Corporate Risk Register – Board approved 21 Sept 2015

Corporate Risk/Tolerability Matrix (Residual Assessment)

Source – HM Treasury

4 – Major / 4 / 8 / 12 / 16
3 – Significant / 3 / 6 / 9 (CR1, 2) / 12 (CR 4)
2 – Moderate / 2 / 4 (CR 3, 5) / 6 / 8
1 – Minor / 1 / 2 / 3 / 4
 / 1 – Very unlikely / 2 – Unlikely / 3 – Likely / 4 – Very likely

Orange Book Oct 04

Key

Extreme risk
High risk
Moderate risk
Low risk

* Definitions of risk categories, likelihood and impact are set out in the Commission’s risk policy

CORPORATE RISK SUMMARY

Status / Risk Ratings Covered
 / Extreme Risk: 12 – 16
 / High Risk: 6 - 9
 / Moderate Risk: 3 – 4
 / Low Risk: 1 – 2

OUTLINE OF CHANGES TO RISKS

Risk No. / Corporate Risk / Inherent Assessment / Residual Assessment / Change since last Board Meeting
CR1 / Public confidence in charities diminished by delays and difficulties in registration and operating the charity register because of poor quality and quantity of applications, inefficient processes, lack of resources, and failure to set appropriate targets. / 4,3 / 3,3 / None
CR2 / Failure to operate our compliance role hampers holding charity trustees to account because of lack of accounting regulations, disproportionate impact of significant cases and poor systems. / 4,4 / 3,3 / None
CR 3 / Failure to promote effective key messages, not learning enquiry lessons and not sharing information effectively result in the public and other stakeholders not being equipped to hold charities to account. / 3,3 / 2,2 / None
CR 4 / Failure to have necessary resourcing (people, budget, systems and facilities) compromises ability to deliver efficient and effective services because of ineffective plans, policies, and performance monitoring. / 4,4 / 3,4 / Increase
CR 5 / Occurrence of poor governance would put the Commission at risk of not meeting legal obligations and good practice because of weak oversight and management assurance arrangements. / 3,2 / 2,2 / None

ANALYSIS OF CHANGES TO RISK RATINGS

Changes to the Register and Action Plan

Since the risk register was approved by the Board in May 2015 various actions have been progressed. To address Risk 1 - public confidence, a range of new measures to address the poor quality of applications have been implemented and a revised registration manual was implemented following adoption by the Board. Additional resource is in place to progress grouped applications.

In terms of Risk 2 - Failure to operate compliance role, draft accounting regulations were reviewed and various feedback passed to the Department, and additional time was allocated to review older enquiry cases and work load priorities.

In terms of Risk 3 - Failure to equip the public and other stakeholders, the publication scheme was reviewed and a revised version agreed by the Board in June. SMT agreed to prioritise the review of the MOU with HMRC.

In terms of Risk 4 - Failure to have necessary resources, following the June monitoring round additional resource and capital was provided, but further pressures have been identified in relation to emerging business needs, particularly given the nature and scale of emerging legal challenges which include the first tribunal work related to registration decisions and consents. Additional resource bids will be made to the Dept. The likelihood of this risk has been increased and the impact of cuts and potential responses are being modelled as part of strategic planning work and will be discussed with managers and staff. Further work with the middle management group as part of a new 3 year strategic plan is intended to further mitigate this risk going forward. The wider issue of the Executive’s overall budget position remains a risk for the Commission as a public sector body wholly funded by grant in aid. The uncertainty created by CCEW’s current review of its future ICT systems provision also increases this risk to CCNI. A future change in provider could render CCEW incapable of continuing to support CCNI’s systems and would have a major impact. However, a change in provider could also benefit CCNI if it were to be compatible with the systems we have already developed through CCEW. Steps to mitigate Risk 4 included submission of the in year bids, carrying out a review of ILM training for middle managers and producing a report detailing actions arising from the organisational culture development programme, which was considered by Commissioners.

