1. Policy objective
2. Risk governance
3. Principal risk identification
4. Assess priority risks
5. Risk mitigation
6. Risk monitoring and review
7. Risk communication and reporting
Appendix 1: Charity Commission: Charities and Risk Management (CC26)
Appendix 2: Institute of Risk Management guidance
1. Policy objective
Risk in this policy describes the uncertainty surrounding events and their outcomes that may have a significant impact, either enhancing or inhibiting, on any area of the charity’s operations.
The Charity Commission strongly recommends that charities have a clear risk management policy and process. The charity should have a structured approach to risk management that is appropriate for its size and complexity.
The objective of this policy is to provide guidance on managing organisational risk to support the achievement of strategic objectives, protect beneficiaries, staff and business assets and ensure business operations and financial sustainability. The policy objective is to provide a framework to:
• Define risk governance
• Identify principal risks
• Assess priority risks
• Develop mitigating strategies and actions
• Monitor and review risk activities
• Communicate and report risks
The policy design and section headers are in line with Charity Commission guidance, Charities and risk management (CC26), and UK corporate governance requirements, FRC risk guidance (2014).
2. Risk governance
Council Trustees are required to identify and review the strategic, operational, regulatory, people, political and environmental risks to which the organisation is exposed and to assess the likelihood of such risks and the possible level of impact they would have.
Trustees must be satisfied that risk management is embedded in the organisation and adequate systems are in place to monitor, manage and, where appropriate, mitigate Ummah Care Foundation’s exposure to the major risks.
Audit committee: Detailed review of the priority risk log at every audit committee meeting.
Managers and staff: Comply with the risk management policy and processes and foster an environment where risks can be identified and escalated.
Management team: Review of key management reports, issues and actions at every management meeting. Discuss and decide whether priority risks need to be introduced, amended or replaced in light of external events or operational challenges. Promote risk management processes throughout the organisation and encourage transparency in reporting and speedy issue and risk escalation.
3. Principal risk identification
Risk is embedded within the organisation and risk management is factored into business planning, performance management, audit and assurance, business continuity management and project management. All projects and countries look at risks specific to their particular context. Enterprise wide risks that could have a major impact on Ummah Care Foundation as a whole are those reviewed by Council and management.
There are myriad enterprise risks to which Ummah Care Foundation is exposed. In 2009 the management team took time to identify a ‘long list’ of around 50 risks, split between six main categories:
• Legal and regulatory
• Political and environmental
The purpose of introducing categories is to stimulate thinking and ensure that a comprehensive list of potential risks is developed.
Categorisation is not an exact science and there is some debate over whether people risks should be included separately and whether there should be a separate category for reputational risk. Our preferred approach on reputation is to mainstream it by ensuring that any mitigation strategy should include reputational elements arising from the underlying risk.
The long list of risks is reviewed periodically. From this list a subset of 12 ‘priority risks’ is chosen, which management and trustees consider particularly relevant and important at that point in time. These must have a high level of significance, and be relevant to the current operational challenges and external environment. Most link to one or more objectives from our SIM card.
This process replaced a risk log that was far more comprehensive, but had become nothing more than a tick-box exercise. Focusing senior management and Council on a smaller number of critical risks means we are able to have far more in depth discussions about whether these are the correct principal risks, and what we should be doing to mitigate them. Each principal risk is entered into a risk log; it is dated, summarised, categorised, assigned an owner, and linked to specific SIM card objectives.
Priority risks change quite often; we recently brought in cyber security, media crisis (given the assertive external environment that charities face), and full consideration of safeguarding matters when developing risk mitigation strategies.
4. Assess priority risks
Each priority risk is entered on the risk log. The risk is assessed by considering the following dimensions:
• Risk appetite (high, medium, medium/low, low)
• Significance of the risk (scale of 1-5, where 5 is the most significant)
• Probability of risk occurrence (scale of 1-5, where 5 is the most probable)
• Description of worst-case outcome, including a financial quantification if appropriate
In addition, ‘direction of travel’ is also noted, whether we think that overall the impact of the risk has stayed static since previous review or is changing for better or worse.
5. Risk mitigation
Each risk has an owner responsible for the mitigation strategy. The key elements of the mitigation strategy are noted on the risk log with summary associated comments. In addition, if a risk has been delegated to a specific committee of Council, this is also captured.
A key element of our approach is to capture ‘RAG’ status, which relates to our progress on mitigating the risk rather than on ‘retained risk’. Our view has been that this is far more useful as it indicates what management should be focusing on rather than simply ranking risks post mitigation. ‘Red’ means the strategy is not yet finalised (or can mean that the current strategy has not been found to be adequate to mitigate so we are ‘back to the drawing board’), ‘amber’ means we have a strategy but have not yet fully implemented it, and ‘green’ means we have taken all the actions we think are required.
It is designed to be a dynamic process, both in terms of considering what the top risks are and looking at strategies to mitigate them. These strategies provide the foundation for developing our key operational and financial processes such as safeguarding, reserves, investment and treasury management policies.
6. Risk monitoring and review
The Trustees are ultimately responsible for the system of risk management and internal control and, through the audit committee, review the effectiveness of this system.
Every year the trustees consider in depth the nature and extent of the principal risks that Ummah Care Foundation is willing to take to achieve its strategic objectives. For each principal risk, risk appetite is assessed to balance opportunities for business development and growth in areas of potentially higher risk against maintaining reputation and reasonable levels of broad stakeholder support.
The audit committee reviews the risk log at each meeting.
Key management reports, issues and actions are reviewed at every monthly management meeting. There are discussions to decide whether priority risks need to be introduced, amended or replaced in light of external events or operational challenges. It is the responsibility of senior management to promote risk management processes throughout the organisation and encourage transparency in reporting and speedy issue and risk escalation.
In addition, the risk list is reviewed in depth by senior management prior to each audit committee and annual review of risks by the trustees.
7. Risk communication and reporting
Trustees are required to report on the adequacy of the risk management framework under Charities SORP – Accounting and Reporting by Charities: Statement of Recommended Practice applicable to charities preparing their accounts in accordance with the Financial Reporting Standard applicable in the UK and Republic of Ireland (FRS 102) (effective 1 January 2015).
As well as a risk systems adequacy statement, a description of each priority risk is published by trustees in the annual report.
Risk management is factored into business planning, performance management, audit and assurance, business continuity management and project management and monitoring. All projects and countries look at risks specific to their particular context. Project risk logs are published on the programme portal alongside other relevant documentation.
Partner risk processes, including safeguarding and financial control elements, are assessed as a core element of partner due diligence. If a partner’s policies or processes are deficient, we will not work with them, unless it is deemed essential that Ummah Care Foundation does partner, in which case policies will be developed as part of the early stages of the partnership, led by the due diligence process. These should include child safeguarding and risk management elements, and partners could use our policies as a foundation, adapted to the legislation of the relevant country.
Ummah Care Foundation’s Risk Management Policy is also published on its external website, alongside myriad other key policies such as the Safeguarding Policy and Programme Partnership Policy.
Appendix 1 Charity Commission: Charities and Risk Management (CC26)
Appendix 2 Institute of Risk Management guidance
This document from the IRM summarises UK Corporate Governance Code requirements and notes selected company approaches to designing and implementing risk appetite statements.