Bournemouth Primary MAT Risk Management Policy

1. Introduction

The Bournemouth Primary Multi-Academy Trust (the Trust) operates a risk management system in order to identify and manage key exposures and potential events that may threaten its ability to deliver its day-to-day activities and its strategic plan objectives. For the purpose of this policy, risk is defined as the threat that an event could adversely affect the Trust's ability to meet its day-to-day objectives and execute its strategies successfully.

Risk Management plays an important role in the Trust for a number of reasons:

- It helps people make better quality decisions, by drawing attention to the positives and negatives associated with different options. Consideration of risk does not stop us doing what we need to do to get the job done.
- It is an essential part of governance as it ensures decision makers and other stakeholders are kept informed of significant risks facing the business, and tells them how the organisation is managing these risks effectively.
- It is also recognised as a useful planning tool for identifying and managing risks which could affect the Trust's performance in areas such as:
  o Achieving strategic objectives and priorities;
  o Complying with legislation or regulatory requirements;
  o Achieving value for money or high levels of performance;
  o Delivering projects;
  o Protecting the organisation's reputation.

2. Scope

This policy applies to the Trust and all of its constituent schools. Any local procedures shall be consistent with this policy.

3. Statement of Intent

Risk Management

The Trust recognises that many of its activities involve risk and accepts that, whereas risk cannot be entirely eliminated, action must be taken to ensure risks are identified, properly assessed, mitigation strategies are agreed, responsibilities are clearly established and appropriate action plans are implemented.
The Trust Board has ultimate responsibility for the management of risk and for agreeing the Trust's annual Statement of Internal Control. It needs to satisfy itself that appropriate policies are in place and that the internal control system is functioning effectively, so that key risks which threaten the Trust are identified, recorded and minimised. Members of the Audit & Risk Committee assist the Trust Board in this process by performing an annual review of the effectiveness of the risk management activities; this will be helped by the Internal Auditor's progression of their annual internal audit plan, and their report on the effectiveness of the Trust's systems of internal control.

For the Trust to effectively manage risk:

- Risk Management is considered to be a key competency for Trust Board members and managers;
- The Trust will maintain a Risk Register showing the main risks faced by the Trust and the arrangements for managing them;

Version: 1 December 2016
- Everyone in the organisation must understand the risk implications of the activities that they perform, recognise the importance of internal controls and act accordingly.

The Trust Board recognises that risk management is an integral part of good management practice and, to be most effective, should become part of the Trust's culture. Therefore the Trust Board is committed to ensuring that risk management forms an integral part of the Trust's approach, practices and strategic plans. Risk management is not viewed or practised as a separate programme, and responsibility for implementation shall be at all levels of the organisation.

Decisions regarding responses to and the acceptance of individual risks should always be made within the context of the risk appetite as determined by the Trust Board. The Trust Board believes that its general risk appetite fits across the medium risk classifications Minimalist/Cautious/Open (see Appendix A: Risk Appetite Statement). A small number of the Trust's activities, mainly some associated with compliance, need to operate in a low risk environment, e.g. health and safety.

4. Risk Management Approach

The 'three lines of defence' has become a standard model in a modern organisation's approach to managing uncertainty and preventing risk.

- The first line consists of the Trust's front line staff. They are charged with understanding their roles and responsibilities and carrying them out correctly and completely.
- The second line of defence is the line managers. They set and define work practices and oversee them with regard to risk and compliance.
- The third and final line of defence is that of auditors and the Senior Management Team.
  o Internal and external auditors regularly review the Trust's core services and the oversight functions to ensure that they are carrying out their tasks to the required level of competence.
  o The Senior Management Team takes feedback from a variety of sources and acts on any items of concern from any party; it will also ensure that the three lines of defence are operating effectively and according to best practice.

In addition, the Trust uses a comprehensive range of internal controls with which to manage risk. These will include:

- External Audit Programme;
- Internal Audit Programme;
- Appropriate Governance Arrangements;
- Policies and procedures aimed at managing specific risks, e.g. Preventing Financial or other Losses, Health and Safety;
- Insurance Policies;
- Procurement requirement for a minimum level of Insurance from our suppliers (where appropriate);
- Appropriate Codes of Conduct for Trust staff and Trust Board members.

