Risk Management Policy

INTRODUCTION

This Risk Management Policy forms part of Black Ocean s.r.o.’s governance and control arrangements.

Risk management is not an isolated activity. It is one element together with planning, project and performance management of effective governance and management. The focus is on those risks that could disrupt the achievement of Black Ocean s.r.o.'s strategy.

The purpose of this policy and the supporting guidance is to establish Black Ocean s.r.o.’s underlying approach to risk management by clarifying the roles and responsibilities of the Board of Directors, the Finance and Audit Committee, Senior Management and other staff. It also describes the context for risk management as part of the overall system of internal controls and arrangements for periodic review. It aims to support those staff with particular involvement in anticipating, assessing and managing risks so that they can take timely and well-founded risk-informed decisions.

DEFINITIONS

A risk is commonly defined as an effect of uncertainty on the achievement of objectives. In other words, risks are various events that can affect the achievement of objectives. Risk can have both negative and positive outcomes. Our aim is to manage the adverse effects and turn the risk into value. Risks are an everyday part of our activities. Our operations involve multiple partnerships, challenging environmental, organizational contexts and extensive geographic scope. The realization of our mission and strategy depends on our ability to recognise risks and to define suitable measures for their treatment. Effective risk management is about effective decision- making, not compliance. It is not limited to the identification and mitigation of negative risks, but also enables opportunities to be recognised that may involve some level of risk where they also have the potential to lead to positive outcomes, supporting the overall strategy.

Risk management refers to all activities performed by Black Ocean s.r.o. to anticipate, identify, assess and control the uncertainties which may impact on Black Ocean s.r.o.'s ability to achieve its aims, objectives and opportunities. These will range from organization-wide to specific projects or programmes, to the individual.

The risk management policy aims to demonstrate that Black Ocean s.r.o. is acting appropriately to anticipate risks; to assess risks; to avoid excessive risk; to embrace necessary or desirable risks with appropriate safeguards; that its response to risk, whether by insurance, control measures or avoidance, is proportionate and effective; that responsible staff are equipped to take risk-based decisions with confidence; and that we are intelligent in applying our risk appetite.

THE POLICY STATEMENT

In our work to achieve our ambition, four risks stand out. The first concerns our reputation. Our Mission centers on creating and sharing knowledge and delivering projects that have a real impact. So we must undertake research and knowledge work of the highest quality and secure maximum impact and influence for our activities. As such, our reputation for the quality of our work, our autonomy and ethical and intellectual integrity are of paramount importance. We will be bold in the nature of our work, in our technical thinking, in our methodologies and we will be innovative in how we seek to impact and influence. We will do everything we can to mitigate risks to our reputation.

The second concerns our people. Certain parts of our work takes place online and overseas in locations that are inherently risky. We are responsible for the well-being of our staff. We, therefore, seek to ensure that work with partners overseas and in particular, overseas travel for our own staff, is informed by robust risk assessments and that traveling staff are trained and supported in their individual journeys. We will not require staff to travel or work in areas where we assess the risks to be excessive.

The third concerns our financial position. We will manage our income and control our costs, remain competitive whilst delivering well-managed projects and programmes on time and on budget. We will seek to minimize our financial exposure. We will not compromise our ethical standards to secure funding. We will not undertake work that compromises our financial solvency.

The fourth concerns the impact of our projects and programmes. Many of our services involve partners and collaborators often based online and overseas and/or operating in challenging environments. To do this well, we need to anticipate and manage all project and programme risks at the pre-proposal, proposal and inception stages. We need to make decisions about when to bid for funding and with whom, in good time but often on the basis of imperfect information. We need to be prepared to decide when we will take well-judged risks. when we will support responsible risk-taking and when we will not submit a funding proposal because of the risks. When we do, we must use relevant management information to track progress and identify difficulties. We will support our staff to do this well. We will not undertake work where we assess the financial or delivery risks to be too high. We will not compromise our ethical standards in delivering our work.

PRINCIPLES AND GOVERNANCE

Our risk management approach will reflect the following principles:

• Addressing both value protection and value creation;
• Ensuring that roles and responsibilities are explicit and clear;
• Ensuring that the process for managing risk is fit for purpose;
• Establishing legal compliance as a minimum standard.

And will be embedded in our governance structures as follows:

• As the principal executive and policy-making body of Black Ocean s.r.o., the Board of Directors is responsible for the risk management policy and for assuring itself of the policy’s implementation.
• The Board is also responsible for defining our risk appetite and risk tolerance, ensuring that a sound system of internal control is in place that supports the achievement of policies, aims and objectives while safeguarding the public and other funds and assets for which it is responsible.

