Policy and Procedures
Doc. No. | 13 | Version No. | 1 |
Last Reviewed | Approved By | ________________ On behalf of Board | |
Next Review | Responsibility | (Manager) |
Table of Contents
2.3 Analyse and Evaluate the Risks
2.3.1 Step One – Score the Likelihood
2.3.2 Step Two – Score the Possible Impact
2.3.3 Step three: Calculate the Risk Level
2.4 Manage/Control the Risks
Appendix A: Stakeholder and Other Risk Factors Form
Appendix B: Risk Register and Management Plan
1. Policy
1.1 Policy Statement | Twilight Community Group recognises that the nature of our activities and the environment in which we operate expose us to risks that have the potential to impact or harm our staff, community, stakeholders, reputation, finances, operation and the success of our organisation. It is our policy to adopt best practice in the identification, analysis, evaluation, control, monitoring and review of risks to ensure that they are avoided, reduced, shared or accepted. To ensure this, we will:
- Embed full and effective consideration of risk within the planning and management of new and existing activities across the organisation.
- Engage with our stakeholders and use our knowledge and understanding to identify our risks.
- Determine the level of risk for our organisation by considering the likelihood and impact of identified risks. Risks will be ranked in order of importance.
- Ensure that acceptable net risk thresholds are clearly defined and managed.
- Effectively manage risk to ensure that our objectives, goals and purpose are achieved.
- Create and maintain a risk register and management plan.
- Monitor and review the risk register on a regular basis.
- Put a contingency plan in place in case of a severe business disruption.
1.2 Purpose | To provide a risk management framework to ensure levels of risk and uncertainty are identified and managed in a systematic, structured way, so that any potential threat to the delivery of our service is appropriately managed and completed successfully. |
1.3 Scope | All operational activities and staff, Board members and volunteers involved in the delivery of those activities. |
1.4 Responsibilities |
Board
- Determining the appropriate level of risk that the organisation is willing to accept.
- Ensuring that the organisation has effective risk management in place.
- Delegating authorities and responsibilities.
- Approving the completed Risk Management Policy.
- Approving the Risk Register and Management Plan.
- Agreeing the risk appetite having regard for the environment in which the organisation operates.
- Reviewing the ongoing effectiveness of the risk management process in achieving the organisation’s objectives.
- Reviewing the organisation’s risk profile against its agreed strategy, ensuring that they are aligned and within the agreed risk appetite.
- Providing direction on the development of the criteria to use in analysing and ranking the impact of identified risk areas.
- Identifying, analysing and evaluating risk associated with strategies and activities.
- Advising on the level of risk acceptable to the organisation.
- Monitoring and reviewing the effectiveness of the risk management environment.
Manager
- Ensuring the development of the risk management policy and procedures and the risk register and management plan.
- Ensuring the development of a reporting mechanism for all ‘critical’ and emerging risks.
- Developing operational policies for dealing with and reporting identified risk situations and status changes.
- Developing a culture of risk awareness – risks as innovation and strategic opportunity.
- Ensuring that the risk management policy and procedures are understood and effectively communicated to staff and internal volunteers.
- Ensuring staff are consulted in respect of risk management issues.
- Ensuring all activities under their supervision are performed in accordance with the Risk Management Policy and Procedures.
- Ensuring risk management procedures are effectively applied.
Staff
- Being aware of those aspects of the risk management system that are immediately relevant to their jobs.
- Complying with all policies and procedures and communicating any breaches promptly and accurately to management.
- Reporting any real or perceived risks to the health, safety and working environment of themselves, their colleagues or associated stakeholders.
- Reporting any real or perceived risks that may significantly affect the performance or reputation of the organisation or that may leave it exposed to legal or regulatory action.
- Looking for opportunities to improve operational efficiencies, optimise outcomes and minimise risk.
- Undertaking their part in the actions and requirements of risk action and mitigation plans.
2. Procedures
Doc. No. | 13.1 | Version No. | 1 |
Last Reviewed | Approved By | ||
Next Review | Responsibility | ||
Procedure Title | 2.1 Analyse the Context | ||
Purpose | To consider the environment in which the organisation operates and to establish the context in which risk management will take place. | ||
Responsibility | Board, All Staff | ||
Procedure | The manager consults with all internal stakeholders and convenes a risk assessment board group. The group convenes and will consider the following:
- The organisation’s purpose and objectives and what it takes to achieve them.
- The structure and key activities that affect the way the organisation operates.
- Who the internal and external stakeholders are and the potential impact any change in their contribution might have.
- The risk factors associated with stakeholders and activities. Questions to help identify risk factors:
  - What relationships do you have that are necessary for your organisation to operate successfully?
  - What relationship does the organisation have with those stakeholders?
  - What do they contribute and how important are they?
  - How do those stakeholders affect or influence your organisation’s achievement of its purpose and objectives?
  - What changes or trends may affect your stakeholders or your operation?
  - What perceptions do your external stakeholders have about your organisation and your activities?
  - What are your contractual relationships and obligations with your stakeholders?
  - What legislation, regulations, rules or standards apply to the organisation?
- The risk categories associated with the organisation’s strategic and operational activities. Common risk categories include:
  - Governance
  - Human Resources
  - Reputation
  - Finance
  - Legal
  - Technology
  - Health and Safety
  - Compliance
The group completes the Stakeholder and Other Risk Factor Form.
Records | Record of Meetings, Stakeholder and Other Risk Factor Form |
Doc. No. | 13.2 | Version No. | 1 |
Last Reviewed | Approved By | ||
Next Review | Responsibility | ||
Procedure Title | 2.2 Identifying the Risks | ||
Purpose | To identify and rate organisational risks. | ||
Responsibility | Risk Assessment Group | ||
Procedure | Give all participants in the group a copy of the stakeholder and other risk factors form.
Ask participants to consider the risk factors on the form, one at a time. For each risk factor, group members should consider the following questions:
- What could go wrong in relation to this risk factor?
- Has it happened before, and what did we learn?
- What is already in place to mitigate against this risk?
- What could change in relation to each risk factor?
- What could harm people?
- What legal obligations could we be at risk of breaching?
- What might a natural event or disaster mean?
- What might affect our assets or systems?
Make decisions about which factors are potential risks.
Write each risk on to the risk register and management plan under the identified category.
For each risk identified, record the possible consequences for the organisation if it were to happen on to the risk register and management plan.
Records | Record of Meetings, Risk Register and Management Plan |
Doc. No. | 13.3 | Version No. | 1 |
Last Reviewed | Approved By | ||
Next Review | Responsibility | ||
Procedure Title | 2.3 Analyse and Evaluate the Risks | ||
Purpose | To establish the probable Impact of the risk on organisational objectives. | ||
Responsibility | Risk Assessment Group | ||
Procedure | Analyse the risks in terms of likelihood and impact using the following steps:

