1. Introduction
ICYE UK recognises that the successful management of risk is fundamental to maintaining our ability to deliver on our key mission statement:
- Provide supported international volunteer opportunities that directly benefit local communities
- Encourage young people from around the world to live, learn and work together
- Engage volunteers in the on-going development of the organisation
ICYE UK will adopt a proactive approach to managing risk and an integrated risk management system to incorporate all kinds of risk including strategic, operational, financial, external and compliance.
This policy will outline relevant procedures and guidelines to ensure risk is considered, coordinated and managed in a positive, sensible and proportionate way, where a culture exists allowing stakeholders to feel empowered to report, manage and escalate risks as appropriate.
1.1 Aims of the Policy
This policy will provide structure and guidance to the relevant ICYE UK stakeholders to:
- Identify risks;
- Assess risks against a uniform framework;
- Report and escalate risks;
- Manage risks; and
- Maintain the ICYE UK Risk Register.
This policy does not cover risks or risk management systems in external partner organisations such as those hosting volunteers, but ICYE UK should seek assurance that effective management systems are in place.
2. Roles & Responsibilities
2.1 Board of Trustees
ICYE UK’s Board of Trustees (“The Board”) is responsible and accountable for endorsing the organisation’s system of internal control, including the arrangements for risk management.
The Board of Trustees has responsibility for providing leadership on the management of risk and ensuring that the risk management systems are effective and operational.
2.2 Risk Lead
The Risk Lead (RL) is the named Trustee accountable to The Board and The Chair for ensuring there is an effective system of risk management and internal control in place, and for meeting statutory, regulatory and governance requirements.
The RL has delegated responsibility for the maintenance of the systems of internal control and should ensure appropriate review of the same and of this policy.
2.3 Office Manager
The Office Manager (OM) is responsible for the day-to-day management of the ICYE UK Risk Register (“the Risk Register”) and for the escalation of delays or barriers in relation to any actions or mitigations.
The Office Manager will ensure provision of the necessary papers or extracts from the Risk Register in order for The Board to review in a timely manner before discussion according to the cycle detailed within this policy.
2.4 Risk Owner
Each risk must have a named Risk Owner (RO) responsible for:
- Ensuring effective controls are in place to mitigate the impact of the risk;
- Reviewing their risks according to the necessary review cycle;
- Taking or delegating any necessary actions against their risk;
- Escalating any concerns, delays or increases in risk grading;
- Reporting updates to the OM or nominated deputy in order to maintain the accuracy of the risk register.
2.5 All staff, interns, contractors, and volunteers
Everyone has a responsibility to identify and report risks promptly, thereby allowing risks to be managed and, where necessary, added to the Risk Register.
In particular everyone must:
- Take steps to avoid injury and risk to people;
- Be alert to, identify and report risks, especially those that do or potentially may impact on the health, safety, or wellbeing of people; and
- Manage risk within their sphere of responsibility – it is a statutory duty to take reasonable care of your own safety and the safety of others who may be affected by your acts or omissions.
3. Processes
3.1 Identifying Risks
ICYE UK identifies the following types of risks, depending on where the impact would be felt most significantly:
- Compliance – risks that impact on ICYE UK’s ability to meet any of its legal or statutory requirements;
- External – risks that are dependent on non-ICYE UK stakeholders;
- Financial – risks that mainly impact on income streams or result in a cost to the organisation;
- Operational – risks impacting on the day-to-day running of the organisation, or disrupting standard operation procedures or processes; and
- Strategic – risks impacting on the strategic role of the Trustees or with a wholly long-term impact i.e. more than twelve months.
Risks can be identified in a variety of ways including proactively monitoring, conducting risk assessments, or through project set-ups, etc., or reactively responding to issues raised or information received internally or externally.
Any member of staff or Trustee who becomes aware of an actual or potential risk should ensure that this is acted upon and communicated appropriately.
3.2 Assessing Risks
Once a risk has been identified, it is essential that it is assessed to ascertain the action required.
All risks should be graded against the potential impact (I) and the likelihood of occurrence (L), each on a scale of 1 – 5 as outlined in Appendix A. The risk (R) is then finally scored by multiplying I x L with the potential outcomes detailed below:
Risk = I x L, with Impact (I) in rows and Likelihood (L) in columns:
Impact (I) | 1. Remote | 2. Unlikely | 3. Possible | 4. Likely | 5. Almost Certain |
5. Extreme | 5 | 10 | 15 | 20 | 25 |
4. Major | 4 | 8 | 12 | 16 | 20 |
3. High | 3 | 6 | 9 | 12 | 15 |
2. Moderate | 2 | 4 | 6 | 8 | 10 |
1. Low | 1 | 2 | 3 | 4 | 5 |
Score | Grading |
15 – 25 | Critical Risk |
8 – 12 | High Risk |
4 – 6 | Medium Risk |
1 – 3 | Low Risk |
3.3 Registering Risks
Any identified risks will be added to the organisational Risk Register by the OM or other nominated individual, with notification made to the responsible person as soon as reasonably practicable.
Information required to complete the risk register entry includes:
- Risk title
- Risk description
- Risk type (see Section 3.1 for more details)
- Original risk score & grading (see Section 3.2 for more details)
- Current controls / mitigations
- Action(s) required
- Current risk score & grading (see Section 3.2 for more details)
- Next review date
- Current status
- Risk owner.