RISK MANAGEMENT OBJECTIVES

Black Ocean s.r.o.’s objectives in relation to risk management are to:

• Develop an appropriate risk appetite.
• Adopt good practice in the anticipation, timely identification, evaluation and cost-effective control of risk in carrying out both normal and extraordinary business activities.
• Ensure that adverse risks are either avoided, reduced to an acceptable level, or managed and contained; and to do so in good time and on a continuous basis.
• Support individual members of staff and teams to take appropriate risk-based decisions, encouraging responsible intellectual risk-taking, informed by an understanding of risk and reward and supported by senior colleagues where necessary.
• Ensure business continuity wherever possible and respond effectively when this is threatened.
• Enable a robust audit trail to demonstrate that we are capable of managing risk.
• Focus risk assessment and management on the highest level of threats to our ability to achieve our strategic objectives; and opportunities to promote them.
• Assure funders/investors that there is a robust approach in place to assess and manage risk.

ASSESSING RISKS

Effective risk management requires risks to be anticipated, identified and assessed regularly, and actions are taken to manage the risks, whether these are positive or negative. To support risk assessment and actions to be identified, Black Ocean s.r.o. will develop documentation about each project/programme specifying the country of operation, partner exposure, any key risks (e.g. foreign exchange). It will also develop training and communications tools to support project managers to manage risk.

We face specific operating risks that inform our approach to assessing risks as follows:

• We hold investments and a minimum financial reserve to enable us to manage cash flow and other uncertainties. We will not undertake activities that compromise these.
• We work with and through partners. The quality of our work and our reputation can be affected adversely or positively by the activities of our partners. We will, therefore, select our partners carefully and we will develop a set of partnership principles and criteria to assist in this.
• We work in countries with different regulatory and accounting requirements for INGOs. We will always ensure that we understand these requirements in order to maintain our license to operate to the benefit of our ultimate beneficiaries.

Details of Black Ocean s.r.o.’s approach to assessing risks are set out in the Appendix.

RISK MANAGEMENT FRAMEWORK

Our approach to risk management reflects sector guidance and aims to clearly locate responsibility for identifying and managing different levels and types of risk in a structured way.

In each case, the “owner” of the risk should have in place early warning mechanisms to alert Black Ocean s.r.o. so that remedial action can be taken to manage any potential hazards.

MANAGING RISKS

Risks regarded as high or very high in impact and probability should be identified in advance and a decision taken about whether to continue with the activity and if so, how to manage it to either realize the potential benefits or avoid the potential downsides. Risks change and evolve as projects develop, before bidding and throughout their funded life. Different risks will be managed with a particular focus. Some will be addressed through routine management, supported by Black Ocean s.r.o.’s systems, procedures and policies. Black Ocean s.r.o.’s risk management process has a particular role to play here in providing the forum for regular review of project implementation, including emerging issues that threaten successful delivery.

MONITORING AND LEARNING

We will monitor the risks on the Strategic Risk Register, especially those with a “High” risk score. Clusters/units and departments will be asked to review the operational risks captured in their Registers termly. The Strategic Risk List is kept under review by the Finance and Audit Committee, which meets regularly. It is reported to the Board.
We will learn from our experience of risk management and seek to share issues and ideas with staff to enable them to work effectively in a risk-based manner. This will include learning from those risks that we take on knowingly, where we believe that we could secure significant benefits if the risks are handled responsibly.

ROLES AND RESPONSIBILITIES

The Board is responsible for overseeing risk management with a scheme of delegation to the Finance Resources and Audit Committee and policy implementation by the Director and senior staff. All senior staff are responsible for encouraging good risk management practice within their areas of responsibility and all project managers (researchers and professionals) will need to have regard to risk for the projects that they lead or support.

The Board will:

• Approve the overall policy statement;
• Offer periodic advice on risk appetite and risk tolerance;
• Satisfy itself about the assessment of strategic risks via annual consideration of the Strategic Risk List;
• Monitor the management of significant risks to ensure that appropriate controls are in place;
• Identify any strategic risks that require inclusion or updating in the Strategic Risk List to ensure that it reflects Black Ocean s.r.o.’s overall strategy and operating context;
• Approve major decisions, taking into account Black Ocean s.r.o.s risk profile or exposure;
• Satisfy itself that less significant risks are being actively managed, and that appropriate controls are in place and working effectively to ensure the implementation of policies approved by the Board;
• Review regularly the Institute’s approach to risk management and approve changes where necessary to key elements of its processes and procedures.

The Finance and Audit Committee will:

• Ensure the implementation of the risk management policy and advise on any modifications to the policy;
• Receive advice from the Board on the need for inclusion or amendment of strategic risks in the Strategic Risk List;
• Ensure that adequate information is provided for the Board and its committees, as appropriate, on the status of risks and controls;
• Ensure that an annual report is provided to the Board on the effectiveness of the system of internal controls;
• Ensure that local risk registers in the country offices are reviewed regularly.