In relation to Risk 5 - Poor governance, the Board reviewed a series of governance procedures including terms of reference, code of conduct and standing orders as well as a self assessment exercise. Consultancy work was undertaken with internal audit regarding the attendance management policy.

Assurance Statement

I certify that the related risk management action plan was reviewed by SMT during September 2015, a review of controls and actions was undertaken, and assurance checks completed as necessary.

Signed _________ Chief Executive Date: 21/09/2015

Corporate Risk Action Plan

1 / 2 / 3 / 4 / 5 / 6 / 7 / 8
Identifier / Risk / Business Plan Objective(s) / Inherent Assessment: Impact / Inherent Assessment: Likelihood / Controls in Place / Residual Assessment: Impact / Residual Assessment: Likelihood / Additional Actions Planned, Target Date / Risk Owner
1 / Public confidence in charities diminished by delays and difficulties in registration and operating the charity register because of poor quality and quantity of applications, inefficient processes, lack of resources, and failure to set appropriate targets. Risk Category: Corporate Aim/Reputational. Risk Appetite Low / 1.1, 2.3, 5.1, 5.3, 6.3 / 4 / 3 /
  • Prioritisation policy covering deemed, expressions of interest and special circumstances
  • Policy, procedure and guidance governing registration activities and decision making
  • SMT approved work around to enable additional inputs/roles in registration workflow
  • Pilot process to monitor and address poor applications agreed
  • Monthly SMT performance review
  • Board updates on casework and population of charity register
  • Chief Executive’s report to Board on challenges to registration
  • Monitoring via post registration survey
  • Communications strategy and action plan
  • Publishing our decisions policy.
  • Additional resource to focus on called forward and group applications.
/ 3 / 3 / Enhanced needs in phase 2 CRM workflow reporting covering case and resource time spend by end Q2 - 15/16
Task & Finish group established to develop “Failure to register” policy by end Q3 -15/16
Implement range of measures to address poor quality applications by end Q2 -15/16
Roll out additional elements of new registration manual, scope further change needs to OLAR/OLS and CRM – end Q2- 15/16
UAT for interim Annual Return completed by end Q2 – 15/16
Use CRM to communicate with applicants to ‘discourage them from contacting CCNI for progress updates on registration applications’ by end Q2 15/16. / ICT officer
HCS
HCS
HCS
ICT officer
CM/ ICT Officer

Current Assessment: CCNI is treating this extreme to high risk which is fundamental to the operation of its role as a regulator. The timing and quality of registration applications continues to present obstacles to achieving the volume of registration as envisaged in the Light Touch Review. Additional resourcing allocated to bring forward grouped applications that can be fast tracked has achieved agreement on model documents and purposes with several bodies. The registration manual was revised and staff awareness raising and training have been undertaken. Changes to operating systems will need to be prioritised given available resourcing and the wider ICT strategy agenda.

1 / 2 / 3 / 4 / 5 / 6 / 7 / 8
Identifier / Risk / Business Plan Objective(s) / Inherent Assessment: Impact / Inherent Assessment: Likelihood / Controls in Place / Residual Assessment: Impact / Residual Assessment: Likelihood / Action Planned, Target Date / Risk Owner
2 / Failure to operate our compliance role hampers holding charity trustees to account because of lack of accounting regulations, disproportionate impact of significant cases and poor systems. Risk Category: Corporate Aim/Reputational. Risk Appetite Low / 1.4, 3.1, 3.2, 3.4 / 4 / 4 /
  • High level investigation procedures and various manuals in place and approved by Board
  • Board level panel authorisation of high risk enquiries
  • Liaison with other enforcement bodies and regulators (Charity Commission of England and Wales and Office of the Scottish Charity Regulator ) and HMRC
  • MOUs agreed with HMRC, CCEW, OSCR, PSNI and ISA
  • Programme team capturing learning from each case
  • Permanent legal resource in place to handle legal tests and challenges
  • Review of Tribunal cases and legal costs
  • Chief Executive’s report to Board on challenges in implementing the Act
  • Assurance rec’d from DSD that accounting regs in place by year end.
  • Additional legal resource to assess reallocation of lower risk cases.
/ 3 / 3 / Finalise internal guidance for completion of compliance and monitoring checks by end Q2 – 15/16
Implement recommendations arising from IA 1st and 2nd assignments by end Q2 – 15/16
Develop & publish external guidance on compliance by end Q2 15/16
Monthly review of older cases and workload priorities by end Q2 15/16
Publish thematic report on lessons learnt on Trustee Disqualification by end Q2 -15/16.
Review and feedback on draft regulations by end Q2, plan for guidance consultation by end Q2, contribute to Dept consultation on draft regs by end Q2 – 15/16 / HC&E
SMT
Compliance Mgr
HC&E
EM/ Comms Officer
HCE, Compl Mgr

