Risk Management Policy
Introduction
Absolute Ideas s.r.o. encounters numerous risks that could affect any aspect of its administrative or commercial business activities and it recognises that the management of risk is vital to ensure the Company is able to achieve its operational aims and strategic objectives.
The Risk Policy identifies a consistent approach towards risk across the institution, defines the responsibilities of senior managers and the Governing Body and outlines risk assurance and risk management processes.
The Risk Policy is designed to enable Absolute Ideas s.r.o. to:
- minimize the likelihood and consequence of threat risks and
- maximize the likelihood and benefit of taking opportunity risks through prioritized and targeted risk mitigation to ensure efficient and effective use of resources.
Aims of the Policy
- To outline the Company’s underlying approach to risk assurance;
- To document the roles and responsibilities of the Board of Directors, the Chief Executive Officer and other key committees and individuals;
- To outline key aspects of the risk management process;
- To identify the main reporting framework and procedures.
Definition of Risk Management
Definition of risk
Absolute Ideas s.r.o. defines risk as the possibility of an uncertain event, action or set of circumstances which, if it occurred, would have a material adverse or beneficial effect on the likelihood of achieving the Company, Business, Professional Service or project objectives.
The Company’s intention is not to eliminate risk from its activities, but rather to enable managers to mitigate and manage it appropriately, within the established risk appetite of the Company.
What is Risk Management?
Risk management is the planned and systematic approach to identifying, analyzing, evaluating and treating risks at all levels of the organization.
Risk management involves determining the acceptable level of exposure to risk, which enables the achievement of the Company objectives whilst achieving a balance between the level of risk exposure and the cost of mitigating actions. Risk management is a process which provides assurance that:
- objectives at all levels are more likely to be achieved;
- damaging events are less likely to occur;
- beneficial events are more likely to occur.
The Company’s approach to risk management supports the Chief Executive Officer and Professional Services Departments in determining actions for prioritization. The approach is aligned to the development and delivery of the Company’s Strategy, Strategic Programmes and Professional Service Planning.
Levels of risk identified at the Company
- Strategic risks – risks that affect the institution as a whole and the delivery of strategic objectives;
- Tactical risks – risks related to achieving functional objectives;
- Operational risks – risks that are related to the delivery of departmental operations;
- Strategic programmes and their project outcomes – risks associated with, usually, time-limited activities and medium- to long-term delivery of benefits.
The Company also distinguishes between threat risks and opportunity risks.
Roles and Responsibilities
Overall responsibility for risk management within Absolute Ideas s.r.o. lies with the Chief Executive Officer, with responsibility for implementation delegated to the Chief of Staff and Clerk to the Board of Directors / Head of Policy and Strategy.
It should be noted that risk management is the responsibility of everyone at the Company, not just a small number of named individuals. The Company maintains a register of strategic risks and tactical risks that informs the assessment of risk, which is integrated into the planning and budgeting process.
Role of the Board of Directors
The Board of Directors is accountable for ensuring there is an effective and proactive system of risk management in place by which risks are rigorously assessed, understood and effectively managed across the organization. It does this by approving the framework within which risk management is conducted and is advised by the Audit, Risk and Assurance Committee on the effectiveness of the framework and its operation.
Through approving the Risk Policy, the Board of Directors sets the tone and influences the culture of risk management within the Company. This includes determining:
- the risk attitude of the Company – understanding the present and foreseeable context to determine how open to risk the Company should be;
- the ‘risk appetite’ in relation to specific strategic risks – the evaluation of the strategic risks via the Audit, Risk and Assurance Committee also provides a regular review of the Company’s risk tolerance;
- what types of risk are acceptable and which are not;
- the standards and expectations of staff with respect to conduct and probity in relation to risk management.
The Board of Directors is also responsible for:
- determining the appropriate level of risk exposure for the Company;
- taking major decisions affecting the Company’s risk exposure;
- monitoring the management of strategic risks;
- assuring itself that tactical risks (Business, Professional Service and Strategic Programme) are being actively managed, with appropriate and effective controls in place;
- reviewing the Company’s Risk Policy biennially to ensure it remains fit for purpose.
Role of the Chief Executive Officer
The Chief Executive Officer is accountable for:
- ensuring that strategic risk descriptions, and tactical risk descriptions for which they are responsible, are maintained;
- implementing policies on risk management and internal control within the areas for which they are responsible to ensure risks are managed effectively;
- identifying and evaluating the strategic risks faced by the Company – including the financial and non-financial implications of those risks – as part of its ongoing management activity, for consideration by the Board of Directors;
- providing adequate information in a timely manner to the Board of Directors and its committees on the status of risks and controls;
- undertaking a review – at least annually – of the effectiveness of the system of internal control and providing a report to the Audit, Risk and Assurance Committee.
The Chief Executive Officer is accountable for risk management at the Company.
The Chief of Staff and Clerk to the Board of Directors / Head of Policy and Strategy is accountable for the day-to-day operation of risk management.
Role of Risk Owners
Each risk has a risk owner. The risk owner is accountable for:
- ensuring the delivery of mitigating actions;
- keeping the risk description up to date;
- reporting on progress at least every 4 months to align with the Audit, Risk and Assurance Committee reporting cycle;
- the escalation of risks through agreed channels:
- for project risks, through the project governance process;
- for tactical/operational risks, through the line manager/senior manager/Chief Executive Officer member, as appropriate.
Role of the Senior Management Team
The Senior Management Team is responsible for:
- Ensuring the incorporation of risk into Strategic Planning and Business and Service Planning;
- Recommending, where appropriate, the escalation of tactical risks onto the strategic risk register.
Role of the Head of Business Resilience
The Head of Business Resilience is responsible for:
- Implementation of the risk management procedures
Approach to risk management
Risk and Internal Control
The system of internal control is closely related to the planning and budgeting process and is designed to manage and mitigate the risk of failure to achieve policies, aims and objectives in an efficient, effective and economic manner. Elements of this system include:
Policies
Policies that underpin the internal control process are in place for significant risks. The policies are approved by the Board of Directors, implemented by the Chief Executive Officer and are supported by written procedures where appropriate.
Reporting
Reporting arrangements through senior line management are designed to monitor key risks and their controls. Decisions to rectify problems are made by the member of the Chief Executive Officer with responsibility for the risk, with reference to other staff and the Company committees and the Board of Directors as and where appropriate to do so.
Risks associated with major Company projects will be managed through the appropriate project boards adopting project management methodologies in line with the project management framework and have a distinct section within the risk management procedures document.
The strategic risk register is compiled by the Chief Executive Officer and reported to the Audit, Risk and Assurance Committee. The document is discussed in full at least every 4 months in line with the Audit, Risk and Assurance Committee reporting cycle, and presented to each meeting of the Committee. Emerging risks are added as required, and improvement actions and risk indicators are monitored on an ongoing basis through line management structures.
Planning and Budgeting
The strategic planning and annual budgeting process is used to set key objectives in support of the Company’s strategic ambitions, priorities and enablers, agree action plans and allocate resources. As the Company Strategy is aligned to the risk context of the Company, the targets and actions set out in Business and Professional Service planning documents also mitigate the risks faced by the Company. The annual estimates (macro budget) presented to the Board of Directors contain an analysis of risks inherent in them and how these are mitigated.
Faculties and Professional Services have an essential role in the identification, assessment, treatment and on-going monitoring of tactical level risks.
Audit, Risk and Assurance Committee
Audit, Risk and Assurance Committee is required to report to the Board of Directors on internal controls and alert it to any emerging issues. The Audit, Risk and Assurance Committee oversees internal audit, external audit and management as required in its review of internal controls. The Committee has responsibility, delegated by the Board of Directors, for governor oversight of risk assurance, ensuring that the Risk Policy is appropriately applied. It directly monitors the management of the most significant risks to the Company, as recorded in the Strategic Risk Register.
Internal Audit
The Chief Financial Officer is the Chief Executive Officer member responsible for ensuring that an effective internal audit process is in place.
In addition to its programme of probity and value for money work, internal audit is responsible for aspects of the annual review of the effectiveness of internal control systems. The internal audit plan is guided by, but not limited to, the assessment of risks identified through the Company’s risk management procedures.
External Audit
The Chief Financial Officer is the Chief Executive Officer member responsible for ensuring that an effective external audit process is in place.
External Audit provides feedback to the Audit, Risk and Assurance Committee on the operation of internal financial controls reviewed as part of the annual audit.
Annual Review of Effectiveness
The Chief Executive Officer prepares a report of its review of the effectiveness of the internal control system annually for consideration by the Audit, Risk and Assurance Committee.
The Audit, Risk and Assurance Committee is responsible for reviewing the effectiveness of internal control of the institution, based on information provided by auditors, senior management and the Chief Financial Officer.
For each strategic risk, the Audit, Risk and Assurance Committee will:
- review the previous year and examine the institution’s track record on risk management and internal control;
- consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective.
In so doing, the Audit, Risk and Assurance Committee will consider:
- the Company’s objectives and its financial and non-financial targets;
- the Company’s performance in the timely identification, assessment and reporting of significant risks;
- prioritization of risks and the allocation of resources to address areas of high exposure;
- the effectiveness of the control environment.
Setting the Risk Attitude of the Company
The Board of Directors sets the risk attitude of the Company based on an assessment of current performance within the context of the Company’s operating environment including political, economic, societal, technological, legal and environmental factors. Risk attitude is reviewed annually by the Board of Directors, or following a significant event.
Risk attitude describes an organization’s overarching attitude to risk and establishes its capacity to tolerate an overall level of risk.
The Company uses a heat map to describe its risk attitude. A risk averse organization will present a heat map with more zones coloured red and amber, with less green. A risk aggressive organization will present a heat map with more green.
The capacity of an organization to tolerate risk is indicated by the green and yellow zones on the heat map. The more risks that are plotted within the red and amber zones, the more an organization is exceeding its capacity to tolerate risk.
If the risk attitude of the Company changes, the heat map will be updated to be either more risk averse or more risk aggressive. Risk owners will be required to establish the actions required to mitigate the risk to the level appropriate to within the revised heat map.
Risk Management Procedure
The Company’s risk management procedures are approved by the Chief Executive Officer.
Risk identification
The Company identifies and considers emerging risk through the following means:
- Senior Management engagement in internal and external networks
- Board of Directors meetings and Strategic Away Day
- Board of Directors Committee meetings
- Chief Executive Officer meetings
- Strategic Implementation Working Group
- The Company Management Groups
- Internal Audit reviews
- Deep dive strategic risk reviews
- Tactical risk updates
- Business and Professional Service exec meetings
- Escalation of operational risks
- Identification of risk by any individual at the Company
Risk Registers
The Company maintains several levels of risk registers:
Strategic Risk Register
The strategic risk register contains risks considered to be a threat or opportunity relating to the achievement of strategic objectives and is owned and reviewed by the Chief Executive Officer.
Tactical Risk Register
The tactical risk register contains risks considered to be a threat or opportunity relating to key functions of the Company. Risk owners are responsible for reviewing and updating tactical risks. The tactical risk register is reported to the Chief Executive Officer. Any tactical risks rated high or very-high risk are reviewed by the Chief Executive Officer.
Operational Risk registers
Operational risk registers contain risks considered to be a threat or opportunity relating to Business and Professional Service operational objectives. Operational risk registers are managed locally. Operational risks can be escalated to the appropriate Company management groups and, where necessary, on to the tactical risk register.
Programme and Project Risk Registers
Programme and project risk registers contain risks considered to be a threat or opportunity relating to strategic programmes and projects. Programme and Project risk registers are maintained by the appropriate project or programme board.
Risk Descriptors
All strategic and tactical risks must be adequately described using the risk descriptor template.
Threat Risks
Threat risk descriptors identify the significant threats that are likely to cause the risk to be realized. Current controls, control gaps and further actions are identified for each threat to achieve adequate risk mitigation within risk appetite.
Opportunity Risks
Opportunity risk descriptors identify the opportunities that need to be achieved to enable the benefits to be realized. Current controls, control gaps and further actions are identified to achieve adequate risk mitigation within risk appetite.
Risk Appetite
Each strategic and tactical risk has its own specific risk appetite statement, which is recorded on the risk descriptor. The risk appetite statements shape the extent of controls necessary to achieve the tolerable or target risk level. The target risk level relates to where on the heat map the risk must be mitigated to, which will vary depending on the risk attitude of the Company.
Risk appetite and accompanying risk appetite statements are reviewed annually (or following a significant event) by the risk owner.
If the risk appetite of the Company changes, risk owners will be required to mitigate the risk to within the updated risk appetite level.
Risk Scoring Methodology
The level of risk is quantified using the Company’s risk scoring methodology. The risk level is calculated by multiplying the likelihood score by the impact score to give a risk level between 1 and 25, which can be plotted on a heat map.
Scoring of risk likelihood
The risk descriptor is used to score the current likelihood of each significant threat or opportunity being realized (individually) based on the current level of controls, i.e., before further mitigations. The score from the highest scoring threat is used to set the overall risk likelihood level; this is to ensure that all significant threats are sufficiently mitigated before the risk level is reduced.
Scoring of risk impact and risk benefit
The risk impact or benefit is scored using a methodology incorporating the level of financial, operational and reputational impact or benefit that could be experienced taking into account the current level of controls.
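The scoring rules above (likelihood from the highest-scoring threat, multiplied by impact, plotted on a heat map whose zones move with the Company’s risk attitude and compared against the target level on the risk descriptor) as an added worked example; this is illustrative code, not the Company’s own tool. It assumes 1–5 scales, specific zone boundaries per risk attitude, and that the impact score is the maximum of the financial, operational and reputational scores, none of which the policy states.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Assumed 1-5 scales; the policy states only that likelihood x impact lies in 1..25.
VALID = range(1, 6)

# Assumed heat-map zone boundaries: inclusive upper bound of green, yellow and
# amber; anything above is red. A risk-averse attitude pulls the boundaries
# down (more red/amber), a risk-aggressive one pushes them up (more green).
ZONE_BOUNDS: Dict[str, Tuple[int, int, int]] = {
    "averse": (2, 5, 9),
    "neutral": (4, 9, 15),
    "aggressive": (6, 12, 19),
}

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # scored with current controls in place, before further mitigation

@dataclass(frozen=True)
class RiskDescriptor:
    title: str
    owner: str
    threats: Tuple[Threat, ...]
    financial: int      # impact dimensions named by the policy; the 1-5 scale
    operational: int    # and the max() aggregation in assess() are assumptions
    reputational: int
    target_level: int   # where on the heat map the risk must be mitigated to

def zone(level: int, attitude: str = "neutral") -> str:
    green, yellow, amber = ZONE_BOUNDS[attitude]
    if level <= green:
        return "green"
    if level <= yellow:
        return "yellow"
    return "amber" if level <= amber else "red"

def assess(risk: RiskDescriptor, attitude: str = "neutral") -> Dict[str, object]:
    scores = [t.likelihood for t in risk.threats]
    scores += [risk.financial, risk.operational, risk.reputational]
    if not risk.threats or any(s not in VALID for s in scores):
        raise ValueError("likelihood and impact scores must be integers in 1..5")
    # Policy rule: the highest-scoring threat sets the overall likelihood, so the
    # risk level cannot fall until every significant threat has been mitigated.
    driver = max(risk.threats, key=lambda t: t.likelihood)
    impact = max(risk.financial, risk.operational, risk.reputational)
    level = driver.likelihood * impact
    colour = zone(level, attitude)
    return {
        "level": level, "zone": colour, "driver": driver.name,
        "within_appetite": level <= risk.target_level,
        "exceeds_capacity": colour in ("amber", "red"),  # amber/red = beyond tolerance
    }

def with_mitigation(risk: RiskDescriptor, new_likelihoods: Dict[str, int]) -> RiskDescriptor:
    """Re-score after further actions reduce the likelihood of the named threats."""
    threats = tuple(replace(t, likelihood=new_likelihoods.get(t.name, t.likelihood))
                    for t in risk.threats)
    return replace(risk, threats=threats)

# Constructed sample descriptor (not taken from the policy).
SAMPLE = RiskDescriptor(
    title="Loss of availability of the customer platform", owner="Head of Business Resilience",
    threats=(Threat("Unpatched internet-facing services", 4),
             Threat("Single hosting region", 3), Threat("Key supplier failure", 2)),
    financial=3, operational=4, reputational=3, target_level=9,
)
```

Re-scoring `SAMPLE` after reducing only the driver threat to likelihood 2 still leaves the risk at 12 (amber) because the next threat now drives the likelihood, which is the behaviour the "highest scoring threat" rule is designed to enforce.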
Risk Assurance
Board Assurance Framework
A Board Assurance Framework is in place to ensure that assurance across the Company’s strategy, strategic risks and legislative/statutory requirements is captured appropriately through the responsibilities and business of the Board of Directors and its Committees.
Management Group and Committee oversight of all strategic and tactical risks
Each strategic and tactical risk is reported for discussion to an appropriate Company Management Group every four months prior to reporting to the Chief Executive Officer and Board of Directors Committee as appropriate.
Assurance reports
Necessary assurance reports have been identified for each strategic and tactical risk and these are recorded on each risk descriptor.
Key Risk Indicators (KRIs)
Key risk indicators are identified for each strategic and tactical risk and these are recorded on each risk descriptor. In most cases KRIs will align to relevant Corporate Scorecard indicators.
Update and review
Strategic and tactical risks are reviewed and updated every four months. Strategic risks are reviewed on a four-monthly basis by the Chief Executive Officer, to consider the adequacy of risk descriptions, the external assurance processes in place, and if any new risks have been identified. In addition, where significant changes occur on a more frequent basis, revisions to the strategic risks are recommended to the Chief Executive Officer for consideration and approval.
The Director of Professional Service or Chief Executive Officer is responsible for their risk register, but may delegate the maintenance of the register to another member of the management team.
Annual Deep Dive
On an annual basis a full review of strategic risks is held with the Chief Executive Officer, the risk owner, the Chief of Staff and Clerk to the Board of Directors and the Head of Business Resilience.
Internal Audit
The strategic and tactical risk registers are utilized to set the annual internal audit programme with the Company’s internal auditors.