3.4 Managing Risks
The mechanisms for reviewing and managing risks are outlined in the table below according to their grading.
The addition of a new risk of any grade, or any increase in grading at any level, should be notified as soon as possible to the Risk Lead and Chair by the Risk Owner.
Grading | Review Schedule | Reporting Mechanism |
Critical (15 – 25) | Monthly | Chair & Risk Lead to be notified in the event of any update, plus presentation at subsequent Board meeting |
High (8 – 12) | Every 2 months | Updates presented at subsequent Board meeting |
Medium (4 – 6) | Every 6 months | Updates recorded only on Risk Register |
Low (1 – 3) | Annually | Updates recorded only on Risk Register |
3.5 Closing Risks
A risk can be considered for closure on the Risk Register when one or both of the following criteria have been met:
- All identified actions have been closed;
- The risk has been eliminated.
The risk should then be presented at the subsequent Board meeting for authorisation to either:
- Close the risk; or
- Accept the risk in its current state with the review routine according to its current grading; or
- Accept the risk in its current state with a different review routine.
4. Review of Policy and Procedures
The RL will be responsible for ensuring the review of this policy and applicable procedures noted within, at least every three years, or following the issuance of new or changed relevant guidance or following an incident that appropriately warrants an earlier review.
The reviewed policy will then be submitted to the Board of Trustees for review and ratification.
Appendix A: Risk Grading Matrix
A risk score is calculated by assessing the potential impact (I) and the likelihood of occurrence (L), each on a scale of 1 – 5. The risk (R) is then finally scored by multiplying I x L and subsequently graded from Low to Critical:
Impact (I) in rows, Likelihood (L) in columns:
Impact (I) | 1. Remote | 2. Unlikely | 3. Possible | 4. Likely | 5. Almost Certain |
5. Extreme | 5 | 10 | 15 | 20 | 25 |
4. Major | 4 | 8 | 12 | 16 | 20 |
3. High | 3 | 6 | 9 | 12 | 15 |
2. Moderate | 2 | 4 | 6 | 8 | 10 |
1. Low | 1 | 2 | 3 | 4 | 5 |
Score | Grading |
15 – 25 | Critical Risk |
8 – 12 | High Risk |
4 – 6 | Medium Risk |
1 – 3 | Low Risk |
The tables below provide examples and guidance on the scoring criteria.
The guide below should be used to ascertain the potential Impact score of a reasonable worst-case scenario, according to the most appropriate type identified for the risk:
Impact (I) by risk type:
Risk Type | 1. Low | 2. Moderate | 3. High | 4. Major | 5. Extreme |
Compliance | No or minimal impact or breach of guidance / statutory duty | Breach of internal policy or statutory legislation; Reduced external ratings if unresolved | Single breach in statutory duty; Challenging external recommendations / improvement notice | Enforcement action; Multiple breaches in statutory duty; Improvement notices; Low performance rating; Critical report | Multiple breaches in statutory duty; Prosecution; Complete systems change required; Zero performance rating; Severely critical report |
External | Loss of supply with minimal impact without intervention | Loss of supply for 5 days or less manageable with additional internal interventions | Loss of supply impacting for more than 5 days or requiring external support or wider ICYE support for resolution | Loss of key supply causing disruption that requires alternative provider to be sought | Permanent loss of key or critical supply with no alternative available |
Financial | Loss < £XX; Expenditure < £XX | Loss £XX – £XX; Expenditure £XX – £XX | Loss £XX – £XX; Expenditure £XX – £XX | Loss £XX – £XX; Expenditure £XX – £XX; Potential / minor contractual impacts | Loss > £XX; Expenditure > £XX; Loss of / significant contractual impacts |
Operational | No disruption or losses requiring intervention | Minimal delays, disruptions or losses with internal interventions required; Low staffing levels or inadequate processes requiring Trustee advice or support | Impacting for more than 5 days with internal interventions required; Prolonged, reduced staffing levels or multiple process disruptions requiring Trustee intervention or short-term recruitment | Disruption impacting for more than 1 week or occurring at a critical time; Loss of key staff or skill mix requiring mutual aid and substantive recruitment; External support required such as an emergency service provider, and localised external reporting | Disruption requiring significant external support and national-level external reporting such as RIDDOR |
Strategic | Potential for public concern or rumours | Local media coverage or short-term reduced public confidence | Local or regional media coverage; long-term reduced public confidence; Potential for interest or concern from ICYE Federation | Uncertain delivery of key objective; National media coverage <3 days; local MP interest; well below reasonable public expectations | Non-delivery of key objective; National media coverage >3 days; local MP interest, questions in the House; total loss of public confidence |
The table below should be used to calculate the likelihood of an impact occurring according to either frequency or probability as appropriate:
Likelihood (L) | 1. Remote | 2. Unlikely | 3. Possible | 4. Likely | 5. Almost Certain |
Frequency | May occur in exceptional circumstances | The situation is not expected to occur | The situation should occur at some time or occasionally recur | The situation will occur in most circumstances or recur persistently | The situation is more than likely to occur in most, if not all circumstances |
Probability | 1 – 5% | 6 – 30% | 31 – 70% | 71 – 90% | >90% |
ICYE UK Risk Management Policy