Risk and Resilience Policy

Transcription

1 Risk and Resilience Policy Policy Implementation 1 March 2017 Policy Review Date 1 March 2018 Purpose and Scope This policy document has been created to define how our organisation will behave and its expectations regarding the behaviours of its workforce and other agencies and organisations with which it interacts. Definitions Risk can be understood as any activity or venture in which there is a possibility of a negative or adverse outcome. Such an outcome may be predictable or unpredictable. Risk is dealt with under the weaknesses and threats parts of a SWOT assessment. Resilience may be understood as an organisation s ability to continue its core activities in the event of an adverse change in the strategic environment, or its ability to respond appropriately to a crisis. Resilience is dealt with under the strengths and opportunities parts of the SWOT assessment. Our Attitude to Risk Our organisation recognises that a willingness to take considered risks, leads ultimately to competitive advantage. Therefore, we have designed a robust policy for managing risk, and supporting efficient decision-making. The practices agreed for the management of risk in our organisation are: A risk culture that is embedded throughout the organisation. Educating people about the importance of managing risk. Sufficient resources and investment, to deliver risk management objectives. The Board receives sufficiently regular, transparent and robust information on risk. People are measured and rewarded on managing risks. Level of focus placed on risk compliance. Level of focus placed on mitigating risk. Clearly defined ownership of risk.

2 Our Approach to Resilience We believe that resilience planning needs to be an organic set of principles or core values to be applied to any activity, rather than a rigid set of protocols to be followed in response to any given crisis. Resilience planning needs to be proactive rather than reactive, and needs to be built into every business plan, risk assessment and strategy, rather than existing as a back room function, or mode that we switch into in response to a crisis. Policy Content This policy aims to outline the ethos that we would like our workforce to adopt and integrate into their daily work, so that risk management and resilience planning become a natural part of any business activity. This policy does not provide a protocol or procedural guide to managing risk or resilience planning. Our organisation believes in empowering individuals rather than adopting a rigid command and control style of For this reason, this policy provides only guidelines on best practice. Whilst we are keen to adopt this approach, it must be emphasised that help, support and advice will always be available to any worker who needs it. Guidance for Managing Risk Whilst we encourage a willingness to take considered risks, and allowing freedom to act in an innovative manner, we do have a duty of care to our workforce, stakeholders, the Public, our customers, our insurers and our own Health, Safety & Security and CSR Policies. Therefore, as a minimum, we expect a full dynamic risk assessment to be carried out on all activities. Where activities are planned formally, we would expect that risk assessment to be documented. We suggest the use of the Red, Amber & Green (RAG) risk assessment template in Appendix 1 for this purpose. Where an activity has no formal planning phase, this risk assessment is likely to be undocumented, but the same mental process should be applied as in the RAG template. This policy does not exclude the use of other risk assessment templates. Where a planned activity reveals one or more RED likelihoods or outcomes, approval should be sought from a senior business partner. RED aspects will not necessarily exclude the activity, so when carrying out the risk assessment, it is important to be objective, and not actively try to reduce the seriousness of risks for fear of the activity being excluded or the plan being rejected. Most activities in Life and in Business would be expected to produce some RED risk elements. Where action can be taken to reduce risk elements, then of course our expectation is that these actions will be taken. This is called mitigation. Guidance for Planning Resilience In a manner of speaking, resilience planning is an advanced form of risk assessment. Resilience planning is only ever as effective as the quality of the information upon which it is based, and so every effort needs to be made to acquire quality information when making business plans. Plans based upon conjecture or a best guess, whilst not forbidden, will necessarily be less effective.

