Professional Documents
Culture Documents
Purpose
8.1 This document sets out the organisation’s Risk Management Policy and
includes:
• Relative responsibilities;
8.1 It has been approved by the Director, Chief Executive and the Director’s
Board.
8.1 The improvements and benefits which effective Risk Management should
provide are:
Definitions
8.1 The definition of risk reflects that already in circulation and used by
business units at the operational level for Control & Risk Self-Assessment
reviews and by Internal Audit Services for their internal audit reviews.
8.1 The principles contained in this policy and strategy will be applied at both
corporate and operational levels within the organisation.
8.1 The organisation’s Risk Management Policy and Strategy will be applied
to all operational aspects of the Organisation and will consider external
strategic risks arising from or related to our partners in the Criminal Justice
System, other government departments and the public, as well as wholly
internal risks.
8.1 All risk management activity will be aligned to corporate aims, objectives
and organisational priorities, and aims to protect and enhance the
reputation and standing of the organisation.
8.1 Risk analysis will form part of organisational strategic planning, business
planning and investment/project appraisal procedures.
8.1 Our risk management approach will inform and direct our work to gain an
assurance on the reliability of organisational systems and will form the key
means by which the Board gains its direct assurance.
8.1 Managers and staff at all levels will have a responsibility to identify,
evaluate and manage or report risks, and will be equipped to do so.
8.1 We will foster a culture which provides for spreading best practice, lessons
learnt and expertise acquired from our risk management activities across
the organisation for the benefit of the entire organisation.
8.1 The aim is to anticipate, and where possible, avoid risks rather than
dealing with their consequences. However, for some Key areas where the
likelihood of a risk occurring is relatively small, but the impact on the
organisation is high, we may cover that risk by developing Contingency
Plans, eg. our Business Continuity Plans. This will allow us to contain the
negative effect of unlikely events which might occur.
8.1 We also recognise that some risks can be managed by transferring them
to a third party, for example by contracting out, Public Private Partnership
arrangements, or possibly, but unlikely for our organisation, by insurance.
Responsibilities
8.1 All personnel have a responsibility for maintaining good internal control
and managing risk in order to achieve personal, team and corporate
objectives. Collectively, staff in business units need the appropriate
knowledge, skills, information and authority to establish, operate and
monitor the system of internal control. This requires an understanding of
the organisation, its objectives, the risks it faces and the people we deal
with. Everyone should be aware of the risks they are empowered to take,
which should be avoided and which reported upwards.
8.1 The responsibilities of the Director, Chief Executive and the Director’s
Board; Operational/Business Unit Managers; the Audit Committee; and
Specialist Central Functions are set out in Appendix 2.
Risk Tolerance
8.1 The Director, Chief Executive and the Board encourage the taking of
controlled risks, the grasping of new opportunities and the use of
innovative approaches to further the interests of the organisation and
achieve its objectives provided the resultant exposures are within the
organisation’s risk tolerance range.
Acceptable risks
8.1.1 All personnel should be willing and able to take calculated risks to
achieve their own and the organisation's objectives and to benefit the
organisation. The associated risks of proposed actions and decisions
should be properly identified, evaluated and managed to ensure that
exposures are acceptable.
8.1 Subject to the conditions set out in Annex B to the Framework Document
specifying the principles governing the relationship between Headquarters
and the Area Offices, Area managers may take risk management
decisions on the basis of their delegated financial authority and the
devolved responsibilities set out in the Framework Document.
Risk Framework
8.1 The Board will maintain a current ‘Corporate Risk Profile’ as a basis for
implementing and monitoring the risk management activities. This profile
will include detail of the Impact and Likelihood of each of the risk
identified, indicate Ownership/Responsibility and specify an Action Plan
for treatment. This will be reviewed and updated half yearly. Progress of
the risk management programme will be a standing Board agenda item.
8.1 The use of this risk management approach should help to identify aspects
for detailed review within the Area (for example using Control & Risk Self-
Assessment) and inform and support the Area/HQ Directorate Annual
Certificate of Assurance.
8.1 The Corporate Risk Profile will inform Internal Audit Services of the work
necessary to provide the annual assurance. For the corporate risks
identified by the Board, IAS will evaluate the effectiveness of the existing
controls and risk management responses. The IAS assurance will include
an assessment of the reliability and effectiveness of the organisation’s
overall Risk Management arrangements.
Appendix 1
RISK MANAGEMENT is the culture, processes and structure that are directed
towards the effective management of potential opportunities and threats to the
organisation and its contribution to the public sector.
2. The Board is responsible for ensuring that corporate risks are properly
managed and will require evidence that risk is being managed, and results
are properly measured. Other Board responsibilities are: