Risk Management Framework

Risk management at StreetGames is all about managing our threats and opportunities. By managing our threats effectively we will be in a better position to deliver our objectives. By managing our opportunities well we will be in a better position to provide improved services to our network and other partners, and will be closer to achieving our mission and goals.

Risk in this context means something happening that may have an impact on the achievement of our objectives. When we manage risk well it often goes unnoticed; however, when we fail to manage risk well the consequences can be significant and high profile. Effective risk management at all levels of the organisation is needed to prevent failures.

A risk management framework is an essential component of StreetGames’ internal controls and governance.

This risk management framework describes StreetGames’ underlying approach to risk management, and documents the roles and responsibilities of the trustees, senior managers and staff. It also outlines the key aspects of the risk management process and identifies the main reporting procedures and opportunities for trustees to receive assurances.

Effective risk management involves the whole organisation and all members of staff should be aware of the principles set out in this document. This is achieved through training received at induction and specific training for managers new to the organisation.

Overall, the goals of our risk management framework are to have procedures in place to:

  • Integrate risk management into the culture of StreetGames
  • Manage risk in accordance with best practice
  • Fully document major threats and opportunities
  • Clearly identify risk exposures
  • Implement cost effective actions to reduce risks
  • Ensure conscious and properly evaluated risk decisions
  • Provide adequate assurances to trustees of effective management of risk

StreetGames’ Risk Management Framework – Roles and Responsibilities

The Framework is formed around four Lines of Defence as follows:

  • First line: The first line of defence includes the overall risk management systems and control frameworks, incorporating controls over operational processes and outputs. Risks are managed and controlled day-to-day by, and assurance comes directly from, those responsible for delivering specific objectives or processes, who are well trained, know the organisation, culture and day-to-day challenges.
  • Second line:  The second line of defence relates to review by management or specialists that is separate from day-to-day operations. It includes risk and compliance reviews, financial controls over operational departments and oversight of operations by senior management and the Board.  The second line of defence introduces a degree of independence and objectivity, as the reviewers are not staff and managers who are operationally responsible for the areas being reviewed. However, the reviewers are still part of the same management team, working with those being reviewed. 
  • Third line: The third line of defence is internal audit activity.  StreetGames does not have a separate internal audit function, but seeks assurance through Link Trustee Reviews or ‘deep dives’.
  • Fourth line: The fourth line of defence is the use of objective and independent assurance, providing reasonable (not absolute) assurance of the overall effectiveness of governance, risk management and controls.  At StreetGames external assurance is obtained as needed and to date has largely been provided via annual statutory audit, Quest accreditation, Cyber Essentials review, Sport England and Sport Wales governance assessments etc.

Further details of the StreetGames Risk Assurance Framework can be found at Appendix 1.

Within this Framework, the key roles of the Board and Senior Management are as follows:

Role of the Board

The Board’s role in the management of risk is to:

  • Set the tone and influence the culture of risk management within the organization, including deciding what types of risk are acceptable and which are not, and setting the standards and expectations of staff with respect to conduct and probity.
  • Consider major decisions affecting StreetGames’ risk profile or exposure
  • Monitor the management of significant risks to reduce the likelihood of unwelcome surprises or impact through the Audit Committee.
  • Regularly review StreetGames’ approach to risk management and key elements of risk management processes and procedures.

Role of the Audit Committee

The Audit Committee’s role in the management of risk is to:

  • Satisfy itself that significant strategic risks have been identified and are appropriately managed and monitored.
  • Satisfy itself that the less significant risks are being actively managed, with the appropriate controls in place and working effectively.
  • Undertake appropriate activities to provide assurance to the Board that risks are correctly identified, that suitable controls and mitigating actions are in place and that they are operating as expected.

Role of StreetGames’ Senior Management

The role of the Executive team and Senior Managers is:

  • To take overall responsibility for the administration and implementation of the Risk Management process
  • To identify and evaluate significant risks faced by StreetGames to be considered by the Board/ Audit Committee
  • To ensure appropriate controls are in place to manage the risks identified
  • To provide appropriate information on the status of risks and controls
  • To contribute to the development of the Risk Management Framework
  • To disseminate detail of the Framework and ensure it is implemented throughout the organization

StreetGames’ Risk Management Framework – Assessing and Addressing Risk

There are four linked elements to the Framework – identifying, assessing, addressing and reviewing and reporting on our risks.

Identifying Risks

Risks are assessed in terms of how likely they are and the size of the impact should they occur. StreetGames views many risks as opportunities to be embraced and not just threats to be avoided.

