Royal College of Psychiatrists
Risk Management
Purpose of paper
The purpose of this paper is to provide the Trustees of the College with the necessary data to fulfil their obligation to consider, and actively manage, any risks to the College’s operation. The first section of the paper reviews the issues in general. Appendix 1 comprises a summary of a review carried out by the Senior Management Team in March 2014. Risks have been identified and strategies to minimise these have been detailed. The Trustees should satisfy themselves personally concerning the issues identified and should draw attention to any further areas of concern.
Introduction
1. The Royal College of Psychiatrists is a registered charity and as such is supervised and monitored by the Charity Commission. The Charity Commission Statement of Recommended Practice entitled “Accounting and Reporting by Charities” (SORP 2005) requires a report each year on the College’s activities to demonstrate that Trustees are managing these activities effectively. Legal effect is given by the Charities (Accounts and Reports) Regulations 2005.
2. SORP 2005 is mandatory for the College’s accounts and requires Trustees to include a statement regarding risk management in their annual report. This requirement goes beyond ensuring that the College has adequate insurance to cover financial risk but also extends to all areas of operation including risks to the College’s reputation.
3. Trustees can be held personally liable for losses incurred by their charity and it is therefore important that they identify, consider and manage potential risks. This paper serves to provide a framework for the risk analysis process so that Trustees can consider the work to be done in order to make the statement required by SORP (2005).
The Requirement
4. Paragraph 45 of SORP (2005) states that the Trustees’ annual report should include “a statement confirming that the major risks to which the charity is exposed, as identified by the Trustees, have been reviewed and systems or procedures have been established to manage those risks”. (my highlights)
What is risk?
5. For charities, risk can be defined as any event or action that may adversely affect an organisation’s ability to achieve its charitable objectives and execute its strategies. Risk is not confined to just the financial affairs of the College but extends to all areas of operation. The approach to risk management should be proactive rather than reactive and involves identifying risks and devising a strategy to deal with them. Potential risks are prioritised by probability and impact. The option may be to accept the risk, transfer it to insurers, reduce it by changing procedures or minimise its impact with contingency planning. Trustees are required to demonstrate that systems of internal control are in place and that their effectiveness is reviewed regularly.
The RCPsych Objectives.
6. The College’s strategic objectives are specified in its Strategic Plan 2012 – 2015 as follows:
The Royal College of Psychiatrists promotes mental health by:
· Setting standards and promoting excellence in psychiatry and mental healthcare
· Leading, representing and supporting psychiatrists
· Working with patients, service users, carers and their organisations
Types of risk.
7. Risks may be external to the College such as political or economic changes or internal such as failure in operational management, financial controls or inadequate information systems.
8. Risk can be defined under the following headings. Some risks may be relevant to more than one category.
(a) Strategic risk.
Threats of a strategic nature could include changes in government policy, competition within the sector, loss of image or reputation, and conditions which render College services obsolete.
Examples might include the setting up of a competing organisation, loss of a major funder such as Department of Health funding, regulatory breaches leading to prosecution and heavy fines, adverse public relations causing loss of confidence and/or mass resignations of members, industrial action and economic change.
(b) Operational risk.
This will cover all day to day operational risks such as health and safety, fraud, sickness absence, loss of key personnel, fundraising risks, failure of IT systems, poor governance and breaches of legislation.
Examples might include breaches of health, safety or employment law leading to action by the regulator, prosecution and heavy fines or employment tribunal awards or damages awarded following legal action. Losses resulting from a major fraud. Adverse publicity and public relations issues. Flu pandemic.
(c) Financial Risk
Financial risk includes loss of revenue streams, investment losses, failure to safeguard assets and any risks that affect financial security.
Examples might include: any severe adverse financial impact such as loss of College investments due to downturn in financial markets, significant loss of membership subscription income for whatever reason, loss of publications income due to changes in technology, significant reduction in the number of candidates sitting the College exam or large deficits on meetings and conferences. The level of financial tolerance referred to in this paper will determine which of these risks may be considered major. Such losses could be mitigated by cutting back on services and associated costs.
(d) Hazard risk.
This includes many of the risks that are insurable such as fire, flood, explosion, weather related, motor and employer’s liability. A copy of the College’s Summary of Insurance can be made available for information if required.
Examples might include: risks identified as covered in the Summary of Insurance. However, we should be aware of policy exclusions and deductibles and the fact that some risks are not insurable.
9 Essential Components of a risk management plan include:
(a) Identifying risks in each area.
10. The risk analysis process will require the setting of a financial tolerance level, i.e. a figure that the College could lose without it having a severe effect on its continuing operations. This level would define the criteria of major risk under SORP 2005 and has been set at £500,000.
(b) Ensuring Corporate Governance and Internal Control.
A charity’s system of internal control will have as its principal aim the management of risks that are significant to the fulfilment of its charitable objectives in order to safeguard its assets and ensure that its objectives are fulfilled. Internal control will include having good financial and operational systems in place, reporting of management accounts and annual audits, having suitably qualified and experienced staff and advisors, segregation of duties, written financial procedures and regulations, banking procedures and signatories, control over expenditure and purchases and College wide budgetary control.
Such a system exists within the College and its components are reviewed each year as part of the annual audit. Sound systems of internal control and audit are an essential complement and provide a foundation for proactive risk management within the College.
(c) Defining Disaster Recovery Procedures
The College has a Business Continuity Plan, approved by Trustees, that is reviewed annually and filed offsite at the Scottish Division office. This detailed plan covers business continuity and crisis management and is an essential complement to risk management within the College. A separate plan exists for Divisional Offices.
(d) Ensuring an appropriate Reserves Policy.
The College’s reserves policy as stated in its audited accounts provides sufficient funds to cover 2 months expenditure and serves to support operations in the medium term should a risk materialise.
(e) Negotiating adequate Insurance Policies
Refer to the “Summary of Insurance” for details of policies and cover.
Future strategy.
11. Having identified potential risks they must be prioritised by probable impact and likelihood. Some risks may be retained as acceptable. Taking appropriate action to mitigate their effect may reduce others. Some risks may (or will already have been) transferred to insurers.
12. Risks should be reviewed periodically and the risk management strategy revised with action reported back to Trustees and management. Wide ownership of this review by Trustees and management should ease the process and make it more effective. The creation of an Audit Committee and internal audit function within the College to monitor internal control and risk management should reduce risk.
13. The Senior Management Team has considered the possible major risks. This group was of the opinion that major risks (above £500,000) could arise from the issues noted in the Appendix which has been ranked in order of likelihood and impact. The anticipated major risks will continue to be reviewed on a regular basis.
14. Identifying significant risk should be a part of the assessment of all new College initiatives in addition to other considerations such as finances and manpower etc.
Suggested statement for the Trustees Report.
15. The Trustees assess annually the major risks to which the Royal College of Psychiatrists is exposed, in particular those relating to the specific operational areas of the College, its investments and its finances. The Trustees believe that by monitoring reserve levels, by ensuring controls exist over key financial systems, and by examining the operational and business risks faced by the College, they have established effective systems to mitigate those risks.
Paddy Padmanathan
Director of Finance and Operations.
May 2014
4