The Trust will respond appropriately to each key risk identified. Where appropriate, a series of controls will be introduced by management in order to manage the risk. Whilst the response to each risk will depend on the nature and severity of the risk, the Trust's overall approach will be:

- Where possible the Trust should withdraw from activities that expose the organisation to unacceptable levels of risk;
- Introduce controls to prevent the risk event from occurring. These should be as effective as possible whilst giving consideration to the costs/benefits;
- Where preventative controls are not considered fully effective, introduce controls to promptly identify a risk event occurring and reduce its impact to an acceptable level.
Responsibilities

The Trust Board retains overall responsibility for the management of risk. However, the Trust Board has delegated responsibility for the oversight of the Trust's risks to the Audit & Risk Committee, which reviews the most significant risks faced by the organisation and changes to the Risk Register at each of its meetings.

The Trust looks to the Senior Management Team to manage the risks on a day-to-day operational basis. Their aims are to:

- Encourage a culture of risk awareness amongst the wider staff;
- Ensure risks remain well managed by their risk owners;
- Ensure accountability and responsibilities are clear;
- Create a structure for reporting on appropriate risks to the Trust Board and to the Audit & Risk Committee.

In order to raise awareness of Risk Management throughout the organisation, Risk Management should be considered at every level of the business:

- Risk Management should be introduced to new employees through the Staff Induction process;
- Risk management should form part of team discussions at all levels in the Trust.

Risk Identification

The identification of risk involves all Trust Board members, management and staff and should take place in a variety of ways, including:

- Regular planned discussions between staff and their line managers;
- Regular, planned discussions by the Senior Management Team;
- Review by the Audit & Risk Committee of management's assessment of key risks in the light of developments and current knowledge of changes/risks in the sector.

Risk Reporting and Monitoring

In order to provide a consistent approach to the management of risk across the Trust:

- A 5 x 5 matrix (see Appendix B: Risk Rating) is used to assess the risks facing the Trust.
- Risks with a net score of 8 and above (Red and Amber) are considered to be the Trust's key risks.
- The Audit & Risk Committee will review the key risks as part of a standing agenda item.
- The Trust Board and Audit & Risk Committee will review the whole risk register annually.
Internal Audit

A central aim of the Trust's Risk Management Policy is to continually improve risk management throughout the Trust. The Trust has outsourced the Internal Audit function and views the independence of the Internal Auditors as a key factor in obtaining independent validation of the risk management process.

The Internal Auditor:

- Provides an objective evaluation of, and opinion on, the overall adequacy and effectiveness of the Trust's governance, risk management and internal control;
- Establishes risk based plans for periodic planning purposes based on the Trust's risk register;
- Follows up the implementation of recommendations accepted by management to improve the risk management and control environment.

The Internal Auditor will determine whether the risk management system is effective based on an assessment that:

- Organisational objectives support and align with the Trust's risk appetite;
- Relevant risk information is captured and communicated in a timely manner across the Trust;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align with the Trust's risk appetite.
5. Review

This policy will be reviewed regularly (at least every 3 years) to ensure that it remains fit for purpose and meets all current statutory requirements.

Version:                                  Date: 1 December 2016
Agreed by Audit & Risk Committee:         Date:
Approved by the Board of Trustees:        Date:
Next review date: December 2019
Appendix A: Risk Appetite Statement

When making a business decision (e.g. new investment, new project, reviewing policies) there is a need to understand the Trust's attitude to risk, dependent on the nature of the area (Risk Categories) that the decision could impact on.

A.1: Risk Appetite Map

The following table has been developed to identify the Trust's risk attitude in order to assist in the strategic planning process, as well as the on-going day-to-day management of the Trust's activities. Each risk category is mapped against the risk appetite scale:

RISK APPETITE: LOW (Averse) | MEDIUM (Minimalist / Cautious / Open) | HIGH (Hungry)

RISK CATEGORIES:

- Compliance Risk: Curriculum; Data protection; Employment; Environment; Fraud; Governance; Health & safety; Safeguarding
- Finance Risk: Accounting & budgetary control; Cash flow; Income; Pensions; Property & fixed assets; Procurement
- Operational Risk: Demand; HR - Management behaviours & capabilities; HR - Staff retention & succession; HR - Staff skills & competences; IT & management information; Suppliers
- Strategic & Reputational Risk: Academic excellence; Brand identity / reputation; Community engagement; Growth; Value for money
- External Risk: Macro-economic changes; Natural disaster
A.2: Risk Appetite Guidance

Averse (Zero Tolerance): The avoidance of risk and uncertainty is a key organisational objective. BPMAT example: Health & safety.

Minimalist (Minimal Tolerance): A preference for an ultra-safe organisation that selects delivery options which have a low degree of gross risk and limited potential for reward. BPMAT example: Governance.