2.3.1 Step One – Score the Likelihood
Consider the likelihood that each risk identified may occur, using the criteria below to support consistency of the score. Record the level under the column heading Likelihood (“L”) on your Risk Register and Management Plan.

Likelihood Criteria
The following applies when considering the likelihood of the event taking place:
- Remote – The event may only occur in exceptional circumstances.
- Unlikely – The event will probably not occur.
- Possible – The event might or could occur at some time.
- Likely – The event will probably occur in most circumstances.
- Highly Likely – The event is expected to occur in most circumstances.

2.3.2 Step Two – Score the Possible Impact
Consider the possible impact that each risk identified may have, using the criteria below to support consistency of the score. Record the level under the column heading Impact (“I”) on the Risk Register and Management Plan.

Impact Criteria
The following applies when considering the impact of the event taking place:
- Insignificant – Low level impact with negligible consequences on the objectives that can be controlled by routine management procedures.
- Minor – The consequences would threaten the efficiency or effectiveness of achieving some aspects of the objectives, requiring management effort to minimise impact.
- Moderate – A significant/medium potential of affecting the achievement of the objectives with moderate financial loss or medium-term loss of some essential infrastructure/data.
- Major – A very high potential to impair the achievement of GGA’s aim or activity objectives (major financial loss or political impact, significant occupational health, safety and welfare incident/s, long-term loss of some critical infrastructure/data).
- Catastrophic – An extreme potential to threaten the sustainability of activities (huge financial loss or political impact, very serious occupational health, safety and welfare incident/s, permanent loss of critical infrastructure/data).

2.3.3 Step three: Calculate the Risk Level
Use the risk matrix below to determine the overall risk level for each risk. For example, a risk with a likelihood score of 3 and an impact score of 2 achieves a risk level of acceptable.

