FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

Risk Management Policy & Procedures

1. Policy Statement

The Company is committed to ensuring that we understand and adhere to all regulatory and legal requirements regarding our risk management obligations. Whilst we accept that not all risks can be eliminated, we are committed to ensuring robust and effective controls, measures and processes to identify gaps and risks, to have proportionate oversight functions and to mitigate risk where possible.

Operational managers are tasked with risk mitigation and we utilise the Three Lines of Defence model in our approach, ensuring that effective management control, adequate risk control and compliance oversight functions and independent internal audits are established within our risk management framework. Effective lines of communication and collaboration across the Company ensure that gaps are easily and quickly identified and that duplicated processes or functions are removed.

This document states our risk management objectives and sets out our approach to managing and mitigating risks, as well as providing defined and detailed procedures for identification, assessment, mitigation and corrective actions. We are dedicated to ensuring that all employees are fully trained and understand the implications of risk and know that our structured procedures, systems and controls have been put into place to identify the risks, mitigate where possible and prevent unnecessary harm or damage to any individual or entity.

2. Purpose

The purpose of this policy is to provide our objectives, intent, approach and procedures for risk management and assessment, and to act as a guidance document for employees and third parties. Effective risk management requires a robust and defined framework, detailing the functions, actions and controls used to identify, assess and prevent risks.

In addition to standard business risks and those associated with our business type and industry, we also recognise the risks that result from processing personal data and understand our obligation to protect and secure personal data by identifying and mitigating the risks posed. The Company is committed to ensuring a risk-based approach towards personal data and the protection of individuals’ rights and freedoms, and utilises such an approach as an effective tool for securing personal data and mitigating associated risks. We have dedicated data protection policies in place for specific risk assessment around personal data.

3. Scope

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

4. What is Risk?

The Company’s definition of a ‘risk’ is: –

An event, action or cause leading to uncertainty in the outcome of the Company’s operations. This risk may be financial, reputational, regulatory, legal or ethical and can affect one to many persons associated with the Company.

With regards to privacy and the protection of data, we define ‘risk’ in terms of the severity, impact and/or probability a breach, function or processing activity would have on individuals. When referring to business risks, we consider varying factors, including internal and external risks; those posed by systems and/or processing and those posed by employees or customers. We consider the systems, entities or individuals who will be affected or compromised, the severity of any impact (i.e. loss, threat, unauthorised disclosure) and whether mitigating controls and measures already in place (or able to be implemented) would reduce impact, severity and/or probability.

The stages in risk assessment are to: –

  • identify the main risks to your objectives, business and customers
  • assess/measure the importance, impact and likelihood of the risk
  • mitigate the risks through corrective actions, controls and operational measures
  • reassess the risk importance, impact and likelihood
  • carry out ongoing monitoring of the risk and mitigating controls

5. Objectives

The Company has developed several objectives for identifying, assessing, mitigating and monitoring risks.

The Company ensures that we: –

  • Identify and assess all risks and where necessary, treat/address them in a timely manner
  • Have effective processes to identify, manage, monitor and report the risks we are (or might be) exposed to
  • Establish, implement and maintain adequate risk management and security policies and procedures, including effective controls for risk assessment, identifying the risks relating to our activities, processes and systems, and where appropriate, set the level of risk tolerated by us
  • Apply adequate and effective controls to mitigate the identified risks within the agreed parameters and regularly test these controls to ensure that they remain effective and appropriate
  • Review risks (frequency determined by risk score) and related procedures for adequacy and relevance, as well as re-assessing new risks that we might be exposed to
  • Conduct reverse stress testing to ensure that the controls, systems and procedures put into place for risk management are effective and mitigate the risks of business failure
  • Have a compliant and robust remuneration policy and procedure in place to prevent internal risks associated with unfair business practices through competitive sales and/or advice
  • Provide staff with sufficient training and support to manage our risk management obligations and objectives
  • Conduct risk assessments on all new business ventures, systems, and functions to ensure that they are aligned with the goals and objectives in this policy
  • Assign responsibilities for risk management, security and data protection and ensure an unbiased, supported role for each
  • Ensure there are processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts associated with our business activities and information (risk register)
  • Utilise a risk matrix for rating and scoring the impact and likelihood of any identified risk and use this score to set the frequency of monitoring and the mitigation requirements, and to make informed decisions about the risk(s)
  • Identify and analyse the GDPR requirements for risks relating to personal data, with emphasis on any high-risk processing activities and processing special categories of personal data
  • Review all processing activities on a frequent basis to assess their risk rating and to identify any gaps or new risks associated with the processing of personal data
  • Define procedures and reporting mechanisms for data protection impact assessments (DPIA) where mandatory under the data protection laws
  • Have effective companywide risk assessment procedures for identifying, assessing and managing the risks associated with money laundering and terrorist financing
  • Have dedicated and robust due diligence procedures and controls in place to aid in risk reduction and management

6. Data Protection Risks

Where the Company processes personal information as part of our business activities, we have risk assessment measures in place with the specific purpose of assessing the risk posed to individuals when their data is processed and the risk of the processing activity itself.

Recital 74 of the GDPR states that: “the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should consider the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.”

Whilst the risk measures and management around data protection and privacy are within the scope of this risk assessment document, any activity identified as high-risk or meeting the Article 35 requirements are subject to our separate Data Protection Impact Assessment (DPIA) Procedures.

7. Money Laundering Risks

The Company has dedicated Risk Assessment procedures and controls for the company-wide identification and management of the risks associated with financial crime. Whilst the risk measures and management around money laundering and terrorist financing are within the scope of this risk assessment document, we utilise our AML Risk Assessment and AML Policy & Procedures to mitigate those risks and manage our obligations in preventing financial crime.

8. Approach to Risk Management

The Company utilises the Three Lines of Defence approach in our risk management, which provides an effective framework for our 3-tiered method of identifying, assessing and managing risk. It is essential to the functioning and compliance of our business that all risks are identified and managed and that reporting lines and communication are effective and efficient. Using an ownership, oversight and audit framework allows a multi-faceted approach to risk, preventing gaps and removing duplications.

Our Three Lines of Defence framework is: –

  • Operational and line managers are given responsibility for identifying, assessing, managing and owning risk in their defined area and are tasked with developing and implementing corrective actions where applicable. Managers are responsible for the employees in their department and for supervising procedures and tasks associated with any defined risks. Risk controls, measures and the day-to-day monitoring fall within the manager’s remit. Operational managers are also responsible for training employees in risk management and the Company’s risk approach.
  • [Senior Management/Compliance Officer] are responsible for the oversight of the managers and their approach to risk, ensuring that a second line of defence is in place. This second level monitors and assesses the controls, measures and corrective actions that are in place and reports directly to the [Directors/Governing Bodies/Oversight Committee]. The [Senior Management/Compliance Officer] are responsible for the quality management of the risk functions of all managers and are tasked with ensuring the appropriate, adequate and effective operation of those functions. Senior Management are also responsible for providing training and support to the operational managers.
  • We have [a dedicated Auditor/Audit Team] who act as the third line of defence and provide independent monitoring and analysis of the overall risk management functions and approach. The auditor reports directly to the [Directors/Governing Bodies/Oversight Committee] and provides management information reporting on any issues and/or areas for improvement. Having an independent audit role enables the Company to assess, review and improve our risk management function and to ensure that we take a universal approach when assessing and managing risk. The auditor is also responsible for assessing regulatory functions and processes against the relevant standards, regulations and legislation and ensuring their compliance and adequacy.

8.1 Response to Risk

The Company employs 4 main options in response to any risks: –

  • Tolerate – if we cannot reduce the risk in a specific area, we can decide to tolerate the risk (i.e. do nothing further to reduce the risk). Tolerated risks are to be noted on the Risk Register, without any intended further actions. If the risk is shown as ‘green’ after existing mitigating actions are taken, it is usually acceptable to tolerate it. Tolerated risks are those with low or no impact and/or low or no probability of future recurrence.
  • Treat – if we can reduce the risk in a reasonable way by identifying mitigating actions and implementing them, we do so. For most risks on the Risk Register, this is the action that is/will be taken. If there is any probability of the risk occurring again, it must be treated, and the necessary mitigating actions put into place to prevent further occurrence.
  • Transfer – in this case, some risks can be transferred to other organisations (i.e. by way of using insurance or outsourcing certain tasks/services).
  • Terminate – this applies to risks we cannot mitigate other than by no longer carrying out work in that area. (i.e. if a planned project is deemed too high risk and the risks cannot be mitigated, we may decide to cancel the project).

8.2 First Line Procedures

8.2.1 Identify the Risk

All first line procedures are the responsibility of the operational managers. All areas of a manager’s department are reviewed to identify risk, including: –

  • All staff, including due diligence, background checks, [insert any employee checks you do]
  • All tasks and activities carried out within the business as part of its functioning
  • Systems and controls
  • Existing procedures relating to legal and regulatory obligations, rules and requirements
  • Suppliers and other third-party associations
  • Customers and clients
  • Complaint logs
  • Previous insurance claims
  • [Add/delete as applicable]

Identified risks are recorded on the risk register, regardless of rating, impact or likelihood. The identification stage includes: –

  • Defining the risk in a clear and simple statement
  • Recording the risk on the risk register
  • Deciding who has overall responsibility for the risk

8.2.2 Assess the Risk

A risk assessment is carried out on all risks, regardless of impact or likelihood. Risks are recorded on the register and the assessment also rates the risk in terms of the probability and impact.

During the risk assessment stage, we: –

  • Define the risk in a clear statement
  • Identify whether the risk does/could adversely affect the function or delivery of the project that the risk relates to
  • Record the objectives and benefits of the function/project to enable risk acceptance decisions
  • Assess the importance, probability and the impact of each risk
  • Decide whether the level of risk is acceptable
  • Identify possible mitigating or corrective actions that can be taken to eliminate or reduce the risk impact and/or likelihood
  • Review whether any existing control measures are effective
  • Decide what action should be taken to control or mitigate the risk
  • Decide how urgently the action needs to be taken

8.2.3 Risk Rating

Part of the risk assessment is to rate the risk in terms of impact and likelihood (probability of the risk occurring). We use a predefined Risk Matrix to give each risk a rating, which assists in managing the risk and deciding on further actions. The rating provides a colour code for how severe the risk is and therefore the necessity of putting mitigating/corrective actions into place.

Risks will usually fall into one of three categories: –

  • Risks to Individuals – Any risk that affects an individual (data subject, employee, client etc). The main risks to individuals are posed by data protection risks and information processing
  • Compliance Risks – These can arise where the assessment response indicates that a breach of standards, legislation and/or regulations will occur if the function, activity or processing goes ahead. This can also include breaching codes of conduct as relevant to a company’s business type or the services/products offered
  • Corporate Risks – Risks that will affect the business, including reputation, revenue, fines and sanctions

The risk rating table below uses the common ‘Red, Amber, Green (RAG)’ matrix, where each risk is given a RAG score based on the likelihood versus the impact. This rating is also provided in more detail in our Risk Matrix.

Likelihood \ Impact   Trivial (1)   Minor (2)   Moderate (3)   Major (4)   Severe (5)
Certain (5)           Low Med       Medium      High           Very High   Very High
Likely (4)            Low           Low Med     Med High       High        Very High
Possible (3)          Low           Low Med     Medium         Med High    High
Unlikely (2)          Low           Low Med     Low Med        Medium      Med High
Rare (1)              Low           Low         Low Med        Medium      Medium

Impact Score x Likelihood Score = Risk Rating

  • GREEN – Where an assessment outcome is Green, we still work to see if we can develop and implement any solutions or mitigating actions that can be applied to reduce the risk impact down as far as possible. However, most green rated risks are acceptable and so focus should be placed on those with higher ratings. Even where a green RAG rating has been given at the identification stage, this risk will still be added to the mitigating actions template for continuity and to ensure that all risks have been recorded and assessed.
  • AMBER – Where an assessment outcome is Amber, mitigating actions are always proposed and outcomes envisaged, before the activity is approved. The aim is to reduce all risks down to a green (acceptable) level, however there will be occasions when the activity must take place for business/legal/best interest reasons and so some of the risks associated with running a business will persist and must be accepted into the project. All solutions and mitigating actions must first be considered, tried and applied if possible. If the risk is associated with the processing of personal data, the risk should be escalated to the Data Impact Assessment screening questions to ascertain if a complete DPIA is required.
  • RED – Where an assessment outcome is Red, it indicates that either or both impact and/or likelihood scores are unacceptable, and that complete solutions and mitigating actions would be required to bring both indicators down to an acceptable level. Some activities are eliminated at this point as the impact is considered too high risk to proceed.

However, in instances where the activity or project is essential or is a legal requirement, the proposed solutions and mitigating actions are applied, and a further risk assessment is carried out to see if the risk score can be reduced to an acceptable level. If the risk is associated with the processing of personal data, the risk should be escalated to the Data Impact Assessment screening questions to ascertain if a complete DPIA is required.

Once the risk assessment has been carried out, we use the overall risk rating to make the decision whether to: –

  • PREVENT: High-probability/high-impact risk (we actively work to mitigate these)
  • ACCEPT: Low-probability/low-impact risks (maintain vigilance)
  • CONTAIN: High-probability/low-impact risk (minimise likelihood of occurrence)
  • PLAN: Low-probability/high-impact risks (plan steps to take if this occurs)

8.2.4 Manage the Risk

Managing risks involves: –

  • Eliminating them as far as is reasonably practical
  • If it is not possible/practical to eliminate a risk, we aim to minimise it as far as is reasonable to do so
  • Applying corrective actions to mitigate a risk where possible

Where a risk or its effects can be managed or controlled, we operate a hierarchy system based on the risk matrix rating. We prioritise those risks with the highest rating (therefore most likely to occur and/or with the greatest potential impact) as those that should have controls put into place to immediately eliminate/minimise them. We then work through the risk register putting controls into place in descending rating order.

To control or eliminate the assessed risk, we use a hierarchy of control. Where possible, we always aim to eliminate a risk, as we recognise that this is the most effective form of control. However, where elimination is not an option, we aim to minimise the risk by working through the alternatives in our hierarchy system.
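As an added illustration (not part of the Company’s policy and not the Company’s own tooling), the following Python script encodes the Likelihood x Impact matrix from section 8.2.3 as printed and applies the decisions this policy attaches to a rating: the product score, the PREVENT/ACCEPT/CONTAIN/PLAN quadrant, escalation to the DPIA screening questions for Amber/Red risks involving personal data, and the descending-rating order in which the register is worked through above. The mapping of the six matrix bands onto the RAG colours (Low/Low Med as Green, Medium/Med High as Amber, High/Very High as Red), the threshold of 3 for a “high” score in the quadrant decision, and the sample register entries are assumptions constructed for the example.

```python
"""Risk register scoring helper (added example; not the Company's own tooling).

Transcribes the Likelihood x Impact matrix from section 8.2.3 as printed and
applies the decisions the policy attaches to it: the product score, the band,
the PREVENT/ACCEPT/CONTAIN/PLAN quadrant, DPIA screening for Amber/Red risks
that involve personal data, and the descending-rating order in which 8.2.4
works through the register.
ASSUMPTIONS (not stated on the page): the six matrix bands collapse onto RAG
colours as Low/Low Med = GREEN, Medium/Med High = AMBER, High/Very High = RED;
a likelihood or impact score of 3 or more counts as "high" for the quadrant.
"""
from dataclasses import dataclass

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certain": 5}
IMPACT = {"Trivial": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}

# Matrix rows keyed by likelihood score; columns run Trivial..Severe.
# The printed table is not a pure function of the product score
# (e.g. a score of 4 is "Low", "Low Med" or "Medium" depending on the cell).
MATRIX = {
    5: ["Low Med", "Medium", "High", "Very High", "Very High"],
    4: ["Low", "Low Med", "Med High", "High", "Very High"],
    3: ["Low", "Low Med", "Medium", "Med High", "High"],
    2: ["Low", "Low Med", "Low Med", "Medium", "Med High"],
    1: ["Low", "Low", "Low Med", "Medium", "Medium"],
}

# ASSUMPTION: band -> RAG colour mapping.
RAG = {"Low": "GREEN", "Low Med": "GREEN", "Medium": "AMBER",
       "Med High": "AMBER", "High": "RED", "Very High": "RED"}
HIGH_THRESHOLD = 3  # ASSUMPTION: score >= 3 is "high" for the quadrant decision


@dataclass
class Risk:
    ref: str            # unique identifier (8.4)
    description: str
    likelihood: str     # a key of LIKELIHOOD
    impact: str         # a key of IMPACT
    owner: str          # who is responsible for managing the risk (8.4)
    personal_data: bool = False


def score(risk):
    """Impact Score x Likelihood Score = Risk Rating (8.2.3)."""
    return IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]


def band(risk):
    """The matrix cell for this risk, exactly as printed in 8.2.3."""
    return MATRIX[LIKELIHOOD[risk.likelihood]][IMPACT[risk.impact] - 1]


def rag(risk):
    return RAG[band(risk)]


def decision(risk):
    """PREVENT / ACCEPT / CONTAIN / PLAN quadrant from 8.2.3."""
    high_likelihood = LIKELIHOOD[risk.likelihood] >= HIGH_THRESHOLD
    high_impact = IMPACT[risk.impact] >= HIGH_THRESHOLD
    if high_likelihood and high_impact:
        return "PREVENT"
    if high_likelihood:
        return "CONTAIN"
    if high_impact:
        return "PLAN"
    return "ACCEPT"


def needs_dpia_screening(risk):
    """Amber/Red risks tied to personal data go to the DPIA screening questions."""
    return risk.personal_data and rag(risk) != "GREEN"


def prioritised(register):
    """Register in descending rating order, as 8.2.4 works through it."""
    return sorted(register, key=score, reverse=True)


def register_summary(register):
    """One summary row per risk, highest rating first."""
    return [
        {"ref": r.ref, "score": score(r), "band": band(r), "rag": rag(r),
         "decision": decision(r), "dpia_screening": needs_dpia_screening(r)}
        for r in prioritised(register)
    ]


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "Customer file exported to the wrong SFTP folder",
         "Possible", "Major", "Operations Manager", personal_data=True),
    Risk("R-002", "Printer outage delays postal correspondence",
         "Likely", "Trivial", "Office Manager"),
    Risk("R-003", "Insolvency of a key outsourced supplier",
         "Rare", "Severe", "Procurement Manager"),
    Risk("R-004", "Staff credentials compromised via phishing e-mail",
         "Likely", "Major", "IT Manager", personal_data=True),
]

if __name__ == "__main__":
    for row in register_summary(SAMPLE_REGISTER):
        print(row)
```

Because the printed matrix is transcribed cell by cell rather than derived from the product, the script reproduces the table’s own unevenness (a score of 4 lands in three different bands); anyone adopting a scoring tool should decide whether the band or the product score drives monitoring frequency, since the policy uses both.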

[If you have a system/controls in place already for managing risks, replace the below with your own approach.]

Level 1 Risk Mitigation Measures – RISK REMOVAL
The most effective control measure involves eliminating the risk altogether along with any associated effects. Where possible, we will either opt not to introduce the risk into the business in the first place or, if the risk is already present and has been assessed as suitable for elimination, we will take steps to remove the risk/activity altogether.

Level 2 Risk Mitigation Measures – RISK SUBSTITUTION/ISOLATION
If total removal of the risk is not possible due to business or external factors, we will aim to substitute the risk object/situation with an appropriate alternative that produces less of a risk.

Level 2 measures include: –

  • Using different systems
  • Altering the existing procedures of a function or activity
  • Using alternate suppliers
  • Isolating tasks/systems from certain staff and/or departments
  • Outsourcing the risk to a third-party

Level 3 Risk Mitigation Measures – RISK REDUCTION
Where the impact and/or probability of a risk is medium to low and where possible, we try to reduce the likelihood of the risk occurring and/or the effects and impact that the risk might have. This is done through mitigating and corrective actions, including: –

  • Quality control measures and procedures
  • Frequent monitoring and audits
  • Continuous compliance with legal, regulatory and business obligations
  • Staff training and assessments
  • Changes to procedures
  • Off-site back-ups and the measures set out in our Business Continuity Plan

Level 4 Risk Mitigation Measures – ACCEPT THE RISK
Where the impact and/or probability of a risk is low and where we are unable to apply any of the measures for levels 1-3, we accept the risk and its implications. Level 4 is only applied where a risk is unlikely to cause any measurable damage or harm to the business, its customers and/or any associated entity or individual.

Where a risk is accepted, we still have an incident response plan and business continuity plan in place to ensure that if a low-probability risk occurs, we have the procedures, resources and controls in place to manage it.

8.2.5 Risk Mitigating Actions

When risks are identified and assessed as being acceptable to the functioning of the business and cannot be eliminated, we develop and implement mitigating actions where possible, to reduce the impact and/or likelihood of the risk. Managers use the Risk Mitigating Action Plan for each risk, detailing what actions, processes and controls can be used to reduce the risk.

8.3 Risk Corrective Actions

Corrective actions are defined as those required where there has been an issue or breach. A new or first identified risk is given mitigating actions to reduce the impact and likelihood, however where those actions fail to prevent the risk from occurring, managers are required to carry out a reassessment of the risk and any failing processes or functions that contributed to it occurring. Some risks are expected during business and cannot be eliminated, however as time, resources and technology develops, it is possible to put new actions into place to mitigate risks.

Managers use the below Risk Management Corrective Action Plan for assessing a risk that has occurred and to put new corrective actions into place.

RISK MANAGEMENT CORRECTIVE ACTION PLAN

Assessor Name:                                   Date:                  Risk:
Did the risk occur due to it not being previously identified?                        YES/NO
Had the risk previously been assessed and had mitigating actions implemented?        YES/NO

Cause/s Identified:

Cause/s to be Corrected:

New Mitigating Strategies                        Indicators of Success                                   Monitoring Methods
e.g. 2 persons check team prior to data upload   e.g. zero upload errors                                 e.g. audits
                                                 e.g. consistent data results from both team checkers    e.g. 3rd person checks prior to upload

8.4 Risk Register

The Company uses a Risk Register to record the details of all the risks identified within the business. These include internal and external risks, ongoing risks and those defined at the beginning and during the life of a project. All risks are rated based on their impact and probability, with the risk then being added to the register and the rating being used to make decisions on mitigating and corrective actions. Managers are responsible for adding each identified risk to the register and for reviewing the risks monthly.

Our Risk Register includes: –

  • A unique identifier for each risk
  • A description of the risk
  • Risk Score/Rating
  • Assessment of probability and/or impact
  • Who is responsible for managing the risk?
  • Summary of proposed corrective and/or preventative actions

9. Second Line Procedures

9.1 Review & Monitor the Risks

The controls and procedures that operational managers put in place to identify, assess and manage the risks associated with our business are monitored and reviewed regularly to make sure they work as planned and are adequate and effective. Senior Managers/Compliance Officer are responsible for monitoring and auditing the risks and their corrective actions, as well as the support and training provided by the managers to employees in their respective departments.

Senior Managers/Compliance Officer are tasked with ensuring the effective risk management functions and practices by operational management and to support and assist those managers in setting targets, defining the risks and reporting requirements. Quality management forms a large part of the second line of defence approach, which aims to remove gaps and duplicated processes.

Senior Management/The Compliance Officer establishes processes and functions to ensure that managers and the first line of defence are adequate, effective and operating as intended. This level is essential to the Company for ensuring an added oversight function and reducing the human error element that is present in all processes and actions.

Senior Management/The Compliance Officer use several methods and controls in their oversight capacity, including (but not limited to): –

  • Carrying out audits and tests to ensure that the controls in place work and are effective
  • Disaster Recovery tests to ensure that back-ups and controls are effective and appropriate
  • Manager and team meetings are held each month to keep the staff informed of any changes to the risk management program and to ensure that staff know and understand their risk management responsibilities
  • Scenario testing is carried out on staff and systems so that any gaps can be identified and rectified
  • Identifying and communicating known and new issues and gaps
  • Assisting management in developing and implementing effective risk controls and measures
  • Supporting and training managers in their risk management functions and duties
  • Reporting to the [Directors/Governing Bodies/Oversight Committee]

10. Third Line Procedures

10.1 Audits

To ensure a complete and effective approach to risk management, the Company uses the Three Lines of Defence model, which incorporates an independent auditor/audit committee who review, audit and report to the [Directors/Governing Bodies/Oversight Committee].

The auditor(s) is provided with the budget, tools and resources to carry out independent, unbiased and objective audits of all risks, their identification, assessment, classification and management, as well as assessing and auditing the Senior Management functions and approach. This third line of defence enables us to objectively review our risk management processes and ensure that all areas are operating effectively, adequately and proportionately.

The auditor(s) uses multiple methods to assess and review the functions and employees to ensure the effectiveness of governance, risk management and internal controls. Their remit includes: –

  • Reporting to the [Directors/Governing Bodies/Oversight Committee]
  • Assessing all elements and facets of the risk management framework
  • Reviewing the support and training provided by the managers to employees and the Senior Managers/Compliance Officer to the Managers
  • Reviewing the Risk Register and Mitigating/Corrective Action plans and assessing their ratings and outcomes
  • Auditing the functions and processes in place to reduce/mitigate risk and ensure they are appropriate, effective and adequate
  • Ensuring the reliability and integrity of the management reporting processes
  • Reviewing and ensuring compliance with regulations and laws

[NOTE: If your company does not use the Three Lines of Defence approach or you are too small to incorporate a separate internal audit function – make sure you edit and customise this document to suit your needs and include your actual procedures.]

10.2 Documenting Risk Assessments

The Company details throughout this document how and when the stages of risk assessment are recorded. We understand the need and requirement to document all identification, mitigating actions, risk ratings, reviews and audits and maintain effective and adequate documents for evaluation, pattern analysis and compliance.

It is our aim to fully evidence and demonstrate all aspects of our risk assessments (including DPIAs, for which the documentation requirements are stated in our DPIA Procedures, and AML risks, which are specified in our AML Risk Assessment Document), which are documented in all cases, regardless of the size, scope, nature or rating the risk carries. Ensuring accurate and adequate records enables effective breach management, risk analysis and compliance with our regulatory and legal obligations, as well as enabling us to provide such evidence to supervising authorities or bodies upon request.

11. Responsibilities

The Company will ensure that all staff are provided with the time, resources and support to learn, understand and implement all Risk Assessment and Management documents and related procedures and that departmental managers are supported in completing the Risk Register.

Where the risk involves personal data, the Data Protection Officer is consulted and involved in all decisions and mitigating actions, including making the decision as to whether a risk should be escalated to the Data Protection Impact Assessment screening questions stage.

Where the risk is related to financial crime, the Money Laundering Reporting Officer or Nominated Officer is consulted and involved in all decisions and mitigating actions.

12. Associated Documents

The Company has a robust and defined document control system with policies, controls, procedures and measures for all business, contractual, legal, statutory and regulatory requirements. Some policies overlap with other functions or activities, with the below documents needing to be read and used in conjunction with our Risk Management Policy & Procedures: –

  • Data Protection Policy & Procedures
    • Privacy by Design & Security of Processing
  • Data Protection Impact Assessment (DPIA) Procedure
  • Breach Management & Incident Reporting Policy & Procedures
  • Information Security Policy & Procedures
    • Access Control Policy
    • Audit & Monitoring Policy & Procedures
    • Business Continuity Plan
  • Anti-Money Laundering Policy & Procedures
    • AML Risk Assessment
    • AML Checklist
  • Due Diligence Policy & Procedures
    • Due Diligence Questionnaires & Checklist