Risk Management Policy

This document outlines the risk management policy of ComputerMinds Ltd.

Introduction

ComputerMinds

ComputerMinds is a Drupal-only development house with offices in Bristol and Coventry. We have gained a reputation within the Drupal community for delivering high-quality Drupal websites, training and consultancy to a wide variety of clients.

We feel that Drupal offers us as developers an ideal framework on which to build complex content driven websites. We have extensive experience in working with a variety of clients from membership organisations through to large corporates. At the heart of how we work are the requirements of our clients; as such we prefer to take an agile approach to development so we can be better positioned to react to any changes in our clients’ original requirements without having to unduly inflate the budget or extend our time estimates.

We are active members of the Drupal community and regularly contribute back to the Drupal project. We have given a number of seminars and training sessions at Drupal conferences around the world on a variety of topics and sponsored the DrupalCon London 2011 conference. We believe that Drupal provides the best platform for any complex web-based development project; its modular model means it can be extended without affecting the core codebase. This in turn provides us with the robustness and security that makes Drupal such a good solution for the high expectations our clients place on their websites.

Many of our websites contain extremely sensitive information and/or are developed for risk-averse clients, including the public and corporate sectors.

We take risk management very seriously and will always follow best practice.

Risk Management

Risk Management is an important aspect of any project and as a company we have internal policies to ensure that, in the rare event of something going wrong, your project and data remain safe.

The full copy of our Risk Management Policy and Strategy can be viewed below. This policy is intended to provide us with the internal processes to follow to prevent anything from going wrong, and with a safety net should something happen beyond our control. As a final contingency we also hold Professional Indemnity Insurance to cover any damages that may occur as a result of error on our part.

In addition to the policy documents and insurances, all of our code is stored in externally located, version-controlled repositories. These keep the code secure in the event of a disaster and make it possible to revert to a previous stable release should something go unexpectedly wrong.

Support

We offer a range of support options and maintenance agreements as well as client training to minimise risk.

We cannot, however, support the use of external sites, including social media, email programmes, APIs and other applications, nor guarantee their security.

Risk Management Policy

This appendix details our internal approach toward Risk Management, comprising our Risk Management Policy and its associated Risk Management Strategy.

Introduction

The aim of this policy document is to embed risk management at ComputerMinds Limited. This policy document forms the basis for the accompanying Risk Management Strategy document, to help achieve the objective of effective Risk Management. Risk can be defined as:

“The threat that an event or action will adversely affect the Company’s ability to achieve its objectives, perform its duties or meet the expectations of its stakeholders”.

Objectives

ComputerMinds Limited (“the Company”) is committed to implementing a proactive approach to risk management that is based on the following key principles:

  • Risk management activity will be aligned to corporate and business plan aims, objectives and priorities. It will encompass all strategic and operational risks that may prevent the Company from fulfilling its objectives.
  • Risk management is key to the Company’s corporate strategy.
  • The Company will anticipate and take preventative action to avoid risks rather than dealing with the consequences.
  • Risk management is a process to assist in understanding risks and thereby to contribute to improved decision-making. The purpose therefore is not to design out risk, but to manage it effectively.
  • A consistent approach to the identification, assessment and management of risks will be embedded throughout the Company.
  • Risk control and mitigation measures will be effective, appropriate, proportionate, affordable and flexible. Risk controls will not be implemented where the cost and effort is disproportionate to the expected benefits. The Company will commit the necessary resources to implement risk management consistent with the above principles.
  • This policy requires all employees to take responsibility for the cost effective management of risk in all aspects.

Risk Management Strategy

Risk Management is fundamental to any modern organisation and is an issue that all companies have to address if they are to meet the expectations now being placed on them in respect of this discipline. This Risk Management strategy seeks to promote the identification, assessment and response to key risks that may adversely impact upon the achievement of the Company’s aims and objectives. This strategy builds on and replaces the earlier risk management strategy.

Objectives

  • The overall objective of this strategy is to ensure that the Company adopts the best practices in the identification, evaluation and cost effective control of risks to ensure that they are eliminated or reduced to an acceptable level. Also we need to ensure that systems are in place to track and report upon existing and emerging risks that could cause damage to the Company or its stakeholders.
  • To help further embed risk management throughout the Company.
  • To provide reliable information on which to base the annual strategic and operational risk assurance statements.

Roles & Responsibilities

In order to ensure the successful implementation of the risk management strategy, clear roles and responsibilities for the risk management framework and process are needed. These are listed below.

Group/Individuals: Role/Responsibilities

Managing Director

  1. Overall responsibility for ensuring that strategic risks are effectively managed within the Company.
  2. To provide an annual statement of assurance on strategic risks.

Senior Employees

  1. Approving the Risk Management Strategy and Policy on an annual basis.
  2. Receive regular updates of the strategic risk register.
  3. Receive reports from the Managing Director stating whether effective risk management arrangements operate.
  4. Contribute towards the identification and management of strategic and cross cutting risks.
  5. Regularly review the strategic risk register.

Project Owners

  1. Contribute towards the identification and management of operational risks for their projects.
  2. To maintain awareness of and help promote the approved risk management strategy and policy to all staff.
  3. To ensure that risks that have been identified are addressed and mitigated. Those that are scored 7, 8 or 9 are to be addressed urgently.
  4. Ensure that risk management is incorporated into service and project plans.

All Employees

  1. To highlight to management any risks arising and contribute to the control process to mitigate the risks to an acceptable level.

Risk Identification Process

Managers should concentrate on events that might affect the Company’s achievement of its objectives. Strategic risks linked to the Corporate Objectives and Operational risks linked to service and project plans need (as a minimum) to be identified and monitored.

