How To Ensure That Sovini Is A Successful Business

Transcription

1 Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December st October th October 2013 Review date: December Introduction This document sets out Sovini s, Policy for Risk Management. For the purposes of this Policy Sovini incorporates One Vision Housing (OVH), Pine Court Housing Association (PCHA), Sovini Property Services (SPS), Sovini Limited (SL), Sovini Homes (SH) and Sovini Trade Supplies (STS). The management of risk is an essential part of good Governance. Ultimate accountability for the control and management of risk rests with the Sovini Board and Partner Boards. The application of this Policy will ensure that the Executive and Senior Management Teams comply with the Sovini Board s approved Financial Management Policy and Risk Statement, which forms one part of Sovini s adopted Governance Framework. This Policy recognises that all organisations face a range of risks which can affect the achievement of their corporate objectives. Sovini is committed to the proactive management of risk, and view this as a key responsibility of all employees. Discharging these responsibilities through implementation of this Policy will significantly assist Sovini to continue to meet and deliver its corporate objectives without jeopardising its: Reputation Financial Viability Assets and Resources, and the Provision of affordable, high quality housing services 1.5 This Policy provides a framework and guidance within which the Executive and Senior Management Teams can measure, assess, mitigate, manage and monitor risk, ensuring that a proactive risk management culture is embedded across the Group. Moreover, it facilitates the development and implementation of actions aimed at improving current assurance and internal control systems. These interventions will be assessed to ensure that

2 they are both proportionate, targeted and focussed on reducing or mitigating the threat of risk. 1.6 Implementation of this Policy will help to ensure that Sovini: Creates a focus towards the achievement of corporate objectives Adds value to the business and assists with the strategic prioritisation of risk as well as its identification, management and mitigation Keeps informed, adapts flexibly to emerging issues and effectively manages change Protects and enhances its assets, people, resources and wider reputation Supports a learning, innovative and creative culture Ensures accountability and clarifies individual responsibilities for risk management Has robust and effective risk reporting, assurance and internal control systems Stakeholder reporting contains sufficient and accurate disclosure(s) Links risk to the Group s corporate planning, business planning and annual budget setting processes Improves transparency and justifies decisions Informs the insurance renewal process The application of this Policy ensures the RegisteredProviders within the Group meet compliance with the outcomes of the Regulatory Framework for Social Housing in England adopted by the Homes and Communities Agency (HCA) as outlined below: Registered Providers shall ensure effective governance arrangements thatdeliver their aims, objectives and intended outcomes for tenants and potentialtenants in an effective, transparent and accountable manner. Governancearrangements shall ensure they: adhere to all relevant legislation comply with their governing documents and all regulatory requirements are accountable to tenants, the regulator and relevant stakeholders safeguard taxpayers interests and the reputation of the sector have an effective risk management and internal controls assuranceframework Access and Communication Sovini is committed to ensuring that our services are accessible to everyone. Sovini will seek alternative methods of access and service delivery where barriers, perceived or real may exist, that may make it difficult for people to work for us or use our services. Equality, Diversity and Human Rights Sovini is committed to ensuring that no person or group of persons will be treated less favourably than another person or group of persons and will carry out our duty with positive regard for the following core strands of equality; Age, Disability, Gender, Race, Transgender, Sexual Orientation and Religion and/or Belief. Sovini also recognises that some people experience disadvantage due to their socio economic circumstances, employment status, class, appearance, responsibility for dependants, unrelated criminal activities, being HIV positive or with AIDS, or any other

