Risk Management Policy
1. Policy Statement
This policy sets out the principles Versus Arthritis (VA) uses to improve risk literacy (the ability to understand and make informed decisions about the likelihood and impact of different outcomes) across the organisation. Risk management is the responsibility of everyone within the organisation, not just a few key personnel.
Appropriate risk management is key to good business practice. A risk is an uncertain event that may have an impact on our organisational objectives. Our policy sets out how we manage uncertainty, which may take the form of a potential opportunity or a potential threat, as a risk can be either of these. Our aim is to increase the number of opportunities and reduce the number and/or severity of threats to the charity. We assess our risk tolerance by determining how much risk VA can cope with, and we assess our risk appetite by determining how much risk we can pursue that will bring value to VA (further guidance about what we deem to be within our risk tolerance and risk appetite is contained in our Risk Management Procedure, on pages 7 and 8 of that document).
The Risk Management Procedure also outlines the risk management processes at VA, including key roles and responsibilities.
SCOPE
This policy and associated procedure apply to:
- employees of VA, including permanent or temporary, casual and agency staff (Employees);
- members of the VA Board of Trustees when acting in that capacity (Trustees);
- volunteers, including branch and group members, secondees and contractors when working in, or directly on behalf of, the Charity.
Key terms and definitions
Compound Risk: this occurs when multiple related risks are identified simultaneously, or one after another.
Opportunity: A situation that allows VA to meet its objectives and/or brings value to it.
Risk: An uncertain event that may impact VA’s objectives or delivery outcomes positively or negatively.
Risk Appetite: the level of risk VA is willing to accept in order to achieve its business objectives, before needing to take steps to reduce the risk.
Risk Management: The formal process of identifying, monitoring and mitigating a risk, in which the risk is measured by determining the impact and probability of the risk, and the results are used to calculate the overall risk score.
The aim is to reduce the impact and probability (and overall risk score) of a risk through management processes and procedures.
For the avoidance of doubt, where a risk occurs, it is no longer referred to as a risk, but as a live issue/event, because the risk has materialised.
Risk Tolerance: How much deviation from VA’s risk appetite and business objectives is deemed acceptable, including the level of uncertainty it will tolerate. Risk tolerance sets the limits of risk-taking that VA will not exceed in pursuit of its goals. For example, a project must be completed within an estimated budget and timeline, but a 10% overrun in budget and time is tolerated.
Threat: The possibility that an uncertain event may cause VA (including its Employees, Trustees and volunteers) to come into harm's way or cause it to get into trouble, for example reputationally, or with its regulators.
2. Rationale
Good risk management is essential to mitigate risks. VA uses a risk management model originally developed by Sayer Vincent called Re-Thinking Risk. Risks are categorised using thematic pillars - there are currently 7 thematic risk pillars applied across VA as follows:
| THEMATIC RISK PILLAR | WHAT THIS MEANS | EXAMPLES |
| --- | --- | --- |
| 1. FINANCIAL SUSTAINABILITY | Risk that prevents VA delivering its objectives. | Charity fails to define and implement a fit-for-purpose, sustainable business model, leading either to fundamental failure or serious reduction of activity (business model risk). |
| 2. PEOPLE | Risk that affects individuals at VA in the areas of work and recruitment. | Charity is unable to attract and retain an appropriately skilled workforce and volunteer cohort (talent risk). |
| 3. COMPLIANCE | Risk that results in a breach of regulation or legislation that may lead to VA being prosecuted. | Charity has a non-systematic approach to regulation. |
| 4. IMPACT | Risk that prevents VA from achieving its desired outcomes for people with arthritis. | Charity is unable to measure, evaluate and report its impact. |
| 5. SAFEGUARDING | Risk leading to a breach of VA’s duty of care to vulnerable adults, young people and children. | Charity fails to embed safeguarding practices into its everyday operation. |
| 6. REPUTATION | Risk of VA being viewed negatively. | Charity engages in activities that are controversial or likely to provoke public hostility, with negative impact on both income and influencing ability. |
| 7. CYBER AND DATA | Risk that VA’s control of data and/or boundaries is non-compliant or breached. | We fail to respect a person’s data privacy or other GDPR rights. A member of staff leaves unsecured data in a public place or responds inappropriately to a phishing attempt. Our IT firewalls, and therefore our ICT systems, are overwhelmed by a denial-of-service attack. |
3. Making it Happen
VA adheres to the following principles when identifying and managing risk:
a) We recognise risk is inherent in any successful organisation – and that not accepting risk could ultimately lead to failure of the sustainability of the Charity or the failure of our organisational mission for people with arthritis;
b) It’s essential that our risk processes are workable at an everyday level. We therefore take an active but not over-complicated approach to risk management by identifying, categorising, recording, reviewing and embedding mitigation actions into our core work;
c) We recognise that risks sit across VA in our different areas of work, so we have created registers on which risks are recorded (some risks appear on multiple registers), based on severity level and ability to affect legal and business continuity. The registers are not an end in themselves, but a tool to help us monitor and manage those risks, and so the registers will evolve from time to time;
d) We use a system to transfer risks between registers, ensuring proper resource allocation for monitoring and management. For example, if a risk score decreases, or the risk falls within our risk appetite through the mitigation actions we have put in place, we move it to a lower-level risk register. We raise awareness to ensure Employees know it is their duty to consider risks as part of their objectives and responsibilities and to understand how to deal with risks;
e) Accountability is clear through the allocation of a risk owner to each risk – this person is responsible for monitoring and managing the risk and ensuring the impact and probability of the risk decreases through mitigation actions;
f) We apply best practice risk management procedures by using advanced tools such as SharePoint Lists, which allow us to monitor and share risk scores and mitigation actions;
g) We recognise the need to raise awareness and provide the necessary training and support;
h) We perform mandatory risk assessments;
i) We have insurance policies where we are legally obliged to do so, or they are commercially sensible; and we provide regular risk reporting to the Senior Leadership Team, Trustees and the wider organisation for transparency and feedback.