3 Unlike risk assessment, resilience planning not only identifies risks, but also seeks ways to neutralise those risks, and make contingency plans for when adverse situations present themselves. A good approach is to use the RAG risk assessment template and/or the SWOT assessment in Appendix 2, to identify all potential risks. This may require some imaginative effort. Do not be afraid to include extreme situations such as terrorist attack or earthquake scenarios, because these events, although rare, do happen! The idea is to try to plan for any eventuality, no matter how unlikely. The essential considerations for resilience planning are: How the organisation will continue its core activities How the organisation will respond to a crisis In an organisation such as ours of course; the continuity of our core activities in the event of a national disaster is rather irrelevant. Its response to a crisis such as this however, is highly relevant, and may involve such important activities as providing support to members of our workforce or our customers who are affected by the situation. In the event of a crisis affecting the organisation, such as a litigation, financial difficulty or some other threat to our business continuity, crisis response is important in order to avoid panic and poor decision-making. In the event of such an incident, there will be a strong emphasis on leadership qualities rather than command and control style Although it is important to manage a crisis, this is most effectively achieved through effective leadership. It is therefore possible that a crisis leader will emerge from a position in the organisation that is not normally associated with management activities, but where the necessary expertise exists to deal with the crisis. In these situations, we would seek to nurture that emerging leadership, rather than usurp it. A summary of the core values of resilience planning within our organisation would be the following: To embed a culture of risk and resilience awareness within our workforce and business planning To always be in a state of preparedness for responding to adversity when it arises To afford our workforce a freedom to act innovatively, but safely with support from the management team To cultivate leadership qualities where they emerge, both during a crisis, and during our normal business operation To encourage a culture of openness and transparency toward risk To encourage our people to take ownership of risk and its mitigation, without fear of blame To learn from adverse outcomes, without apportioning blame, and to use that learning to improve future risk and resilience planning

4 Appendix 1 - RAG Risk Assessment Template Risk Identified: Details: Likelihood: Impact Mitigations: Severity: LOW LOW Seek mitigations but safe to proceed MODERATE MODERATE Seek proceed HIGH HIGH Seek advice LOW MODERATE Seek proceed. LOW HIGH Seek advice MODERATE LOW Seek proceed. MODERATE HIGH Seek advice HIGH LOW Seek advice HIGH MODERATE Seek advice When assessing likelihood and impact severity, refer to below table: Likelihood LOW: MODERATE: HIGH: Very unlikely to occur, but possible. There is a reasonable probability that this could occur. Too significant a risk to ignore. Impact Severity LOW: MODERATE: HIGH: Highly likely to occur. Only acceptable if the impact severity is LOW.

5 A minor inconvenience, maybe slightly disruptive. No significant personal or organisational consequences. Very unlikely to result in litigation. A significant threat to business continuity, or with significant personal, business or legal consequences. Increased chance of resulting in a litigation. An unacceptably high level of impact. Threatens the very existence of the organisation, or likely to result in lifechanging injury, death or prosecution. The above are examples only, and do not constitute an exhaustive list. The risk assessor is expected to use their own initiative. Appendix 2 SWOT Analysis Strengths: Enter in this cell, all of the strengths of your business plan, or of the organisation when planning resilience. Bullet-points are the best way to enter these. Don t forget USPs, competitive advantages, and benefits to the organisation and its stakeholders. Strengths are largely intangible. Opportunities: In this cell you need to think of all the other opportunities that your plan could create for the business, or if planning resilience, consider the opportunities that often arise out of adversity, as well as opportunities to strengthen the organisation s resilience. Weaknesses: Enter in this cell, all the weaknesses of your business plan, or of the organisation if planning resilience, Be objective. Don t try to hide weaknesses they may not exclude the plan, but just need to be mitigated or considered. All plans and ideas have weaknesses, show that you have considered them. Threats: Threats will come from the risk assessment. If your risk assessment is thorough and honest, you should be able to enter a number of threats in this cell. Be honest and objective, and never try to hide threats. The organisation needs to know what threats it needs to mitigate. The existence of threats will not necessarily exclude your plan, but you need to demonstrate that you have been thorough in your assessment of threats, to inspire confidence in your plan. About this Policy Policy owner: RyeBrook Space Science Services Approved by: The Board All rights reserved. No part of this policy document may be reproduced in any form without the prior written consent of the policy owner. This document has been created in accordance with our Learning Difference Policy. If you have a learning difference, and you require this document in a different format, please contact us at theryebrook@gmail.com and we will be pleased to help in any way we can.