Risk Registers will be maintained at two levels across StreetGames:

  • Operational risks are identified by each team or programme area.  Each operational area has its own risk register.  Risks are elevated to the Strategic Risk Register by the Organisational Health Team in discussion with the Executive Management Team on a quarterly basis.
  • Overall responsibility for identifying other strategic and organisational wide risks for inclusion in the strategic register rests with the Organisational Health Team.
  • Risk registers are working documents and a key source of internal control and governance.  The identification of risks is an ongoing task and all staff and Trustees have a part to play.

Assessing Risks

To assess risks we identify the impact of a risk should it materialise and give each risk a score rating.

Identified risks should be supported by sufficient narrative to outline the potential causes that may lead to the crystallization of the risk and the effects to which the organization will be exposed.  The detail of this narrative will be key in assessing the adequacy of existing controls and directing any further mitigation activity.  The assessment of risks will include the consideration and documentation of contributing factors, to clarify the basis for the risk.

For each identified risk StreetGames will determine its Gross and Net Risk Exposure.

The Gross Risk Exposure is the inherent exposure that would be faced by the organization if no mitigating controls were in place.

The Net Risk Exposure is the residual exposure faced by the organization if mitigating controls established are assumed to be operating effectively.  The anticipated effectiveness of control measures or mitigation will be assessed as high, medium or low (H/M/L).

To ensure that attention is focused on addressing the most important risks a standard risk management approach is used that gives each risk a relative score, depending on a combination of its likelihood and its impact.

Likelihood

When assessing the likelihood, it is important to consider the frequency of occurrence which would materially affect StreetGames.  We have defined the following assessment criteria as a guide:

| Assessment | Description |
|---|---|
| 1 – very low | Less than 1% and unlikely to occur in the foreseeable future |
| 2 – medium | Less than 40% chance.  The event may occur at some time |
| 3 – high | Likelihood greater than 40%.  There is a strong possibility that the event or risk will occur |
| 4 – very high | Likelihood greater than 75%.  The event is very likely and expected to occur in most circumstances. |

Impact

Impact can be measured across a range of indicators and the following assessment criteria provide an indication as to the potential risk score. Note, these criteria are meant to be a guide only and the impact of each risk should be assessed individually.

| Assessment | Financial | Service quality | Health & safety | Reputation |
|---|---|---|---|---|
| 1 – very low | less than 1% of budgeted surplus | marginally impaired; a slight adjustment to service delivery required | minor injury | minimal effect |
| 2 – medium | up to 10% of budgeted surplus | impaired, leading to changes in service delivery required to maintain quality | injury requiring hospital treatment | damage is uncomfortable for the organization |
| 3 – high | up to 50% of budgeted surplus | significant reduction in service quality expected | serious injury | damage occurs with key stakeholders |
| 4 – very high | more than 50% of budget | cannot be maintained such that there is a need to reassess corporate priorities | fatality/ long-term hospitalisation | irrecoverable damage occurs with key stakeholders |

For ease of understanding, the resultant risk exposure (the product of likelihood x impact score) is prioritized utilizing a RAG rating as follows:

Attention will naturally focus on those risks with a higher net score, but all risks require some level of response.  Risks with low likelihood but very high impact will also need special attention.

Addressing Risks

Having identified and assessed the risks we follow the 4 Ts approach for risk response as follows:

Transfer the risk: this might be done by taking out insurance or asking a third party to take on the risk in another way.

Tolerate the risk: in some instances our ability to take effective action may be limited or the cost of taking the action might be disproportionate to the benefit gained by mitigating the risk. In cases like this the Executive Management Team will “watch” the risk to ensure its status does not change and to take appropriate action if another option to mitigate the risk arises.

Treat the risk: to set out a series of mitigating actions to contain the risk to an acceptable level.

Terminate the risk: taking decisive action to eliminate the risk altogether. Terminating a risk may lead to the creation of new risks.

StreetGames acknowledges the risks inherent in its business and is committed to managing those risks that pose a significant threat to the achievement of its charitable objectives and financial health.  The level of risk that is considered acceptable is nevertheless dependent on the nature of the activity being undertaken.  Guidance on appropriate Risk Appetite levels can be found as follows:

| Appetite Level | Description |
|---|---|
| 1 – Very High | StreetGames accepts risk that is likely to result in significant reputational damage, financial loss or exposure, major breakdown in services, information systems or integrity, significant incidents of regulatory and/ or legislative non-compliance, but excluding potential risk of injury to staff/ participants/ learners. |
| 2 – High | StreetGames accepts risk that may result in reputational damage, financial loss or exposure, major breakdown in services, information systems or integrity, significant incidents of regulatory and/ or legislative non-compliance, but excluding potential risk of injury to staff/ participants/ learners. |
| 3 – Medium | StreetGames is willing to accept some risks in certain circumstances that may result in reputational damage, a degree of financial loss or exposure, disruption to services, information systems or integrity, moderate incidents of regulatory and/ or legislative non-compliance, but does not have the potential to risk injury to staff/ participants/ learners. |
| 4 – Low | StreetGames is not willing to accept risks (except in very exceptional circumstances) that may result in reputational damage, financial loss or exposure, disruption to services, information systems or integrity, incidents of regulatory and/ or legislative non-compliance, or potential risk of injury to staff/ participants/ learners. |
| 5 – Very Low | StreetGames is not willing to accept risks under any circumstances that may result in reputational damage, financial loss or exposure, disruption to services, information systems or integrity, incidents of regulatory and/ or legislative non-compliance, or potential risk of injury to staff/ participants/ learners. |