The Strategic Management Team will:

• Regularly review the Strategic Risk List and submit this to the F&A committee quarterly and thence bi-annually, to the Board;
• Advise on modifications to the policy;
• Assess the adequacy of internal controls and advise the Board as necessary;
• Decide on risk mitigation where Board or FAC action is not required;
• Advise on Black Ocean s.r.o.’s appetite for risk and its tolerance of risk;
• Inform all its strategic decisions with considerations of risk;
• Ensure other Sub Committees take appropriate steps in respect of risk;
• Keep the overall Strategic framework under review;
• Advise on thresholds for risk assessment in proposals and projects;
• Engage with the Institute’s internal and external auditors on internal controls;
• Ensure appropriate training is available for staff;
• Advise on any supporting policies;
• Advise on thresholds for risk-based decisions;
• Ensure appropriate insurance cover is in place to mitigate risks.

Country Directors, Cluster Directors and Heads of Professional Function will:

• Implement policies on risk management;
• Identify particular risks that arise in their area of responsibility e.g. a data protection breach; an employment relations challenge;
• Develop and maintain a local Risk Register and forward a copy of the Register annually to the CFO and Head of Finance;
• Support their staff to develop and apply risk management principles and tools for individual projects;
• Regularly view risks with their staff and help Project Managers identify and manage risks appropriately.

Project Managers will:

• Identify and manage risks in individual projects;
• Provide input to the local Risk Register and report on progress;
• Support their staff to apply good risk management principles.

Individual members of staff will:

• Take care to apply good risk management practice in their day-to-day work;
• Follow the principles and objectives set out in this policy;
• Follow other policies that contribute to managing risks such as the Social Media Policy and Travel Policy;
• Draw on the guidance from Black Ocean s.r.o.’s risk management process when development project proposals;
• Take part in relevant training where this will help with confidence and capacity in risk management.

INTERNAL CONTROLS

Internal controls encompass a review of the risks inherent in each activity. The Finance and Audit Committee report to the Board on the adequacy of internal controls. As part of its remit, the Committee reviews the work of the Internal and External Auditors and of Black Ocean s.r.o.'s management. The Committee is therefore well placed to advise the Board on the effectiveness of the internal control system.

Currently Black Ocean s.r.o. has an external consultant which it contracts to review and report the effectiveness and reliability of the internal control system.
As part of the annual audit, Black Ocean s.r.o.’s External Auditors will advise the Finance and Audit Committee on the operation of the internal financial controls.

PERIODIC REVIEW

The Board will periodically review its risk appetite and risk tolerance. The Board will also periodically review the effectiveness of the internal control system and in doing so will:

• Review the previous year and examine the Institute’s track record on risk management;
• Consider whether Black Ocean s.r.o. has made the right decisions on risks that are value enhancing and value protecting;
• Consider the internal and external risk profiles of the coming year;
• Consider whether the current internal control arrangements are likely to be effective.

As part of its review, the Board will consider:

• Black Ocean s.r.o.’s objectives and its financial and non-financial targets;
• Black Ocean s.r.o.’s strategic ambitions and progress towards them;
• The management approach to risk;
• The appropriateness of the level of delegation of authority;
• Public reporting;
• Prioritization of risks;
• Timely identification and assessment of risks;
• The ability of Black Ocean s.r.o. to learn from its problems and apply its learning.

APPENDIX

ASSESSING RISKS

Most relevant authorities on risk management advocate two main parameters for assessing risks. The parameters are:

• Likelihood, i.e. how likely is it to happen
• Impact, i.e. how significant might the consequences be
• These almost always focus on risk mitigation and management of the possible/likely “downsides” rather than of the possible/likely “upsides” although the idea of focusing resources on the most risky can apply to risks to be embraced as well as to those to be managed/mitigated.
• Black Ocean s.r.o. will use a traffic light system to assess risk.
• Very low - no significant disruption, adverse publicity unlikely, litigation unlikely financial loss modest; funder/partner relations unaffected.
• Low - short term disruption; careful PR required; litigation unlikely; moderate financial loss; funder/partner relations unaffected.
• Moderate - short term disruption; reputational damage; litigation possible; significant financial loss; funder/partner relations may be affected.
• High - medium-term disruption; adverse publicity; probable litigation and difficult to defend; significant financial loss; funder/partner relations affected.
• Very high - sustained disruption; significant reputational damage; litigation highly likely and costly; significant financial loss; funder/partner relations seriously affected.
• Likelihood:
  • vl very low
  • l low
  • m moderate
  • h high
  • vh very high (as likely as not)

Privacy Policy Cookie Policy Risk Management Policy Terms and Conditions