Every social business should have a process that provides it with a systematic view of the risks it faces over the course of its activities.
As part of this process, establish all relevant risk registers to identify the risks that the organisation faces, grading them in terms of likelihood of occurrence and seriousness of impact. Then, create plans for managing each risk.
Below, we look at ways to mitigate risk in a social business using the Wales Co-operative Centre as a case study.
The purpose of a risk register
The purpose of having a risk register is to ensure levels of risk and uncertainty are properly managed so that the organisation can achieve its objectives.
Below are outlines of the process by which the Wales Co-operative Centre’s risk registers are established, maintained and reviewed.
For the purposes of this example:
- Risk is taken to mean the chance that an event will occur that will impact on the Centre’s objectives. It is measured in terms of impact and likelihood.
- Risk Assessment is taken to mean the process used to determine risk management priorities by evaluating and comparing the level of risk against predetermined acceptable levels of risk.
- Risk Management is taken to mean the systematic application of a management system (policies, procedures and guidelines) to the task of identifying, analysing, treating and monitoring risk.
- Risk Register is taken to mean a register which records details of all the risks identified for an organisation or programme, their grading in terms of likelihood of occurring and seriousness of impact on the organisation, initial plans for managing each high level risk and subsequent results.
- Impact (also known as consequence) is taken to mean the outcome of an event expressed as a loss, injury, disadvantage or gain.
- Likelihood is taken to mean a qualitative description of probability or frequency.
- Control is taken to mean that portion of risk management that involves the implementation of actions to eliminate or minimise adverse risks.
The Management Board oversees risk management at the Wales Co-operative Centre. It is supported in this role by the Audit and Risk Committee which scrutinises and advises the Board on matters relating to risk management.
The Chief Executive Officer is required to ensure that a corporate risk register, as well as programme, project and function risk registers, are established, implemented and maintained. Directors are required to develop risk registers for the functions that they manage, e.g. HR, IT and finance.
Programme Directors are required to develop risk registers for the programmes which they lead. Managers are required to develop risk registers for the projects which they lead.
There will be a corporate risk register as well as programme, project and function risk registers at the Centre. These will be developed using the Centre’s standard risk template. The risk register assesses the likelihood and impact of each risk.
The risk register methodology includes the date the risk was identified, a description of the risk and clearly defined impact, as well as likelihood and impact scores, risk score and class. You should also outline the control measures, target risk score and target date, risk owner and dependencies.
A copy of the corporate risk register will be distributed to the Board, SMT and managers. Programme registers will be shared with SMT and managers. Project and function risk registers will be shared with the relevant managers and programme directors.
Matters that are not deemed to be a risk but need to be considered and kept under review should be recorded in an issues log.
The corporate risk register will be reviewed by the SMT on a monthly basis and it will go to the Management Board to be reviewed at each meeting.
Each programme risk register will be reviewed by the relevant Programme Director and managers on a monthly basis. Programme risk registers will then be reviewed by SMT on a 6 monthly basis as well as by any relevant Programme Management Board, such as the Social Business Wales Management Board. The Board will review programme risks at each meeting as part of the progress report.
Project and function risk registers should be reviewed at team meetings on a monthly basis and be part of the agenda of meetings with managers.
The Audit and Risk Committee will review the content of all Wales Co-operative Centre risk registers, as well as the related processes for managing risk, as often as it chooses but on at least an annual basis.
SMT members and managers are required to ensure they report any new risks, or changes to existing risks as soon as they are aware of them for incorporation into the relevant risk register. Corporate risks should be reported to the Chief Executive, programme risks should be reported to the relevant Programme Director and project or function risks should be reported to the relevant Director or Manager.
Any risk deemed to be a very high risk (or a red risk) on a programme, project or function risk register will automatically be escalated for inclusion in the corporate risk register. Such a risk will remain on the corporate risk register until such time as the risk is deemed to have been reduced to high risk.