Risk Appetite
VA has an appetite to accept risk and/or tolerate risk under our 7 thematic risk pillars mentioned earlier, as follows:
Safeguarding
We work with people who are often more vulnerable than the typical population and we strive to provide activities that are relevant and beneficial. To work with the public in this way we accept a certain amount of uncertainty. We accept that we owe duties of care towards beneficiaries who may be children, young people or vulnerable adults, and that their circumstances each present unique risk. The risks may be physical or psychological, and in the real world or online. We manage those risks with safety as our highest priority. We do what we can to avoid putting those we have a direct relationship with in harm’s way, whether they are employees, volunteers, service users or others.
Reputation
We want to stand with people impacted by arthritis, and we have a higher appetite for risk if what we are doing or saying is necessary or important to our beneficiaries. We have a very low appetite for incidents of misconduct or unsanctioned behaviour, especially those risks with individual, legal and financial consequences.
Financial Sustainability
We aim to deliver stability, especially to those who are front-line facing or directly supporting customers.
It is essential that we manage the charity in a way that allows us to deliver our social mission both now and into the future. However, we rely on fundraising for a proportion of our income which is by nature uncertain. We also must manage our long-term reserves in a way that yields income reliably for the charitable purpose but preserves their core value against the risks of the volatile markets where they are invested.
To achieve diverse income streams, we accept proportionate and defensible risk when we test new investment streams/funding streams/ideas that may generate higher return (while protecting vulnerable people, avoiding proceeds of crime and in line with our ethical policy).
Compliance
We aim to have a proportionate approach to managing regulatory breach, avoiding an excessively bureaucratic operation model but erring on the side of caution. We follow best practice and prudent approaches wherever possible.
Impact
We look for opportunities and ways to deliver innovatively and effectively for people with arthritis. To achieve the highest standards, we must accept a high level of uncertainty and acknowledge that success may be different from an initial plan and that not everything we try to do to create positive impact for people with arthritis will succeed.
It is impossible to control all external risks, but we try to influence others (such as UK government and devolved governments) to reduce uncertainty for people with arthritis.
Cyber and data
We try to ensure we have proper systems, policies and procedures in place to protect the data we hold. We recognise that lowering the risk of a data breach in accordance with National Cyber Security Centre and Information Commissioner’s Office guidelines requires awareness raising and improving risk literacy through delivering training to our Employees and Trustees. However, there may be brief periods of uncertainty, for example at times when new personnel are learning their responsibilities or when there are gaps in key personnel.
Approach
Risk management does not include managing or addressing live, real-time issues that have already taken place or are taking place; other management tools exist for these. VA’s risk management approach provides valuable tools to proactively reduce and manage risks before they become real-time issues.
This is a systemic approach to risk management. Further information about the three types of risk registers and the risk movement process is provided in the risk management procedure.
Review
This policy will be reviewed every year and relevant supplementary information is distributed to all relevant staff. Suggestions for inclusion, corrections, and revisions for future editions of this document should be sent to the Risk and Compliance Manager and the Head of Governance, Assurance and Legal.
Appendix:
Charity Commission Guidance:
- How to report a serious incident in your Charity
- What Ofsted means by a serious incident
- Charity Commission: “Examples table: deciding what to report”
Related VA policies and Procedures
All VA policies can be found at Policy Hub - Home (sharepoint.com)
- Antibribery and Corruption Policy
- Anti-Fraud Policy
- Business Continuity and Disaster Recovery Policy
- Fundraising Policy
- Modern Slavery policy
- Procurement Policy
- Whistleblowing Policy