2.3.4 Risk Matrix
Risk Matrix – Acceptable “Net Risk” after mitigating action has been taken.

Impact | Score | Remote | Unlikely | Possible | Likely | Highly Likely |
| | 1 | 2 | 3 | 4 | 5 |
Catastrophic | 5 | | | | | |
Major | 4 | | | | | |
Moderate | 3 | | | | | |
Minor | 2 | | | | | |
Insignificant | 1 | | | | | |

Legend
- Acceptable
- Marginal – Activities considered marginal can only be undertaken after detailed scrutiny and with the approval of the Board. Marginal activities include: Catastrophic, considered unlikely. Major, considered possible or likely. Moderate, highly likely.
- Unacceptable

Record the scores and the overall “Gross Risk” level on the Risk Register and Management Plan.
Discuss the actions to be taken to mitigate against each risk and record on the Risk Register and Management Plan.
Record the scores and the overall “Net Risk” level on the Risk Register and Management Plan.
When you have rated all your risks, prioritise the highest rated risks and sort them in order of importance to your organisation. Present to the Board/Steering Committee for review.
Records | Record of Meetings, Risk Register and Management Plan |
Doc. No. | 13.4 | Version No. | 1 |
Last Reviewed | Approved By | ||
Next Review | Responsibility | ||
Procedure Title | 2.4 Manage/Control the Risks | ||
Purpose | To identify the appropriate response to managing/controlling the risk. | ||
Responsibility | Risk Assessment Group | ||
Procedure | Consider one of the following four options to manage a risk:
- Avoid the risk
- Reduce the risk
- Share the risk
- Accept the risk

2.4.1 Avoid the Risk
Avoiding a risk is considered when the consequence of a risk is too much to accept and it cannot easily be reduced or shared. Avoiding might involve:
- Not undertaking the activity that would create the risk.
- Engaging in an alternative activity.
- Removing the source of the risk.
Note: If a decision is to avoid the risk, consider what the potential consequences of that decision are for the organisation.

2.4.2 Reduce the Risk
Exposure to risk may be limited by reducing or controlling the likelihood of an event occurring. The following may reduce or control the likelihood of an event occurring:
- Policies and Procedures
- Internal and External Audits
- Contractual Conditions
- Project Management
- Preventive Maintenance
- Continuous Quality Improvement Activities
- Adherence to Quality Standards
- Technological development
- Structured Training
- Support and Supervision
Preparations to reduce, control or mitigate the impact of an event can aid in making a particular risk more acceptable. The following may reduce or control the impact of an event occurring:
- Contingency Planning
- Contractual Conditions
- Financial Control Planning
- Minimisation of Exposure to Sources of Risk
- Separation or Relocation of an Activity and Resources
- Reserving Resources
- Public Relations
Note: These lists are not exhaustive or exclusive – there may be other options.

2.4.3 Share the Risk
The following should be considered for sharing risk:
- Using a third party to complete a specialist or difficult activity. (Any third party needs to be competent and suitably qualified.)
- Using insurance. (Check that the insurer and insurance policies are suitable and will cover specific risks.)
- Limiting liability by using waivers and disclaimers.
- Partnerships or Joint Ventures.
Note: Legal or regulatory risks cannot be shared. Waivers and disclaimers cannot be used to avoid statutory obligations. Seek legal advice when developing and intending to rely on waivers or disclaimers.

2.4.4 Accept the Risk
The acceptable net risk (i.e., the risk level after mitigation measures have been put in place) threshold for risks is described as follows:
- We will not undertake any activities that would have a catastrophic impact on the organisation unless the likelihood of occurrence is considered to be at worst unlikely after mitigation measures have been taken.
- We will not undertake any activities that would have a major impact and are highly likely to occur after mitigation measures have been taken.
- Activities considered marginal (highlighted in amber on the matrix) can only be undertaken after detailed scrutiny and with the approval of the Board. Marginal activities include:
  - Catastrophic risks where the likelihood of occurrence is considered unlikely.
  - Major risks where the likelihood of occurrence is considered possible or likely.
  - Moderate risks where the occurrence is considered highly likely.
- Activities highlighted in yellow, green or blue on the risk matrix are considered acceptable.

Questions to assess risk management options:
- How adequate are our current ways of managing this risk?
- Is more than one option necessary to reduce the risk to an acceptable level?
- Does the option reduce the risk but also reduce our opportunities?
- How do the costs of an option weigh up against its benefits?
- Does the option fit with the expectations of stakeholders?
- Has the risk been reduced to an acceptable level?