The table below provides an indication of the most appropriate response based on the Net Risk Management Score and the Risk appetite for the activity concerned:

| Net Risk Score | Very low Risk Appetite | Low Risk Appetite | Medium Risk Appetite | High Risk Appetite | Very High Risk Appetite |
|---|---|---|---|---|---|
| Red 8-16 | Treat / Terminate / Transfer | Treat / Terminate / Transfer | Treat / Terminate / Transfer | Treat / Terminate / Transfer | Treat / Tolerate |
| Amber 4-6 | Treat / Terminate / Transfer | Treat / Terminate / Transfer | Treat / Tolerate | Tolerate | Tolerate |
| Green 1-3 | Tolerate | Tolerate | Tolerate | Tolerate | Tolerate |

Note that each risk needs to be assessed on its own merits and the most appropriate response identified.

StreetGames’ Assurance Framework

Assurance is required where there is a risk that a control or mitigating action is not being implemented such that there is the potential for loss to the organization as a result.  The greater the potential consequence and the more likely it is to happen, the more important it is to have robust assurance that:

  • Plans, policies and procedures are fit for purpose and being operated to
  • Agreed actions are taken to timescale and planned outcomes achieved
  • Performance is in line with expectations
  • Controls are operating as intended
  • Management reports and information are reliable; and
  • Risks are being managed.

The Strategic Risk Register is designed to focus Management and Board attention on Key Risk Themes.  These have been identified by the Board as follows:

  • Network Capability – the ability of our network to operate sustainably
  • Resources – including HR/ Succession Planning/ Equality & Diversity.
  • Funding and Fundraising
  • Finance and financial control
  • Governance
  • Data Protection
  • Safeguarding
  • High Risk Projects as appropriate

For each Key Risk Theme appropriate sources of assurance are provided to the Board and senior management to support the conclusion that identified controls are operating as expected and that risk is being managed as described.

Assurance can come from a range of different sources in accordance with each of the four lines of defence, including:

  • Confirmation that appropriate training is in place and being undertaken by all relevant staff
  • Regular internal reports prepared by internal leads and by senior management
  • Reporting of specific instances of breach (including nil returns)
  • Regular reviews of the StreetGames Balanced Scorecard
  • Regular reviews of Key Risk Themes by Link Trustees
  • Additional Committee resource to scrutinise particular areas of risk – eg Finance Committee/ Fundraising Committee
  • One-off ‘Deep Dives’ by management and Trustees
  • ‘Desk top’ incident response exercises
  • External reports such as external audit, Ofsted and consultants
  • External assessment results such as Quest, Sport England or Sport Wales audits

Link Trustee

The role of the Link Trustee is an especially important one in supporting the maintenance of a robust assurance framework. The objective of the role is to support the Board in fulfilling its responsibility to ensure StreetGames has in place an effective risk management framework by taking specific responsibility for assessing the application of the framework to specific Key Risk Themes.

Expectations of the Role are that the Link Trustee:

  • Develops an understanding of the nature of the key risks faced by StreetGames under the relevant key Risk Theme, along with the controls in place to mitigate the risks.
  • Provides informed challenge to management with regard to the identification of risks and the operation of associated controls.
  • Brings any specialist knowledge of the Risk Theme to contribute to the identification of gaps in assurance.
  • Reports to the Board on at least a biennial basis or more frequently if required as to the level of assurance obtained that the underlying risks associated with the key Risk Themes are being effectively managed (Link Trustee Review)
  • Provides advice and guidance to senior management insofar as his or her own professional expertise allows.
  • Is not expected to take on any managerial responsibilities with regard to the key Risk Theme or for design of controls to mitigate risks.

The Link Trustee Review is not intended to be an onerous role for Trustees, but rather a proportionate and informed challenge to management that contributes to overall Board assurance.  It is expected that it primarily takes the form of a discussion with the relevant Key Risk Theme Owner and any other StreetGames staff who may be specifically involved in delivery or otherwise provide expert input.  The discussion is shaped around a number of key questions and the output is in the form of a written report as set out in the template attached at Appendix 3.

