At Great Places, we recognise that risk management, whether this relates to positive (opportunity) or negative (threat) risks, is not only a regulatory requirement but is an integral part of everyday business.
Our Code of Governance gives the Board ultimate responsibility for establishing, overseeing and reviewing systems of internal control and establishing and overseeing a risk management framework. This involves approval of our Risk and Assurance Strategy, agreeing our Risk Appetite Statement and ensuring that all decisions are made in line with this statement. Detailed scrutiny and evaluation of the risk management and internal controls framework are delegated to the Audit and Assurance Committee and the terms of reference reflect this duty, linking closely to the internal and external audit provision, and the assurance provided by internal and external specialists as required.
Risk management and assurance are complementary processes linked to the effective governance of the organisation. Risk management provides assurance to the Board that all material threats to the business have been identified, evaluated and mitigated. Mitigations may involve treating the risk to lessen the likelihood or impact, tolerating the risk as an unavoidable matter, transferring the risk to a third-party specialist, or terminating that activity that triggers the risk. Assurance sources provide confidence that controls are adequate and effective, and that mitigation plans are proportionate and offer good value for money. Our approach has matured significantly in recent years, with the Board and the Audit and Assurance Committee pivotal in driving risk management. This is framed around the three lines of assurance model and pulled together via our Assurance Map. Our risk management process is framed around three key stages: risk identification, risk assessment and risk mitigation.
The financial threats to the organisation brought about by the current operating and political environment require a sound, strategic approach to risk management. We continue to use sensitivity and stress testing, including multi-variate tests, to model scenarios which push us out of our tolerance limits or challenge our financial “golden rules,” using control measures and mitigating activities to address these. Board is pivotal to these discussions and the determinations made around financial mitigation strategies.
Any risks that fall under the ESG remit are reflected in our corporate risk register and monitored monthly by our leadership team. Risks are owned at Director level, and Board are sighted at every meeting on the control framework and plans for further mitigation activity.
Where appropriate, risks in this space will also be covered under our ‘three lines of defence’ approach to assurance and picked up in the internal audit programme. The risk register identifies the control framework in operation to mitigate risks, and any further actions that are planned to reduce either the likelihood of the risk crystallising, or the impact to the organisation should that happen.