3 matter which causes a person to be treated with injustice This Policy is linked to: Sovini Group Governance Framework (Code, Conduct, Rules etc) Sovini Group Financial Management Policy Sovini Group Anti Fraud and CorruptionPolicy Sovini Group Health and Safety Policy Sovini Group Business Continuity/Disaster Recovery Policy 2 Statement of intent It is the Sovini and Partner Board s responsibility to determine its appetite to risk and to ensure that robust risk management systems are in place and operating within acceptable levels. Sovini will assess appetite for risk according to its risk appetite procedure (included as an appendix) Sovini recognises that it has responsibilities to protect and safeguard the use and application of public funds and will therefore take all reasonable measures to prevent, minimise and where possible mitigate the impact and likelihood of risks from crystallising. A key requirement of Sovini s governance arrangements is that the Soviniand Partner Boardswill ensure that they take informed decisions which are based on full and complete disclosure of all financial and risk considerations. This is embedded in the Group s reporting systems and risk culture. It is the responsibility of the Group Business Assurance Committee (GBAC) and Partner Executive Management Teams (EMT) to ensure that intelligent and SMART systems and processes are in place for the identified, assessment, prioritisation, management and reporting of risk. This is achieved in practice through use and application of the Group s risk management system (Covalent - Risk Module). This is a real time, interactive module which allows Nominated Risk Owners to update and assess/ reassess risks linking key risk action and control improvements, with Key Performance Indicators and other risk and assurance processes. The benefits of which, is that the system is evidence based, and allows Sovini to visually track the impact of residual risk upon the achievement of corporate objectives. It also facilitates the embedding and updating of key risks at the most appropriate level within the Group. As well as operating the risk module, Sovini will ensure that there is a Designated Person who is a Risk Champion. This person will co-ordinate the Group s risk management activities, the reporting and assurance needs of the GBAC and respective EMT s and also take a lead role in ensuring that a risk management culture is embedded across Sovini and its people.

4 3 Policy 3.1 For the purposes of this Policy risk is defined as: Any event which may adversely affect Sovini s ability to operate effectively, maintain its financial strength, positive public image and the overall quality and / or deliverability of services to customers Risk Exposure Definition Risk exposure is defined as: The combined likelihood of an event occurring and also the potential impact of this event upon activities In identifying and determining the level of risk exposure faced by Sovini or any Partner it is necessary to assess both the untreated (Gross), current (Residual) and acceptable (Target) risk exposure. This is necessary to determine the risks prioritisation and also the determination and design of proportionate risk mitigation activities. The definition of each risk exposure type is: Gross Risk the level of risk that would occur had no management controls been put into place or had these controls failed to prevent the risk from crystallising. Residual Risk the level of risk that remains in existence once a full and complete assessment of internal controls is made. This assessment must consider the assurance provided by these controls and also the level of reliance that is being placed upon these controls working effectively. Target Risk the level of risk which is considered acceptable to the Sovini GroupBoard. This exposure needs to maintained with the SoviniBoard s Risk Appetite threshold(s) and it is the point atwhich the risk is assessed as being under control, with reasonable assurance being provided that the current controls are designed and working effectively. Risk Identification And Categorisation Sovini recognises that it faces risks from a wide variety of sources which includes: Government Policy impacting on Sovini businesses economic environment affecting viability demographic change affecting demand for services market forces affecting Sovini businesses operational resources (rents, lettings and effects of Welfare Reform) impacting on revenue ensuring financial and treasury management meets all business requirements the need to keep pace with changes in information technology natural, environmental and ecological hazards fraud and error