Assign responsibility for carrying out mitigating actions and set timelines for completion. (Document these on the Risk Register and Management Plan.)
Complete the Risk Register and Management Plan and submit to the board for approval.
Records | Record of Meetings, Risk Register and Management Plan |
3. Monitoring and Review
Monitoring and Review | The risk management policy and risk register and management plan will be systematically reviewed to ensure they are adequate, suitable and effective. The board/Steering committee will review this policy every three years or sooner if required. In addition, they will review and sign off on the risk register and management plan and monitor the implementation of actions identified in it at regularly scheduled meetings. The risk assessment group will meet annually, or sooner if required, to review the risk register and management plan and procedures. They will provide a report to the Board/Steering committee at the next scheduled meeting. Should an unexpected incident or event associated with identified risks occur, the risk assessment group will meet to discuss and update the risk register and management plan as required. The manager will have responsibility for monitoring activities on a day-to-day basis. Regularly scheduled staff meetings will provide an opportunity for staff to highlight an issue. The manager will report to the Board/Steering committee at regularly scheduled meetings. |
Records | Record of Meetings, Risk Register and Management Plan. Document Control Matrix. |
Appendix A: Stakeholder and Other Risk Factors Form
Identify all the internal and external people, organisations and other factors that are involved in, influence, or contribute to the organisation’s operation and achievement of objectives. | ||||
Who is the stakeholder and what do they do? | Are they internal or external? | What is the relationship, contribution or influence of this stakeholder or factor and why does it matter? | What could go wrong? | What would the impact be if the relationship or contribution changed or something went wrong? |
Staff/Volunteers of TCG | Both | Staff of TCG – fundamental to day-to-day running of service | Experienced staff could leave employment; Sickness, Covid-19 | Loss of experience and skills; Staff shortage |
DRCD | External | Main funding source for TCG | Funding reduced | Reduction in staff hours; Reduction in staff pay; Closure of Twilight Community |
Service users (Volunteers and VIOs) | External | Principal service users of TCG | Poor experience of TCG service | Reputation of TCG tarnished; PR crisis |
Landlord | External | Provider of premises for TCG | Lease not renewed | Need to locate new premises accessible to the public; Increase in rent and overheads |
Board members | Internal | The smooth everyday running of TCG | Retirement of Board members | The experience, knowledge and skill will be lost. |
CRO | External | TCG needs to be always compliant with both the Charities Regulator and Companies Registration Office | Non-compliance | Non-compliance audits / bad reputation / fines |
Appendix B: Risk Register and Management Plan
Risk Register and Management Plan
# | Description/Risk Area | Gross Risk L | Gross Risk I | Gross Risk S | Mitigating Actions Taken | Responsibility | When | Net Risk L | Net Risk I | Net Risk S | Action taken if risk materialises |
Governance | Governance code | ||||||||||
1 | Governing body lacks relevant skills and commitment | Possible | Major | 7 | Board members recruited according to key skills; Skills audits carried out regularly; Board handbook; Clear role descriptions provided to Trustees | Trustees | Ongoing | Unlikely | Minor | 4 | Recruit additional board member with relevant skills / commitment if needed |
2 | Conflicts of Interest are not managed | Possible | Moderate | 6 | Conflict of Interest Policy; Declaration of Interest form completed annually at AGM; Register of Interests kept | Trustees and Manager | Ongoing | Unlikely | Moderate | 5 | Board member with Conflict of Interest will not take part in decision making relating to their interest as outlined in C of I policy |
3 | Organisation lacks direction and forward planning | Unlikely | Major | 6 | Strategic Plan 2021-2022; Annual Workplan drawn up annually; Finances of KVC monitored; Feedback sought from stakeholders to inform planning and operations | Managers, Trustees | Ongoing | Remote | Minor | 3 | Board will revisit governing document and strategic plan to ensure TCG has a clear direction moving forward |
4 | Loss of key trustees | Likely | Major | 8 | Succession planning; Board handbook outlining time commitment and terms of office; Ensuring adequate notice period and handover | Trustees | Ongoing | Possible | Moderate | 6 | Strategically recruit new board member with key skills; Provide adequate induction; Facilitate handover |
5 | Accuracy and relevance of reporting to governing body | Possible | Moderate | 6 | Ensure timely and accurate reporting to board; Regular board meetings; Regular contact between manager and board; Timely and accurate financial reporting; Adequate strategic planning in place | Manager, Trustees | Ongoing | Unlikely | Minor | 4 | Skills audit and retraining of board members; Retraining and appraisal of TCG manager |
Finance | |||||||||||