Cautious (Balanced Tolerance): A preference for selecting safe delivery options with a low degree of net risk. They may therefore have only a limited potential for reward. BPMAT example: Property management.

Open (Enquiring Tolerance): Willing to consider all potential delivery options and choose the one that is the most likely to result in the successful delivery of objectives whilst also providing an acceptable level of net risk. BPMAT example: Growth.

Hungry (Entrepreneurial Tolerance): Eager to be innovative and to choose options offering potentially higher organisational rewards, despite these having greater inherent risk. BPMAT example: none.
Appendix B: Risk Rating

B.1 Scoring a risk

An identified risk should be summarised into a short descriptive title that succinctly describes the issue. The identified risk, for either a Strategic or Operational risk, needs to be measured with respect to its impact on the organisation and the probability of its likely occurrence. Guidance for the appropriate selection of an impact and probability score is given in the tables below.

Risk register entries, for either Strategic or Operational risks, will require:

- A gross risk score: the gross score of impact and probability is made before the consideration of organisational controls.
- A net risk score: the net risk score is made after the consideration of the controls that the Trust has put in place.

Impact Score (with impact values):

1 Insignificant (0 - 50,000): Lack of operational effectiveness / efficiency; budgetary issues that can be resolved within the Service.
2 Minor (50,001 - 100,000): Noticeable impact, but the Trust would remain on course to achieve priorities; localised reputational damage; budgetary issues that can be resolved within the Trust.
3 Moderate (100,001 - 250,000): Major impact on the direction of the Trust; long term regional damage to reputation; significant stakeholder concern with potential for legal intervention; major budget issue.
4 Major (250,001 - 500,000): Non-delivery of strategic plan; regulatory intervention; irretrievable breakdown of relationships with major stakeholders.
5 Catastrophic (> 500,000): Potential to threaten the existence of the Trust.

Probability Score (with probability of occurrence):

1 Rare (0% - 5%): It is unlikely that the event will occur in the next 12-24 months.
2 Unlikely (6% - 25%): It is possible that this event will occur within the next 12-24 months.
3 Possible (26% - 50%): There is a fair chance that this event will occur in the next 12-24 months.
4 Likely (51% - 75%): It is more likely than not that the event will happen in the next 12-24 months.
5 Almost Certain (> 75%): Unless immediate action is taken, the event will almost certainly occur within the next 12-24 months.
B.2: Risk Rating Matrix

A standard 5 x 5 matrix has been adopted by the Trust for interpreting the risks it faces. The matrix is colour coded to reflect the potential impact of the risk on the organisation and the potential response that is required. All risks in the top right hand corner (Red) are deemed to be the main exposures facing the Trust. These need to be managed, and the aggregate impact of their potential occurrence needs to be effectively mitigated. Failure to mitigate these will render the Trust as being high risk. Care is required not to lose sight of the high impact, low probability risks at the bottom right of the matrix. Such risks may only occur once in a generation, but if left unprotected, their incidence may cause the Trust to fail.

The risk score in each cell is the impact score multiplied by the probability score:

PROBABILITY                          IMPACT
                   Insignificant  Minor  Moderate  Major  Catastrophic
                         1          2       3        4        5
Almost Certain  5        5         10      15       20       25
Likely          4        4          8      12       16       20
Possible        3        3          6       9       12       15
Unlikely        2        2          4       6        8       10
Rare            1        1          2       3        4        5

Risk Score 15-25, Risk Rating High: Immediate action required, including cost benefit analysis / as reasonably practical analysis, followed by a decision to progress action or authorisation to tolerate the risk at this level.

Risk Score 8-14, Risk Rating Medium: Incorporate improvement actions into existing management & planning processes / monitor & review.

Risk Score 1-7, Risk Rating Low: Limited action & review to be taken / consider relaxing the current level of controls if not proportionate.
B.3: Risk Treatment Guidance

In addition, the Trust uses 4 standard terms to classify its stance regarding the treatment of individual risks:

Tolerate - The ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained. This course of action is common for large external risks. In these cases the response may be toleration, but the risk should be tracked so managers are ready to reconsider should it start to escalate.

Treat - By far the majority of risks will be in this category. The purpose of taking action to reduce the chance of the risk occurring is primarily to contain it to an acceptable level rather than mitigate it entirely. Risk responsibility will be at the most suitable part of the management chain. It is important to decide what criteria will result in the risk being passed up the management chain.

Transfer - For some risks, the best response may be to transfer them. This might be done by conventional insurance or by supporting a third party to take the risk in another way.

Terminate - The risk may be removed by doing things differently or by exiting a particular activity, thus removing the risk.