5 negative publicity failure to comply with legislation The level of exposure to risk will change over time and needs to be kept under constant review. Members of theexecutive and Senior Management Teams will be regarded as Risk Owners and allocated specific responsibility for the identification, assessment, control and management of risk. As a nominated Risk Owner it is these Officers responsibility to ensure that within their service areas that they: Identify, categorise, record and assess all areas of risk (both Gross and Residual) Identify and record what management controls and sources of assurance exist Quantify the level and if possible, allocate a financial value to the level of Residual Risk exposure Record the year/period in which the risk was first identified and assessed Identify, design and implement the most appropriate action(s)/intervention(s) to reduce/mitigate the risk, so that it can be realigned to that of its target (acceptable level) Conduct a periodic re-assessment of each risk to evidence and record the impact that risk mitigation is having upon the residual risk score Continually monitor, review and manage each area of risk Make recommendations to thesovini Partner Boards and GBAC, to assist implementation of measures to mitigate and manage risk Operate SMART risk reporting processes Sovini will ensure that all of its risks are categorised. This is to facilitate a structured approach to its overall risk management activities and enhance risk reporting processes. The following categories will be applied: Threats to ongoing Financial Viability Failure or Disruption to Assets or Neighbourhoods Breaches in Legislation Failure to Recruit, Retain, Develop and Monitor its People External Factor(s) having an adverse impact upon efficient Service Provision Emerging Issues/ New Risk Areas Risk Assessment The accurate and timely identification, assessment and reassessment of risk(s) is a critical activity endorsed within this Policy as is the communication of these risks within and where relevant externally to Sovini. Risk Assessment is the process in which risk(s) are scored and ranked. The purpose of which is to determine and identify the most appropriate course of action to take. It is also to ensure that each risk exposure is managed effectively and that key strategic risks are easily and efficiently reported to the Sovini Partner Boards and GBAC.

6 LIKELIHOOD RISK SCORE/RANKING By scoring and ranking risks, Soviniis better able and informed to prioritise its response. It also assists (using exception based reporting) to highlight and bring to the urgent attention of EMT and Boards and the GBAC, those risks which have the highest Residual Risk scores which by their very nature have a serious or major impact and a high likelihood or very likely probability of occurring. Sovini will identify, score and rank risks as follows: IMPACT RISK SCORE/RANKING REMOTE 1 UNLIKELY 2 LIKELY 3 VERY LIKELY 4 MAJOR SERIOUS SIGNIFICANT MINOR Sovini will proactively (not less than once per month) assess /reassess, score and rank its risks. Risk Assessment Criteria The following impact and likelihood criteria will be used to review, assess, calculate and allocate Risk Scores: Assessing the Impact of Risk 1 MINOR 2 SIGNIFICANT Minor service disruption (1 day) Significant service disruption (up to 5 Minor injury (employee or service user) days) Litigation/Claim/Fine ( 12k - 25k) Significant Injury (employee or service Financial loss (up to 100k) user) Complaints/Satisfaction Levels Litigation/Claim/Fine ( 25k - 50k) contained within targets Financial loss ( 100k to 500k) Adverse local press/public awareness 3 SERIOUS 4 MAJOR Serious service disruption (5+ days) Major injury (employee or service user) Total loss of service (5+ days) Will require the invocation of the Group

7 Litigation/Claim/Fine ( 50k - 250k) Financial loss ( 500k to 1 million) Adverse national media/public awareness May Require the invocation of the Group Incident Management Team Plan and relevant Business Recovery Plans. Incident Management Team Plan and relevant Business Recovery Plans. Fatality (employee or service user) Litigation/Claim/Fine (Legal action against Officers / Board Members or fine > 250k) Financial loss (more than 1 million) Officers /Members forced to resign Criteria for Assessing the Likelihood of a Risk Occurring Risk Score Likelihood of Risk Occurring 4 Very likely 3 Likely 2 Unlikely 1 Remote Estimation Description Indicators High - (Probable) Medium - (Possible) Low - (Remote) Likely to occur each year or more than 25% chance of occurrence Likely to occur in a ten year time period or less than 25% chance of occurrence. Not likely to occur in a ten year period or less than 2% chance of occurrence. Has occurred recently or their is potential for it occurring several times within the time period. Has a history of occurrence. Could be difficult to control due to some external influences. Has not occurred and is unlikely to occur Risk Prioritisation It is the responsibility of the Executive and Senior Management Teams to ensure that timely and accurate risk and assurance reporting processes are operated and that the Sovini Boardand GBAC are kept fully informed of the key strategic risks faced by the Sovini Group and of the risk actions being taken/implemented to address them. Risks will be prioritised using the following criterion and the recommended course of action will be implemented in accordance with the timescales indicated: Residual Risk Risk Ranking Recommended Course of Action Assessment (SCORE) (PRIORITY) High Immediate action to be taken to mitigate and reduce the level of risk exposure (within 1-6 Weeks of trigger) 3 9 Medium Urgent review of Internal Controls and appropriate risk actions, control improvements and/or contingency plans put into place (within 4-12 weeks of trigger 1 2 Low Limited intervention / action required, including

