Risk Management Policy

Risk Management Policy

1. Purpose

1.1 This Risk Management Policy ("the Policy"):

  • sets out the high level arrangements for risk management, control and assurance at Common Purpose;
  • provides a definition of risk and risk management;
  • sets out the arrangements for approval and maintenance of the Policy;
  • defines Common Purpose's approach to risk appetite and tolerance;
  • defines Common Purpose's risk management strategy/framework ; and
  • describes the governance arrangements and responsibilities for managing risk.

1.2 This Policy is reviewed annually by the Audit and Risk Committee to ensure fitness for purpose. It is approved by the Board of Trustees and has the full support of the Group CEO and senior management of the Organization.

1.3 Understanding and controlling risk is important to Common Purpose. Effective and efficient risk governance and oversight provide management with assurance that Common Purpose’s business activities will be positively enhanced by opportunities but not be adversely impacted by threats that could have been foreseen. This in turn reduces the uncertainty of achieving Common Purpose’s strategic ambitions as defined in the Strategic Plan.

2. What is Risk?

2.1 Risk can be defined as the uncertainty around the organizations ability to achieve its objectives and execute its strategy effectively. Risks can be positive (opportunities) and negative (threats) and are a combination of the likelihood of an event and the impact of the consequence. Events with a negative impact represent risks that can prevent value creation or erode existing value. Conversely opportunities could, if exploited, offer valued improvements to the organization and the customers it serves.

2.2 The organization groups risks into the following categories: a) Reputation b) Business and c) Legal and Compliance.

2.3 Although any given risk can impact more than one of the above categories, the categorization is helpful in the process of identifying the risks that the organization faces and for distinguishing the risk appetite across the different categories of risk.

3. Risk Management

3.1 Risk management can be defined as the systematic application of principles and approach, and a process by which the Organization identifies and assesses the risks attached to its activities and then plans and implements risk responses. A key component of realizing the practice of risk management is enabling a risk culture; section 6 provides more detail on this.

3.2 Effective risk management underpins the Organization's long-term success. As such, it is essential that risk management is incorporated into all key Organization processes, including but not limited to strategy, unit business planning, operations, and programme and project management. It applies in both business and learning environments. Common Purpose accepts that Risk cannot be totally eliminated. The purpose of the policy is to support the development of a consistent approach to managing risk.

4. Risk Appetite Statement

4.1 Risk appetite is the amount and type of risk that the Organization is willing to take in order to achieve its strategic objectives.

4.2 The risk appetite statement is in relation to the risk categorizes set out in paragraph 2

4.3 The annual review of the Policy will include the opportunity for The Board of Directors to review its risk appetite statement in light of the context in which the Organization is operating.

5. Approach to Controls Maturity

5.1 Controls Maturity is a framework for appraising risk management competency. The Organization is currently assessed against the five definitions below across what is a continuum.

  • Unreliable Adequate control activities are not designed or are not fully in place
  • Informal Control activities are designed and in place but are not adequately documented
  • Standardized Control activities are designed, in place, consistently applied and are adequately documented
  • Monitored Standardized controls with periodic testing for effective design and operation with reporting to management
  • Optimized Integrated controls with real-time monitoring by management and continuous improvement

5.2 It is not always appropriate to aspire to 'optimized' controls. However, it is expected that controls should at least be 'standardized', except in the year in which new business processes are being introduced. There is an expectation for management to move control maturity higher within the "standardized" category and into the "monitored" category over time as part of a process of continuous improvement. However, control maturity expectations also depend on the likelihood and impact of risks materializing, and on the Organization's risk appetite and risk tolerance levels. In an area assessed as having a lower risk tolerance level, the focus on control maturity will be higher in order to mitigate the inherent risk.

6. Risk Management Culture

6.1 The Organization strives to embed a culture where risk management is a key component in all its decision-making. This will enable individuals and teams to take the right risks with an informed manner.

6.2 The Organization's risk culture builds upon its values of serious, passionate and real.

6.3 The following key characteristics have been adapted from the Institute of Risk Management which recommends these components of a successful key culture:

a) A distinct and consistent tone from The Board of Directors and Senior Management Team in respect of risk taking and avoidance;
b) A commitment to the Organization's core values of serious, passionate and real;
c) A common acceptance through the Organization of the importance of continuous risk management, including clear accountability for and ownership of specific risk and risk areas;
d) Transparent and timely risk information flowing up, down and across the Organization;
e) A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics as well as the consideration of wider stakeholder positions in decision making;
f) Actively seeking to learn from mistakes and near misses;
g) Appropriate risk taking behaviours encouraged and inappropriate behaviours challenged and sanctioned;
h) Risk management skills and knowledge valued, encouraged and developed;
i) Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged; and
j) Alignment of management culture with employee engagement and people strategy to ensure staff are supported and strongly focused on the task in hand.

7. Risk Management Framework

7.1 The Risk Management Framework sets out the controls and or mitigations in place, which together facilitate an effective response to a variety of Operational, Financial and commercial Risks. These elements include:

Business planning and budgeting

7.2 The business planning and budgeting processes are used to set objectives, agree action plans and allocate resources. The identification and management of risk in this process is a key part of this process and progress towards meeting organizational objectives is monitored regularly.

Risk Register

7.3 The Risk Register has been developed to record any area of risk that presents a threat to the aims/ objectives/business of Common Purpose, the level of risk they present and the agreed actions being taken to manage and mitigate those risks. Each area of risk has a risk owner assigned to it. The risk register is reviewed at a monthly meeting where risk owners are responsible for highlighting any significant changes and recommending any improvement actions. It is also formally reviewed by the board each quarter with final risk scores given for each area of risk identified. It is viewed as a working document and changes are made to the register when required to reflect the status of a risk area.