Reviewing and Reporting Risks – Summary

In order to maintain the risk register as a living document a process of review and maintenance is implemented. The review process is as follows:

| Milestone | Annual target date | Led by |
|---|---|---|
| Risk controls and implementation reviewed by Board and Audit Committee | Quarterly | Chair of Audit Committee |
| Risk Assurance Framework reviewed by Board | Triennially | Chair of Audit Committee |
| Key risk review quarterly by Executive Management Team to fall in line with planning process and Board dates | Quarterly | Director of Finance & Resources |
| Project/team review on a quarterly basis to feed into Executive Management Team risk review. | Quarterly | Identified risk owner for each team |
| Management oversight of all strategic risks | At each Organisational Health Team meeting | CEO |
| Risk assessment for each new funding bid | Initial assessment done before bid is submitted. | Director of Fundraising |
| Risk assessment for all significant new funding streams | Upon confirmation of award | Project Lead |
| Add elements to continuity/disaster plans | As required | Identified risk owner for each team |
| Risk management in staff induction | At each staff induction | Director of Finance & Resources |
| Monitoring of individual risks | As identified in the risk register | Risk owner |

1st Line of defence

2nd Line of defence

3rd Line of defence

4th line of defence

WHO

Day to day ‘doers’, managers with a focus on execution/ implementation of business activities

Owners of Departmental and Directorate level operational risks, controls, processes, procedures

Organisational Health Team (OHT)

Link Trustees

Independent third parties or regulators

HOW

Receives guidance, support and direction from 2nd line control and executive functions

Understands personal responsibility for risk management and required processes and controls

Implements risk framework set by OHT

Develops risk /control processes

Provides guidance, support and direction to 1st line control/exec functions

O/g scans horizon/external environment

OHT review 1st/2nd line risk / control man f/works and practices and the reports of the 4th line of defence (ext bodies)

OHT review risk framework and risk matrix on a regular basis to ensure in place, operating and complete.

Link Trustees carry out biennial review of each key risk area

On request of senior management/ Board or as required by regulator

ASSURANCES

Monitors management’s first line controls to ensure they are in place and operating as intended

OHT can with the approval of or on the request of the Board instruct independent third party reviews on specialist areas

Various

ASSURANCES GIVEN

Key controls, frequency of review, date last completed, results and areas of concern provided to Organisational Management Team for inclusion in reports presented to Board

Link trustee reports provided to OHT, Audit Committee and Board

Regular management reports to Audit Committee and Board highlighting areas for concern and actions taken

Reports provided to OHT , relevant committees (eg Audit Committee) and Board

Board/Committee minutes record outcome of reviews and assurances gained

Documentation given

Team and Programme Risk Registers

Strategic Risk Register

Link Trustee reports

Board/committee minutes record outcomes

All external reports

Appendix 1 - StreetGames Risk Management and Assurance Framework

Appendix 2: Risk register template – Updated 2022

| No. | Contributing Factors/ Sub Risks | Gross rating (Impact x Likelihood Score) | Controls and Mitigation | Revised/ Net Rating (Impact x Likelihood Score) | Change since last rating | Board Assurance (date Last Reviewed by Management Team) | Board Assurance (date – last reviewed by Board) | Further Action Required |

Key Risk Theme 1 (Risk Owner/ Link Trustee)

Key Risk Theme 2 (Risk Owner/ Link Trustee)

Appendix 3 – Link Trustee Review Template

Link Trustee Review

Purpose of the Review:
Link Trustee:
Key Risk Theme:
Key Contributing Factors:
The Link Trustee (LT) is asked to consider the risk theme and key contributing factors in the light of StreetGames’s (SG’s) strategy and objectives using appropriate methodologies including: discussion, consultation, review and where appropriate light touch testing.
The LT is asked to:

  • prepare a short paper (c 2 pages) summarising the work done/approach taken in each of the areas for consideration set out below, the conclusions reached, and recommended areas for improvement.
  • summarise below the overall level of satisfaction gained under each of the areas considered: Fully; Substantially; Partially; and Limited (*).
| Areas to consider | Satisfaction Level (*) | Areas for improvement identified (Yes/No)? |
1. Risk identification
After considering the Risk Theme and contributing factors how satisfied are you that the Risk Theme adequately reflects the major risks faced by SG in this area?
2. Risk mitigation
Based on your high-level review how satisfied are you that SG has adequate processes and controls in place to manage identified risks?
3. Monitoring and assurances
How satisfied are you that SG’s Leadership Team regularly and routinely gains assurance that the key processes and controls to manage the key risks are in place and are effective (e.g. regular monitoring of reports and KPIs, external assurance available)?
4. Overall conclusion
In the light of this review, how satisfied are you that in relation to this risk theme, risks are appropriately identified, managed and monitored?
Report attached: Yes/No
Signed:
Date: