My view – The importance of a risk management policy

Monday 26 April 2021

Effective risk management is critical to ensure an organisation maintains its services, progresses towards achieving its strategic aims, and provides assurance it is operating on sound corporate governance principles.

In accordance with the Account and Audit (Amended) Regulations 2015, part of an internal control framework is a system for managing risk.

A public service organisation must identify, analyse and prioritise risks, as well as manage and control risks in a cost-effective manner to maximise the quality and efficiency of its service provision and protect its reputation.

Risk management is about being risk aware and finding the approach that best minimises threats and maximises opportunities. The key is to identify what those risks might be and how to accommodate them in our activities. A risk management policy outlines how this will be done.

The aims of a risk management policy are to:

  • Explain how to manage and identify risk.
  • Have a formalised, coordinated, and consistent approach to managing risks that is understood by all staff.
  • Inform policy, strategic planning, and operational decisions by identifying key risks and their likely impact.
  • Preserve and enhance the effectiveness of service delivery.
  • Minimise loss, disruption, damage, and injury and reduce the cost of risk, thereby maximising resources.
  • Embed a risk management culture, reducing bureaucracy and improving efficiency and effectiveness.

The Authorised Professional Practice (APP) National Decision Model (NDM) and Risk APP used in policing provide a default decision-making tool and framework for managing risk. They are informed by the College of Policing’s ten risk principles.

Intelligence, performance, risk, environmental scanning, and consultation all inform the strategic assessment to identify threats, harm and risk facing an organisation. Tactical plans can be developed from this assessment.

Strategic MoRiLE (Management of Risk in Law Enforcement) is used for risk assessment of thematic areas such as child sexual exploitation and abuse (CSEA). Tactical MoRiLE is used for specific operations and investigations.

The policy should establish an infrastructure to support effective risk management.

Information on risks should be gathered, acted on, and escalated where appropriate, consistently and efficiently to respond to new emerging issues and threats.

Risk management should be an integral part of a performance management framework by gathering information and taking appropriate management decisions based on our interpretation of our risk controls.

The organisation should deliver a programme of training that builds the skills and expertise necessary to manage risk, and ensure risk management is embedded in induction courses and other relevant training.

Everyone has a responsibility to manage risk and to ensure it is discussed and, if appropriate, recorded in the most appropriate place. However, several individuals and groups have some key accountabilities. Their roles and responsibilities should be defined within the policy, along with a risk escalation infographic.

Your policy should also refer to and comply with other risk management standards and legislation, including:

  • Civil Contingencies Act 2004
  • APP National Decision Model
  • APP Risk
  • Delivering Good Governance in Local Government 2016
  • Orange Book 2020
  • BS 31100:2011 Risk Management British Standard Code of Practice
  • ISO 31000:2018 Risk Management Guidance.

It should also link to other related policies to show the golden thread. These can include an organisation’s business continuity policy, and information sharing and information security policy.

Risk management supporting guidance can be linked to the policy to explain definitions and give hints and tips on the practical application of the risk management policy.

Guidance is not mandatory but supports staff coaching, learning and development. Typically this includes:

  • Why manage risk introduction
  • Definitions
  • Risk management group members and terms of reference
  • Risk architecture, risk framework and flowchart
  • Risk management framework and process
  • Monitoring and review
  • Glossary.

The policy and supporting guidance should be reviewed regularly to ensure they remain fit for purpose. This would normally be done by the organisation’s risk management group and completed at least annually.

Beverley Nichol-Culff is Head of Risk Management and Insurance at West Yorkshire Police, and a Board Director and the Blue Light Lead for ALARM.
