Risk policy purpose
• Is a formal acknowledgement that the board is committed to maintaining a strong risk management framework. The aim is to ensure that Training 2000 makes every effort to manage risk appropriately by maximising potential opportunities whilst minimising the adverse effects of risks.
• Should be used to support the internal control systems of Training 2000, enabling the charity to respond to operational, strategic and financial risks regardless of whether they are internally or externally driven.
Risk policy objective
• To confirm and communicate Training 2000’s commitment to risk management.
• To establish a consistent framework and protocol for determining risk appetite and for managing risk.
• To assign accountability to management and staff for risk within their control and provide a structured process for risk to be considered, reported and acted upon throughout the organisation.
Risk policy statement
• The Board and executive management of Training 2000 believe that sound risk management is integral to both good management and good governance practice.
• Risk management should form an integral part of Training 2000’s decision-making and be incorporated within strategic and operational planning.
• Risk assessment will be conducted on all new activities and projects to ensure they are in line with Training 2000’s objectives and mission.
• Any risks or opportunities arising will be identified, analysed and reported at an appropriate level.
• A risk register covering key strategic risks will be maintained and updated at least twice a year and more frequently where risks are known to be volatile.
A more detailed operational risk register will be maintained in aspects where this is considered appropriate, taking account of the impact of potential risk and the cost benefit of the exercise.
• All staff will be provided with adequate training on risk management and their role and responsibilities in implementing this. Training 2000 will regularly review and monitor the effectiveness of its risk management framework and update it as considered appropriate.
• Reports will be made to the Board and CEO each quarter of continuing and emerging high concern risks and those where priority action is needed to effect better control.
• Individual error and incident reports will be required from individual staff where a reportable event is identified. The procedures for this are set out in the Crisis Communications (PR/GN.58) and Business Continuity, Disaster Recovery procedures (PR/GN.222). Such incidents which are considered to pose a significant threat to Training 2000, financial or otherwise, will be escalated in accordance with the crisis management plans.
The role of the Board
• To ensure that a culture of risk management is embedded throughout Training 2000
• To set the level of risk appetite for the organisation as a whole and in specific circumstances
• To communicate Training 2000’s approach to risk and set standards of conduct expected of staff
• To ensure risk management is included in the development of business plans, budgets and when considering strategic decisions
• To approve major decisions affecting Training 2000’s risk profile or exposure
• To satisfy itself that less fundamental risks are being actively managed and controlled
• To regularly review the charity’s approach to risk management and approve any changes to this
• To receive reports from internal audit, risk subcommittee, external consultants and any other relevant parties and to make recommendations on this.
The role of the chief executive officer and the executive management team
• To ensure that the risk management policy is implemented throughout the organisation
• To anticipate and consider emerging risks and to keep under review the assessed level of likelihood and impact of existing key risks
• To provide regular and timely information to the Board on the status of risks and their mitigation
• To implement adequate corrective action in responding to significant risks; to learn from previous mistakes and to ensure that crisis management plans are sufficiently robust to cope with high level risk.
The role of business and team leaders
Business and team leaders are responsible for managing project specific operational risks and for ensuring that risks are reported upon in a timely fashion through designated lines of reporting.
Interaction with internal control systems
Risk management forms part of Training 2000’s system of internal controls and should be read in conjunction with the policies and detailed control procedures specified in our Financial Controls, which set out in detail the operational limits within which individuals may act in particular circumstances in order to minimise the risk of fraud or error. These limits cover, amongst other things, control over bank payments and receipts, authorisation and processing of expenditure, and the approval required at particular levels of decision making.
In addition Training 2000 expects to meet minimum standards required by legislation and best practice in operational areas covering the following:
• IT and data protection
• Health and safety
• Governance
• Financial accounting and reporting
The risk of falling short of these standards is mitigated as far as possible by ensuring that appropriate policies and working practices are adopted in each of these key areas and that staff are adequately experienced and trained to manage this.
Where necessary, external advice is sought to supplement internal expertise.
Statement of Risk Appetite
Training 2000’s approach is to minimise its exposure to reputational, compliance and financial risk, whilst accepting and encouraging an increased degree of risk in pursuit of its mission and objectives. It recognises that its appetite for risk varies according to the activity undertaken, and that its acceptance of risk is subject always to ensuring that potential benefits and risks are fully understood before developments are authorised, and that sensible measures to mitigate risk are established.