FORUM HOUSING ASSOCIATION RISK MANAGEMENT

FORUM HOUSING ASSOCIATION

Forum Housing Association is fully committed to all principles of Equality and Diversity and takes an approach which recognises the importance of the nine Protected Characteristics covered by the Equality Act (Age, Disability, Gender Reassignment, Pregnancy and Maternity, Race, Religion or Belief, Marriage and Civil Partnership, Sex, Sexual Orientation). As a demonstration of our commitment, this policy and procedure has had an Equality Impact Assessment undertaken on it to ensure we offer a service and employment that is inclusive for all.

RISK MANAGEMENT POLICY

Risk is any event, action or inaction that prevents an organisation from maximising gain and / or achieving its plans / or impedes its performance and / or can cause it to incur loss.

Risk Management is the process, practice and corporate mindset that enables an organisation to maximise gain, achieve its plans, improve or sustain performance and minimise loss.

Forum Housing Association will manage its business in accordance with the Tenant Services Authority Standards and having regard to risk management reports and best practice publications.

Responsibility for the strategic direction and financial viability of Forum Housing Association lies with the Board, who will discharge their obligations in accordance and compliance with Governance documents and a framework of clearly defined policies and procedures. The Board will ensure that the Association's structure supports an approach, which ensures that sound internal controls to review effectiveness are in place.

Day-to-day management of the organisation is the responsibility of the Chief Executive and the Executive Team who, through delegated powers and authority, will ensure financial viability, deliver quality services, measure and monitor performance against corporate objectives, and provide sufficient resources to maintain operational capacity.

The Association's culture promotes appropriate risk taking as defined within the parameters of each job function within the Association. The risk management programme and plan will support the Association in meeting its business objectives as defined within the Business Plan and the Strategies.

In summary the Association's Risk Management Framework will focus on the identification, evaluation and assessment of risk; the measures to minimise or eliminate risk and the procedures and controls to manage risk.

PROCEDURES

1. Responsibilities

Board has ultimate responsibility for the control and direction of the business and will:

- Designate specific responsibility to the Association's Risk and Audit Committee for the direction of this area.
- Undertake an annual evaluation, review and appraisal of risk, which shall result in the compilation of findings the Board's response.
- Publish an annual review of the Association's effectiveness with a statement regarding business risk in the Association's Annual report.
- Receive regular reports from the Executive Team and other senior officers.
- Monitor performance and compliance with 'best practice', Performance Standards and good Governance.

The Chief Executive and the Executive Team will be responsible for the management of major risks and ensuring that risks are responded to in an appropriate manner; that new and potential risks are identified, evaluated and reported on; that risks are monitored and the Board appraised of changes to the risk environment.

Service Managers will be responsible for the day-to-day management of operational risks and the supervision of staff involved in related activities. The Association structure ensures that clear reporting lines are in place.

All Association staff will conduct their duties within the agreed framework, which shall include: their job description, their agreed objectives and the Association's policies and procedures. Association staff will work within the agreed parameters of risk relevant to their specific function as communicated to them through the above framework. All staff shall have some responsibility for internal controls as part of their accountability for achieving objectives.

2. Risk Profile

The 4 High Level Risks identified by Board Members will form the key elements of the Risk Profile and any specific risk identified in the Profile will be aligned with one or more of these. The 4 High Level Risks are:

- Reputation
- Financial Impact
- Service Delivery
- Growth and Development

The Risk Profile is both a structured process and simple mechanism and this tool will be the over-arching document that enables the Association to identify, analyse and manage risk.

The Risk Profile will include:

- The identification of actual and potential opportunities and risks
- An assessment of their probability and impact
- The identification of the appropriate control measures
- An assessment of the potential opportunities or the risks posed

3. Risk Identification

The Head of Service (Estates and Risk Management) will have responsibility for populating and reviewing the Risk Profile. All risks will be categorised in one of the following 5 areas:

- Compliance risk
- Custodial risk
- Strategic risk
- Operational risk
- Communication risk

All senior staff are responsible for communicating any perceived risk as a result of their specific activities which may impact on other departments, and for being aware of risks which fall into their area and the consequences other areas may have on them.