8 general housekeeping and long term action plans (within 6 12 months of trigger) Risk Response The level of response required will be dependant and related to the level of Residual Risk exposure that remains following the risk assessment stage. This response needs to be proportionate to the level and material value of the risk and prioritised so that the organisation can more effectively manage and co-ordinate its risk management activities: PRIORITISING WORK & BUDGETS CONTINGENCY PRIORITY IMPACT IRRELEVANT HOUSEKEEPING LIKELIHOOD Sovini will ensure that each risk is classified as follows: Tolerate - Accept a particular risk where the exposure is considered to be acceptable and where efforts to mitigate it or reduce it will be sustained into the longer term Treat - Manage the risk and act to implement actions aimed at reducing the risk to more tolerable levels. This would include improving or implementing new Internal Controls Transfer - Reduce the level of risk exposure by taking appropriate action and insuring or transferring the risk to a third party by changing contractual terms Terminate Reduce, modify or cease the risk exposure, by re examining how Sovini carries out its business, thus eliminating the risk In all cases other than that of Tolerate, risk action(s) will be determined as deemed necessary to reduce the level of Residual Risk to that of the accepted Target Risk. These actions will be incorporated intoservice Delivery Plans and prioritised accordingly. Once determined these actions will be mapped (cross referenced) to the risk, so that the ongoing impact of this intervention / improvement can be measured and subsequently assessed / reassessed. These actions will consider the prevention, reduction or transferring of risk. Cross Functional and Partner Operational Risk Risks can and do accumulate, this can occur over a short period of time and as such can make the combined impact and probability of the risk more significant upon the Group s

9 activities and corporateobjectives By definition, it is difficult to predict with absolute certainty how and when such an accumulation of risks may occur. To address this, Sovini will: Consider the future exposure of cross functional and Partner Operational risks as part of the risk review processes Ensure that all risks are cross referenced, especially new or emerging risks, so that the EMTs and GBAC can consider the full impact of any changes in risk actions Allocate responsibility to nominated Directors to asses and validate cross functional risks Internal Audit The GBAC will on behalf of the Sovini Partner Boards, determine and appoint an Independent Internal Auditor. The primary focus of the Internal Auditor will be to review, strengthen and improve the Group s System of Internal Control and this includes a review of the appropriateness of Sovini srisk Management and Assurance monitoring and reporting processes. The functions and reviews carried out by the Internal Auditor will complement the actions of the Executive and Senior Management Teams and will be used to independently review and test the adequacy and effectiveness of this Policy.The appointment and existence of the Internal Auditor does not reduce or otherwise affect the responsibilities of the Sovini Partner Boards, GBAC or EMTs. The Internal Auditor will independently plan, prioritise and report activity directly to the GBAC using a Risk Based Methodology and hold In Camera sessions with Members of the GBAC to discuss and clarify any disclosure, issues or concerns. Management, Monitoring and Reporting Progress Risks will be robustly and sensitively managed, monitored and reported to ensure that: Strategic Risks are highlighted, quantified, prioritised and cross referenced Operational Risks are identified, updated and re assessed at regular periods The EMTs, Sovini Partner Boards and GBAC have sufficient assurance reports to enable them to discharge their risk management responsibilities and evidence that Sovini s risks are being managed and mitigated effectively Reporting systems have sufficient capacity to support the external reporting and risk disclosure needs of the business A risk register is maintained which identifies all risks and the mechanisms for controlling and managing them,including the breadth and scope of any detailed risk assessment work/ actions A Nominated Risk Owner, is assigned to each risk to ensure its review and management Half yearly risk updates will be provided to GBAC and risk reviews will be conducted at least monthly by risk owners. Partner Boarsd will review their risks annually as part of the groups internal controls reporting / assurances processes.