6 | Cash flow issues | Possible | Major | 7 | Projected cash flow statements annually which are monitored by board at each board meeting; Reserves; Financial management policy; Ensure adequate information flow and monitoring / reporting mechanisms | Manager, Board | At each board meeting | Unlikely | Moderate | 6 | Use of reserves; Review of financial procedures; Review and revise reporting mechanisms |
7 | Dependency on one source of income | Likely | Catastrophic | 9 | Reserves policy; Ensure funding diversification e.g. training, Garda Vetting | Manager, Board | Ongoing | Possible | Major | 7 | Use reserves funding; Utilise funding raised from training, Garda Vetting and other projects |
8 | Lack of financial skills in the governing body | Possible | Moderate | 6 | Board members recruited in accordance with key skills; Board Handbook outlines roles and responsibilities; Training for board on regular basis | Board | When needed | Unlikely | Moderate | 5 | Additional board members with relevant skills recruited through targeted recruitment drive |
9 | Fraud or Error | Unlikely | Major | 6 | Financial management policy in place with authorisation limits in place; Reserves policy; Expense policy; Adequate insurance in place | Board, Manager | When needed | Unlikely | Moderate | 5 | Full review of circumstances; Re-evaluation of financial management policies and procedures |
Reputation | |||||||||||
10 | Complaint by service user (Volunteer / VIO) | Possible | Moderate | 6 | Complaint Policy and Complaints resolution protocol; Use of Service Policy; Policies in place to make sure that the Community is compliant with all the procedures | Manager, Board | Ongoing | Unlikely | Minor | 4 | Complaints procedure will be followed and complaint fully investigated; No comments will be made publicly until complaint fully investigated; If complaint upheld about volunteer / VIO – TCG service will be withdrawn as per Use of Service policy |
11 | Public trust in charity sector low | Possible | Moderate | 6 | Audited annual accounts and annual report published to demonstrate transparency; Communications plan in place to increase transparency | Manager | | Unlikely | Moderate | 5 | Accounts and work report will be made available on our website and TCG will stress how organisation is fully transparent and compliant with all regulatory requirements |
12 | TCG name brought into disrepute | Unlikely | Major | 6 | Communications policy and strategy in place | Manager, Board | | Unlikely | Minor | 4 | Board will be informed of any potential crisis and will lead on any communications to the public on the situation |
Legal | |||||||||||
13 | Lack of compliance with legislation and regulation | Unlikely | Major | 6 | Responsibility for compliance allocated to Officers on Board; Audited accounts as per CRO requirements; Compliance with Governance Code; Annual returns filed with CRO; GDPR policy in place; Health and Safety in Workplace policy; Equality and Diversity policy; Anti-Bullying and Harassment policy; Contracts and Employee handbook; Insurance policy in place; Safeguarding and Under 18’s policy in place | Manager / Board of Directors | Yearly | Unlikely | Moderate | 5 | Board notified of all compliance issues; Board investigates circumstances; Seek and access professional advice if required; Staff of TCG to follow relevant procedures as outlined in operational policies |
Health and Safety | |||||||||||
14 | Risk to health and safety of staff | Possible | Major | 7 | Health and Safety policy in place; Lone Working policy and procedures in place; Driving for Work policy; Insurance policy | Manager, Board | Ongoing | Possible | Minor | 5 | All health and safety issues brought to attention of manager who will notify board; Incident reports completed; Procedures reviewed in light of incident |
Human Resources | |||||||||||
15 | Staff performance issues | Possible | Major | 7 | Staff appraisals and monthly meetings; Staff recruitment, management, and development policy in place; Robust training procedures for staff | Manager, Board | Ongoing | Possible | Moderate | 6 | Performance issues raised during appraisals; Staff offered additional training and support; Protocol followed as per staff handbook |
16 | Low morale and high staff turnover | Possible | Moderate | 6 | Staff appraisals and monthly meetings; Staff recruitment, management, and development policy and procedures in place; Effective feedback systems; Training and team building days | Manager, Board | Ongoing | Unlikely | Minor | 4 | Exit interviews; Board kept apprised of staff feedback / issues; Review relevant policies and procedures to address issues |
Technology | |||||||||||
17 | Breakdown / Out of Date equipment | Possible | Major | 7 | Technology serviced regularly by a support team and updated when needed; Reserves to deal with unforeseen expenses; All information backed up and saved to SharePoint | Manager / Board of Directors | Ongoing | Possible | Moderate | 6 | Reserve funds used to update technology; Review of current systems |
18 | Cyber security threat | Possible | Catastrophic | 8 | All technology is firewalled and password protected; Cyber security policy in place | Manager / Board of Directors | Ongoing | Unlikely | Catastrophic | 7 | Review of current systems; Data Commissioner notified if personal data is breached |
Environmental | |||||||||||
19 | Covid-19 | Possible | Major | 7 | Covid-19 Response Plan in place; Return to Work Safely protocol in place; PPE and sanitisation equipment provided | Manager / Board | | Unlikely | Major | 6 | Any incidents recorded in incident report; Board notified; Current policies / procedures reviewed in light of incident |