Programme Risk

7.4 Risk associated with programme delivery is managed through risk assessments. Risk policies have been created for both online and in person programme delivery and all teams are required to undertake risk management to identify the risk requirements of a programme and if a risk assessment is essential. Risk assessment templates have been created so that teams are able to record the risks that have been identified and ensure the correct mitigations are in place. The risk associated with any programme must be evaluated to ensure we uphold our duty of care to our participants, staff and contributors. Any risk assessment required for a programme is held in a central location and is reviewed and signed off by the Operations team.

Third Party

7.5 External sources are necessary in areas such as health and safety and Covid 19. The use of specialist third parties can ensure the effectiveness in enabling a good risk management process and prevent unnecessary threats within the organization.

8. Governance and Responsibilities

8.1 An effective risk management structure requires governance, oversight and management. The governance role sets strategy and approves the Policy, and receives assurance that they are operating effectively. Risk oversight involves establishing a framework of rules and mechanisms to measure, monitor and report risk exposures. It also provides a process to ensure that risk is managed effectively, as set out in the Framework.

9. Risk Governance

The Board of Directors

9.1 The Board of Directors has overall responsibility for risk management, sets the tone for risk management within the Organization and takes an overall perspective of compliance with the Organization's policies. The Board of Directors determines the Organization’s overall parameters for the institution’s risk appetite and tolerance. The Council assures itself that risk management requirements are consistently and rigorously applied through receipt of risk reports considered by the Senior Management Team, the committees reporting to The Board of Directors or The Board of Directors itself. The Board of Directors is assisted in fulfilling its responsibility for risk management by the Audit and Risk Committee.

Audit and Risk Committee

9.2 The Audit and Risk Committee on behalf of The Board of Directors considers:

  1. Regular assurance reports from management on compliance with the policy and
    management of risk exposure relative to risk appetite and tolerance;
  2. Independent assurance reports from internal audit on the quality of internal controls, and on the adequacy and effectiveness of the Framework;
  3. Independent reports from the external auditors and other sources of assurance; and
  4. Revisions to the Policy and recommends changes to The Board of Directors.

Executive Accountability and Oversight


9.3 The CEO is accountable to The Board of Directors for implementing an appropriate risk
management framework and for allocating responsibilities to individuals within that framework so that The Council’s Policy requirements are met.

Chief Operating Officer

9.4 The Chief Operating Officer is responsible for setting the tone and influence the culture of risk management across the Organization. This includes the following:

a) Monitoring day to day risk management activities;
b) Advising The Board of Directors on the overall assessed level of risk appetite and tolerance, and reviewing breaches of risk appetite and tolerance;
c) Approving major programmes/projects that affect the Organization's risk profile or exposure, deciding what types of risk are unacceptable/acceptable;
d) Actively reviewing the Organization’s Strategic Risk Register and risk "deep dives" into the Organization's principal risks and monitoring significant risks including the effectiveness of controls; and
e) Agreeing actions, changes or improvements to key elements of the process and framework.

Executive Responsibilities

Chief Operating Officer

9.5 The Chief Operating Officer has executive accountability and responsibility for risk management across the Organization. All updates and reviews of the Policy and risk appetite statement must be approved by the Organization Secretary.

9.6 Operational responsibility for the development and maintenance of the Policy and the
Framework and all associated activity is delegated to the Chief Operating Officer, holding
responsibility for monitoring implementation of the Policy and Framework through the
Organization’s planning processes and reporting to the CEO.

Heads of Unit

9.7 Heads of Units are responsible for managing risks inside their own areas of accountability and articulating them within the unit planning process by maintaining a risk register. Whilst Heads of Unit maintain responsibility for their areas they may delegate responsibility for specific risks to named Risk Owners.

Risk Owner

9.8 Risk Owners are responsible for the management and control of all aspects of the risks assigned to them, including implementation of risk response actions to address threats and maximize opportunities. The responsibility for implementation of risk response actions may be delegated to a named individual who supports and takes direction from the risk owner.

All staff

9.9 Staff throughout the Organization are responsible for complying with the Policy and for
managing the risks associated with their operational activities and processes. The Framework describes the method for applying Policy requirements, including the tools and techniques for risk identification, assessment, planning, implementing, monitoring and reporting. The Organization uses risk registers and heat maps to document consideration of risks. These should be reviewed regularly to ensure threats are being managed and opportunities exploited.

10. Risk Assurance

10.1. Assurance is provided through transparent, timely and objective risk reporting. High quality and accurate risk management information helps to ensure that senior management is fully aware of material risks to which the Organization is exposed.

10.2. The Chief Operating Officer provides regular reports and insight to management and the Audit and Risk Committee on governance, risk management and internal control. Additionally an annual report on the overall effectiveness of governance risk management systems and controls across the Organization, (which helps to inform the Audit and Risk Committee's opinion on the effectiveness of risk management) is provided to The Board of Directors.

11. Approval and Maintenance

11.2 The Policy is approved by the Board of Directors on the recommendation of Audit and Risk Committee. The Policy is reviewed by Audit and Risk Committee at least annually to ensure that it continues to be relevant to the Organization's current and planned activities. Changes are recommended to The Board of Directors for approval.

You can also download the policy document here

Common Purpose Charitable Trust
38 Artillery Lane,
London E1 7LS
United Kingdom

Last updated: September 2021