Sport England: Risk Policy for a Small Association

Sport England: Risk Policy for a Small Association (adapted for County FAs)

Risk management procedures

Owner: Chief Executive Officer

Board approved

Supersedes: N/A

Version number: 1.1

Date of issue: [insert date]

Review body: Audit & Risk Committee

Next review date: [insert date]

Original date of issue: N/A

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| 1 | [insert date] | Company Secretary | Draft | Shared with SMT on [insert date] |
| 2 | [insert date] | As above | Draft | Recommended for adoption by the Board on [insert date] |

1. Introduction

The purpose of this document and of the following risk management procedures is to ensure there is a consistent and effective approach to the process of identification and management of risks across the Association. Some level of risk is inevitable, but the aim of these procedures alongside the approved risk management policy is to ensure that every effort is made to manage risk appropriately by minimising any adverse effects and maximising potential opportunities.

2. Identifying risk to the Association

There are many different types of risks that an organisation may face including damage to the organisation’s reputation, poor governance, physical risks to people, breaches of regulations and poor management of resources.

There are a number of different risk categories related to our organisation’s operations and structure. These are listed below with accompanying examples of the types of risks within these categories (these are not exhaustive):

Students

• Any harm or potential harm to our students whilst in our care

• Safeguarding issues, abuse or neglect of a vulnerable student

Contracts

• Failure of partner or partners to deliver

• Failure to adhere to monitoring arrangements

Management

• Loss of key staff, recruitment & retention issues

• Failure to deliver strategic or business plans

Assets

• Misuse or loss of our assets

• Damage, loss, impact on our Property – land, buildings & equipment either owned or leased by the Association

• Information – security, retention, timeliness, accuracy, intellectual property rights

Political

• Change in government priorities which lead to adverse impact on Association

• Misalignment with government strategy/funding

Financial

• Loss of/reduction in funding

• Fraud or other criminal financial loss

Governance

• Ineffective or inefficient controls in place

• Lack of or failure of decision-making

Regulatory

• Failure to meet regulatory/statutory deadlines

Reputation

• Negative publicity either locally or nationally about the Association or one of our staff, students or volunteers

• Damage to credibility

Escalation of risk

The escalation of risk within an organisation is a key mechanism for ensuring that risk is managed at the appropriate level by the appropriate individuals. Relating this to the Association’s risk governance framework, the escalation channels are illustrated below:

• Directors/Trustees

• Senior Management Team w/support from subcommittees

• Departments

• Teams

• Individuals and volunteers

Escalation of the risk should occur in the following circumstances:

• If the risk is exceeding the risk appetite set by the Directors/Trustees for that type of risk and there are no further actions available to reduce it;

• If the current risk owner does not have the delegated authority to manage the risk; and,

• If the risk is shared with other departments/business units, or with external organisations, and agreement is not being reached on how to manage it effectively.

Risks are escalated to the next accountable body, i.e. a risk deemed to be too great for the risk owner at a business unit/head of level will then be escalated and considered for inclusion on the department risk register.

3. How to escalate risk

It is important to note that risk does not just increase or materialise once a quarter, and the Association’s procedures need to be agile in responding to emerging risks.

Escalations should occur in 1:1 meetings with line managers, at team meetings and at department meetings. Where timely, they should be captured in the regular review of the department registers and of the Association registers. Where this is not possible, a risk escalation form should be completed and shared with the respective Director.

In the case of any potential new or increased risk which needs to be escalated to the Corporate Risk Register, the Head of Corporate Governance/Company Secretary should be informed as soon as practically possible so this can be recorded.

4. Reviewing and reporting risk within the organisation

Risks are rated at three different levels (red, amber and green) depending on their likelihood and impact, and the management attention and resource committed to mitigating each of these categories of risk should be allocated proportionately.

The table below outlines an approach for this for the Association Wide Register:

Red

These are significant risks which may have a serious impact on the achievement of objectives if not managed. Immediate management actions need to be taken to reduce the level of residual risk. All red residual risks, at strategic and business unit level, should be reported to the Executive.

Frequency of risk reviews: As a minimum review monthly at an SMT level until the risk is reduced. This review should include the cumulative/progressing impact of the mitigating actions. A decision will need to be taken on whether these risks should also be reported from the Audit & Risk Committee to the Director/Trustee Board.

Amber

These risks may require some additional mitigation to reduce the likelihood of their occurrence, if this can be done cost effectively. Reassess to ensure conditions remain the same and existing actions are operating effectively.

Frequency of risk reviews: As a minimum review quarterly at an SMT level.

Green

These risks are being effectively managed and any further action to reduce the risk would be inefficient in terms of time and resources. Ensure conditions remain the same and existing actions are operating effectively.

Frequency of risk reviews: As a minimum review six-monthly – risks may reduce further and fall from the Association Risk Register.

At a department level or business function level, Directors and Heads of may also wish to replicate this process for reviewing risks within their own areas, then using the escalation process when necessary (as stipulated).

5. How the Association register and sub-registers fit together

Sitting underneath the Corporate Risk Register are a number of functional risk registers owned by each respective team. On a monthly basis, the owner of each functional risk register is prompted to report any necessary escalations to the main corporate risk register, and on a quarterly basis, present to the respective sub-committee, where appropriate.

6. Using the Post-Incident Review process to manage risk

As a tool for managing ongoing risk and mitigating future materialisation of risk, the Association operates a Post-Incident Review (PIR) process, part of which records and logs corrective actions and learnings from each ‘incident’ occurrence in order for the organisation to rectify any outstanding issues before they crystallise.

Any incident reported or referred to the Regulator or an external supervisory body must be taken through a post-incident review process. The number of open PIRs, and the number of complete and incomplete corrective actions, will be reported to the Audit & Risk Committee on a quarterly basis.