If senior staff become aware of new and emerging risks then they must inform the Head of Service (Estates and Risk Management) who will incorporate this new risk into the Risk Profile.

4. Assessing Risk

The risk assessment will be an objective evaluation of each risk in which assumptions and uncertainties will be fully considered and presented. Risks and opportunities will be measured in terms of likelihood and probability and a scoring matrix will be used to identify high, medium and low risk.

Impact: Severe, Significant, Minor
Likelihood: Probable, Possible, Remote

Using the criteria of the scoring matrix, all risks will be given a numerical risk score. The higher the score, the higher the risk to the Association:

- High x High (HH)
- High x Low (HL)
- Low x High (LH)
- Low x Low (LL)

HH risks are those with the potential to have a major impact on the Association's ability to function effectively and these risks will be actioned and managed closely. The Chief Executive and the Executive Team will manage these and report them to relevant Committees and Board.

HL risks are those which have the potential to have a significant impact on the Association and the primary control will be monitoring. This will be undertaken by the Head of Service (Estates and Risk Management).

LH risks are those which have the potential to have a significant impact on the Association and the primary control will be housekeeping. This will be undertaken by the Head of Service (Estates and Risk Management).

LL risks are those with minimal impact, which can be managed by Project staff and/or Service Managers.

The parameters of appropriate risk taking will be communicated to all staff, who will be discouraged from risk avoidance and encouraged instead to identify and communicate perceived risk.

All Association staff are responsible for managing risk within the parameters of their role within the Association and will communicate any perceived risk not identified within their remit to their immediate line manager.

All senior staff will communicate to the Chief Executive any perceived risk emerging as a result of any external change.

Any emergency risk situations that are not specifically detailed within the Association's policies should automatically be reported to a senior manager who will in turn communicate the risk to the Chief Executive.

5. Controls

Controls are individual actions, procedures or operations taken or set up by the Association's management to ensure that activities and systems achieve their maximum potential.

Sound systems of internal control are essential to the management of risk and will ensure against poor judgement in decision making, human error, control processes being deliberately circumvented by employees and others and unforeseeable circumstances.

The appropriate controls for the risk will be identified and fully considered and will have the right match between risk taking, enabling and risk control. Each risk will have a primary control identified on the Risk Profile.

Effective control measures will be identified using the following:

- Enabling (These controls are people reliant. Visions, Values and Training)
- Preventative (These controls are designed to prevent an error or restrict)
- Detective (These controls are designed to detect or indicate an error)
- Corrective (These controls enable risk to be corrected. Insurance business continuity)

Key controls are embodied in, but not restricted to:

- Board reports
- Business Plan
- Embedded business processes including effective financial controls accounting practices, Health and Safety practices
- Financial reports
- Governance Documents
- Internal/external audit reports and internal reviews
- Internal policies and procedures (encompassing relevant laws and regulations)
- Performance monitoring reports
- Reporting processes proper records and processes, information and communication processes
- Insurance and liability coverage

All Association staff will continue to sign in agreement of compliance with all Association policies. The Association's Disclosure Policy ensures the obligation by staff to disclose known risks.

Risk management will be a standard item at all Association staff meetings. The risk management programme will be linked with the Continuous Improvement quality programme.

6. Monitoring

The Risk and Audit Committee will receive regular reports on the effectiveness of internal controls and the monitoring/assessment of risk.

The Board will receive regular reports on the effectiveness of internal controls and the monitoring/assessment of risk.

The Board will undertake an annual risk appraisal. The Executive Team will contribute to the annual risk appraisal by reporting on relevant matters to the Board.

This policy will be reviewed on at least a 3 year cycle, or sooner as directed.

Date of next review September

Staff non-compliance with this policy may result in disciplinary proceedings.