Current Assessment: The Department has provided initial draft regulations to the Commission and arrangements are well in hand for DSD to consult for 8 weeks in Q3. This will impact considerably on the Commission’s ability to consult on its own related guidance which will start after the Department’s consultation has finished. The delay in providing guidance may attract criticism but should lessen the likelihood of further delays regarding this risk. While the number of statutory enquiries has declined, complexity of the investigations has increased and pressure arising will not diminish until Tribunal processes are exhausted in relation to current cases. These significant cases are testing our resources to the limit and as a result some high profile regulatory cases have not been progressed. In addition, resources continue to be allocated to respond to complaints and lobbying by a small number of disaffected individuals, including FOI and subject access requests from individuals associated with previous investigations.

1 / 2 / 3 / 4 / 5 / 6 / 7 / 8
Identifier / Risk / Business Plan Objective(s) / Inherent Assessment: Impact / Inherent Assessment: Likelihood / Controls in Place / Residual Assessment: Impact / Residual Assessment: Likelihood / Action Planned, Target Date / Risk Owner
3 / Failure to promote effective key messages, not learning enquiry lessons and not sharing information effectively would result in the public and other stakeholders not being equipped to hold charities to account. Risk Category: Corporate Aim/Reputational. Risk Appetite Low / 1.2, 2.3, 3.3, 4.1, 6.2 / 3 / 3 /
  • Monthly Liaison and policy group meetings between CCNI and sponsor branch to address issues arising from responses
  • Policies and procedures governing statutory activities and decision making
  • Communications strategy and action plan
  • Publishing our decisions policy
  • Policy development plan, including timetable to review/amend existing policies and decision making procedures
  • Engagement strategy with sector/other stakeholders
  • Chief Executive’s report to Board on challenges to Commission decisions and press coverage, and challenges in implementing the Act.
/ 2 / 2 / Agreed revised publications policy on section 22 Enquiries to Board by end Q2-15/16
Publication of two pieces of guidance on enquiries by end Q2-15/16
Ongoing press releases in relation to decisions and development of publishing our decisions on webpage end Q1–15/16
Prioritise review of HMRC MOUs by end Q2–15/16
Annual public meeting held by end Q2 -15/16 / HC&E
HC&E
CO
Legal
HCoS/CO

Current Assessment: This is a moderate to low risk which the implementation of the communications plan is intended to mitigate further. Steps have been taken to expand publication commitments to ensure the optimal publication of information in addition to enquiry and thematic reports on compliance and enquiries by year end. The Commission has raised the impact of Tribunal practices on its workload with the Department and is awaiting feedback.