10 4 Implementation Sovini Boards The Sovini Group and Partner Boards have ultimate responsibility and accountability for the management of risk. The Sovini Group Board determines the group appetite for risk in conjunction with the EMTs and SMTs of the various partners. The Sovini Group Board approves operational responsibility for risk management as follows: Group Business Assurance Committee (GBAC) The GBAC has responsibility for the design of risk management and assurance reporting processes and for ensuring SMART systems for risk management are in place in conjunction with the EMTs and SMTs of the various partners. Executive Management Teams and Senior Management Teams The EMT s and SMT s of subsidiary partners are nominated risk owners within the group structure and conduct a monthly review of all identified risks. The EMT s and SMT s will make recommendations to the Sovini Group Partner Board and GBAC on any new risks to be developed. Group Risk Champion Sovini will have a designated risk champion who will co-ordinate the Groups risk management activities and ensure a risk management culture is in place. All Employees All employees within the Group have a collective responsibility for the proactive management of risk and to alert Executive and Senior Management Teams of any risks they believe are uncontrolled or any negative impacts of risk activity that is permitted within Sovini risk thresholds. This responsibility is embedded and communicated to all new employees as part of the Group s induction programme. Internal Audit The Sovini Group will appoint an Internal Auditor to review, strengthen and improve the internal systems of risk control and provide an independent assessment of the adequacy of this Policy. An annual report will be produced by the Internal Auditor which will provide an opinion on the Group s Risk Management and Internal Control System 5 Performance 5.1 Working towards an annual audit plan, the appointed Internal Auditors recommendations for action to address all identified risks will be uploaded into the Group performance management system (Covalent).Individual officers or teams will then be assigned responsibility and will be required to complete these actions by agreed dates. 6 Consultation 6.1 The Sovini Group s Operations Director (Finance) and Risk and Assurance Officerhave been consulted in the development of this Policy.

11 6.2 Due to the mandatory nature of the Risk Management Policy, it is not open to influence by customers and it has not been necessary to consult with customers in the development of the Policy. 7 Review 7.1 The Risk Management Policy will be reviewed every year (from the date of approval) by the Sovini Group Board. The review process will ensure its continuing suitability, adequacy and effectiveness or as required by the introduction of new legislation or regulation that impacts on the Sovini Group s obligations in regard to risk management,changes to Sovini business practices or in the light of management system audits. 8 Equality Impact Assessment 8.1 Was a full Equality Impact Assessment (EIA) required?no 8.2 When was EIA conducted and by who?an Equality Impact Assessment Relevance Test was Conducted by Sovini soperations Director (Finance) and the Sovini GroupPolicy and Strategy Officer 8.3 Results of EIATheSovini Group Risk ManagementPolicy has no adverse or differential impacts on any group or individual with protected characteristics. 9 Scheme of delegation 9.1 Responsible committee for approving and monitoring implementation of the Policy and any amendments to it 9.2 Responsible officer for formulating Policy and reporting to committee on its effective implementation 9.3 Responsible officer for formulating, reviewing and monitoring implementation of procedures Sovini Board Sovini Operations Director (Finance) Sovini Operations Director (Finance) 10 Amendment log Date of revision: Reason for revision: Consultation record: Record of amendments: July 2013 The Sovini Group2013 Risk Management Policy replaces all previous risk policies operated by Sovini or its subsidiary organisations Partner Boards The Sovini Operations Director (Finance) and the Risk and Assurance Officer have been consulted in the development of this Policy Policy updated in line with revised Group Structure

12 December 2013 Reviewed in line with review schedule See section 6 above Policy now incorporates appetite for risk process Sovini Risk Management Structure Sovini Board Group Business Assurance Committee Registered Provider Partner Boards Group Risk Champion Commercial Partner Boards Executive or Senior Management Team Executive or Senior Management Team Risk Owners Risk Owners Internal / External Audit (and other forms of assurance)

13