potential for fraud, etc.?


Is the organisational culture conducive to risk-sensible innovation? 

Does the organisational set-up enable good and timely communication about project processes and challenges?

Do the staff, their roles and aptitudes give confidence in their ability to assess risks of the decisions they make, the relationships they rely on and what they do practically?

Risk assessment 

In practice, risks can be assessed against two criteria: (i) the likelihood that the risk will occur; (ii) the level of impact/consequences. Each can be ranked or scored and the risk quantified. Once each risk has been ranked, the process of risk mitigation should be applied to consider how the level of risk can be reduced to an acceptable level. The risk mitigation process only needs to be applied to risks that are ranked as “high” so as to reduce these to “medium” or “low”.


Score Likelihood of risk occurring 

1 Rare: not likely to happen or will only happen in exceptional circumstances

2 Unlikely: not expected to happen, but there is a remote possibility that it will occur

3 Possible: may occur on some occasions, but not frequently 

4 Likely: is likely to occur or will happen on more occasions than not

5 Certain: Likely to occur in the majority of cases 


Score Level of impact: possible consequences if risk occurs

1 Insignificant:
∙ No impact on functioning
∙ No impact on reputation
∙ Complaint unlikely
∙ Litigation risk remote

2 Minor:
∙ Slight impact on functioning
∙ Slight impact on reputation
∙ Complaint possible
∙ Litigation possible

3 Moderate:
∙ Some disruption to functioning
∙ Potential for adverse publicity – avoidable with careful handling
∙ Complaint probable
∙ Litigation probable

4 Significant:
∙ Functioning disrupted
∙ Adverse publicity not avoidable (local media)
∙ Complaint probable
∙ Litigation probable

5 Major:
∙ Functioning interrupted for significant time
∙ Major adverse publicity not avoidable (national media)
∙ Major litigation expected
∙ Resignation of senior management and board
∙ Widespread loss of stakeholder confidence

A simple risk score would multiply the likelihood by the impact. A more complicated approach is to assign greater importance to impact than to likelihood.

Risk Mitigation 

Score Control effectiveness 

1 Very good: Controls and management properly designed and implemented

2 Good: Controls implemented with room for improvement

3 Satisfactory: Key controls implemented with moderate room for improvement

4 Weak: Limited controls in place, high level of risk

5 Unsatisfactory: Controls are non-existent 

Risk ranking Level Action level 

1–10 Low risk: Accept risk. To be managed at the activity level.

11–20 Medium risk: Management action required to reduce risk level to low.

21–25 High risk: Significant risk. Board action/awareness required.

Communicating these three levels could help staff decide when what they have in mind should be discussed with management or by the board.

Practical application 

Having a risk policy is not intended to cramp creativity, but to prevent damage to the GCBR’s reputation and work.

All the identified risks and their ranking should be recorded in a risk register, which is a simple list of each risk, its ranking and what controls are in place to mitigate the impact of the risk. This register should be subject to audit on an annual basis.

At best this approach can increase staff awareness and help translate their judgment into informed risk-taking. The policy should be made known to all staff and updated as experience is gathered.

Approved by the GCBR Board of Directors – 27 November 2019