1 / 2 / 3 / 4 / 5 / 6 / 7 / 8
Identifier / Risk / Business Plan Objective(s) / Inherent Assessment: Impact / Inherent Assessment: Likelihood / Controls in Place / Residual Assessment: Impact / Residual Assessment: Likelihood / Action Planned, Target Date / Risk Owner
4 / Failure to have necessary resourcing (people, budget, systems and facilities) compromises ability to deliver efficient and effective services because of ineffective plans, policies and performance monitoring. Risk Category: Corporate Aim/Reputational. Risk Appetite Low / 1.3, 6.2, 6.3 / 4 / 4 /
  • MSFM with DSD and bi monthly Liaison meetings with sponsor branch
  • Governance Framework
  • ARA Committee review procedures and ensure robustness
  • Conflict of interest and Whistle blowing policies in place
  • Internal audit provide advice and guidance
  • Board assessment and Staff Performance Management & Appraisal systems in place
  • Regular Business plan updates to Board, A&R, SMT and DSD
  • Monthly SMT review of Business Plan progress and assurance updates by middle management
  • Engagement of HR& R committee in staff development, TNA process
  • Staffing Handbook approved by Board and assurance processes in place
  • ICT strategy agreed by board.
/ 3 / 4 / Business Plan Progress Report and quarterly Info Assurance return to Dept – end June 15
Progress 1st half of Phase II Strategic Review of HR Procedures to Board by end Q2 – 15/16
Report on implementation of organisational culture development exercise recommendations end Q2 – 15/16
Circulate and collate TNLA forms to inform annual Training plan by end Q2 – 15/16
Implement Project Plan for 2016/19 strategic planning process – end Q2 – 15/16.
Liaise with sponsor branch and IT Assist re management of CRM server memory and operation of disaster recovery / CEX/HCoS
HCoS
HCoS
F&AM
F&AM
HCoS/ICT Officer

Current Assessment: This is an extreme to high risk. Following the June monitoring round additional resource and capital was provided, but further pressures have been identified in relation to emerging business needs, particularly given the nature and scale of emerging legal challenges which include the first tribunal work related to registration decisions and consents. Additional resource bids will be made to the Dept. The impact of cuts and potential responses are being modelled as part of strategic planning work and will be discussed with managers and staff. Further work with the middle management group as part of a new 3 year strategic plan is intended to further mitigate this risk going forward. The wider issue of the Executive’s overall budget position remains a risk for the Commission as a public sector body wholly funded by grant in aid.

1 / 2 / 3 / 4 / 5 / 6 / 7 / 8
Identifier / Risk / Business Plan Objective(s) / Inherent Assessment: Impact / Inherent Assessment: Likelihood / Controls in Place / Residual Assessment: Impact / Residual Assessment: Likelihood / Action Planned, Target Date / Risk Owner
5 / Occurrence of poor governance would put the Commission at risk of not meeting legal obligations and good practice because of weak oversight and management assurance arrangements. Risk Category: Compliance; Finance/Accountability. Risk Appetite Low / 1.2, 1.3, 2.2, 2.3, 3,2, 5.2, 6.1. / 3 / 2 /
  • Governance Framework including Board and committee terms of reference
  • Board annual effectiveness review
  • Audit and Risk Committee review procedures and ensure robustness.
  • Business Continuity Plan
  • Policy Development Plan
  • Internal audit provide advice and guidance
  • Risk policy, risk registers, assurance framework.
  • Regular Assurance to Dept, Board, A&R, SMT
  • Monthly SMT review of progress and assurance updates by middle management
/ 2 / 2 / Bi monthly liaison meetings in Q2 – 15/16.
Quarter 2 – 15/16 stewardship statements by September 2015.
Input from middle managers on business plan progress reporting by end Q2 – 15/16.
Follow up issues arising from 2nd audit by external and internal audit during Q2 – 15/16.
Carry out assurance checks in July/Aug/Sept re Implementation of IA recommendations by end Q2 – 15/16.
Internal Audit consultancy work re attendance mgt and records mgt by end Q2 – 15/16 / SMT
CEX
HCoS
SMT
F&AO
HCoS

Current Assessment: This risk is judged as a high to moderate at this time, informed by briefings and indications of a satisfactory assurance rating from audit. Further comment on the rating will emerge as part of audit’s 2015/16 assignments. Changes to the assurance check mechanism were implemented by staff in Q1, and additional steps to make middle managers and staff accountable as part of assurance checking will continue in Q2.

CEX - Chief Executive, SMT – Senior Management Team, HCS - Head of Charity Services, HCoS - Head of Corporate Services, HC&E - Head of Compliance & Enforcement, PM - Policy Manager, CM – Casework Manager, CO - Comms Officer