Different Types of Risk

  1. Strategic Risks – The Strategic Risk Register is the means used to record, monitor and report the Strategic risks. Possible examples are:
    1. Economic: Affecting the ability of the Company to achieve its commitments.
    2. Technological: The ability to identify technological changes and to use technology to meet changing demands.
    3. Legislative: The ability to meet the legislative demands affecting the Company.
  2. Operational Risks – Operational risks are those that could prevent achievement of Operational Objectives, as stated in service and project plans. Only those risks that are of a concern need recording and monitoring. However, these should include contingency or disaster recovery plans. Possible examples are:
    1. Professional: Associated with the professional competence of Company employees and the recruitment and retention of staff.
    2. Financial: Associated with the financial resources and related controls.
    3. Legal: Relating to potential breaches of legislation.
    4. Physical: Related to physical damage, security, accident prevention and health & safety.
    5. Technological: Associated with reliance on operational equipment.
    6. Clients: Associated with the ability to engage all our customers and the identification of their changing needs and related issues of equality.
  3. Cross Cutting Risks – All involved in the risk management process should consider whether any Corporate/Operational activities result in cross cutting risks on other areas of the Company. The relevant management should liaise to determine the appropriate method of treating any cross cutting risks.
  4. Projects & Contract Risks – All new projects and contracts should have had their various risks considered before being approved. In the case of a contract, the Managing Director is responsible for ensuring relevant risks have been considered.
  5. Partnership Risks – Before any significant partnerships are entered into, their risks should be assessed and, where unacceptable, mitigating controls put in place. The partnership risks should be reviewed periodically, and assurances obtained about the management of these risks, by the Managing Director.
  6. Financial Risk – Loss of income or greater expenditure than anticipated is the primary risk identified and measured. However, this is just one of several different types of risk that can be measured. It is not just the impact of an event happening in financial terms that needs to be evaluated, but also the potential damage that such an event could have upon other things such as the reputation of the Company.

Risk Financing

Management should consider if and how insurance could be used to mitigate risks. The three options available are:

  • Retention – internal (insurance) sources of funds.
  • Transfer – external (insurance) sources of funds.
  • Hybrid – internal/external (insurance) sources of funds.

Analyse the Risks

Once risks have been identified, they will be included in the risk register, which will identify the risk owner and the steps being taken to mitigate the risk. Each service area will need to “own” their part of the risk register.

RISK MODEL: A consistent method for determining whether a risk is material to a specific activity has been established (see below) to assist in the assessment of the materiality, the likelihood and the potential impact, both in terms of financial and reputational damage. We will use the standard approach of giving each risk a relative score, depending on a combination of its likelihood and its impact, as shown below. Using a traffic light coding system enhances the significance of the scores within the risk assessment matrix. Risks within the 3 top right hand squares of the matrix (scores 7, 8 and 9) will be coded “Red”, the 3 bottom left hand squares (scores 1, 2 and 3) will be coded “Green” and the squares in between (scores 4, 5 and 6) will be coded “Amber”.

Risk assessment matrix (rows: Impact on Services; columns: Likelihood of Occurrence):

                        Likelihood of Occurrence
Impact on Services      LOW     MEDIUM     HIGH
HIGH                     6        7         9
MEDIUM                   3        5         8
LOW                      1        2         4

To encourage consistency, a simple 3 x 3 “Risk Model” or map is used, to score the identified risks in terms of likelihood and impact. A broad definition for each element of the grid is shown on the model to assist scoring. Although scores are always judgemental, they should be soundly reached, and a guideline is shown below:

Score   Frequency of Review   Risk Impact
1       n/a                   No action necessary.
2       Quarterly             Monitor as necessary - ensure being properly managed.
3       Quarterly             Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties.
4       Monthly               Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties.
5       Monthly               Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties.
6       Monthly               Important risks - may potentially affect provision of key services or duties.
7       Immediate             Key risk - may potentially affect provision of key services or duties.
8       Immediate             Key risk - may potentially affect provision of key services or duties.
9       Immediate             Immediate action needed - serious threat to provision and/or achievement of key services or duties.

Risk Register Contents

The identified risks, once analysed and scored, should be recorded in a risk register. There should be one risk register for strategic risks known as the Strategic risk register and a risk register for operational risks. The Register will contain details of the following:

  • The Risk description
  • The Gross Risk Score
  • Risk Owner
  • Action required

Frequency of Risk Register Reviews

The Strategic Risk register will be reviewed by the Management Team on a quarterly basis i.e. at the end of June, September, December and March. The Operational Risk registers will be reviewed at least twice during the year.

Effective Arrangements for Risk Management

  1. The Strategic Risk register to be reviewed at least four times in the year.
  2. Operational Risks to be reviewed at least two times per year.
  3. If the risks considered by the Operational Risk group are scored a 7, 8 or 9, they will be considered a Strategic Risk and will need to be added to the Strategic Risk Register.
  4. All service areas to adopt the strategic risk register template for undertaking risk assessments for their service areas.

Benefits

Amongst the benefits that the Company will gain from this formalised risk management process are:

  • A fully documented representation of all its key risks and the actions being taken to mitigate them.
  • Better understanding of risks and exposures faced by the Company.
  • Greater ownership by managers of risks and their systems of internal control.
  • Integration of risk management into systems and project based development and contracting and partnership arrangements.
  • Efficient and effective integration of recovery and contingency plans.
  • More focussed use of insurance as a method of transferring risk.

Conclusion

It must be realised that “risk management” does not, and must not, operate in isolation. The identification of risks and the controls put in place to mitigate threats from these risks have many links with Corporate Governance and Business Continuity Management.