Risk management policy

1) Introduction

The National Portrait Gallery recognises that the effective management of risk and opportunity is central to its ability to achieve its aims and objectives. This document outlines the principles underpinning our approach to risk management, the risk management process, and the responsibilities of all staff for risk management. The policy can be found on the staff network at Risk Management Policy (Apr 2009).doc.

2) Scope

The Chair of Trustees, the Chair of Audit and Compliance Committee, members of Senior Management Team and Heads of Section should be familiar with this policy and all other Trustees and staff should be aware of it. The aim of the policy is to ensure that all staff are aware of the Gallery’s risk management framework and how risk should be managed in the Gallery.

3) Definitions

Governance is the process by which stakeholders (staff, Trustees and bodies to which the Gallery is accountable) articulate their interests, their input is taken on board, decisions are taken and decision-makers are held accountable. Good governance will give management the freedom to take the organisation forward without undue restraints and ensure this freedom of management is exercised within a framework of effective accountability.

Risk management is the culture, processes and structure that are directed towards the effective management of potential opportunities for and threats to the Gallery.

Risk is something which could:

  • have an impact by not taking opportunities or not capitalising on the Gallery’s corporate strengths,
  • prevent or hinder the achievement of the Gallery’s objectives,
  • cause financial disadvantage, i.e. additional costs or loss of money or assets; or 
  • result in damage to or loss of an opportunity to enhance the Gallery’s reputation.

Statement on Internal Control is the mandatory annual statement made jointly by the Chair of Trustees and Director in the Annual Report and Accounts, confirming that the Gallery has maintained a sound system of internal control throughout the year.

4) Legal Basis

The Gallery’s responsibilities in relation to risk management and the annual Statement on Internal Control are set out in Chapter 4 of Managing Public Money, and in the Gallery’s Management Statement and Financial Memorandum agreed with DCMS.

5) Statement of Principles

The Gallery aims to anticipate and, where possible, avoid risks rather than dealing with their consequences. The purposes of the Gallery’s risk management processes are to help managers make informed choices which improve the Gallery’s performance by informing decision-making and planning; promote a more innovative, less risk averse culture in which taking calculated risks in pursuit of opportunities to benefit the Gallery is encouraged; and integrate risk management into the day-to-day decision making processes.

The improvements and benefits which effective risk management should provide are:

  • an increased likelihood of achieving the Gallery’s aims, objectives and priorities;
  • more efficient allocation of resources, by focusing on the key cost effective controls;
  • giving an early warning of potential problems; and
  • providing everyone with the skills (after specific training if necessary) to be confident decision-makers.

General Principles

All risk management activity will be set in the context of the Gallery’s corporate aims, objectives and organisational priorities, with the aim of protecting and enhancing the reputation and standing of the Gallery. The following general principles will underpin the Gallery’s risk management processes:

  • Evaluation of risk will form part of strategic and business planning, and investment and project appraisal (including working with other organisations).
  • Risk management will be founded on a risk based approach to internal control, to ensure that the application of internal controls is proportionate to the risk the controls are designed to manage.
  • The Gallery’s risk management approach will inform the Gallery’s work to improve the reliability of organisational systems and will form the principal means by which the Director gains direct assurance for the Statement on Internal Control.
  • Managers and staff at all levels will have a responsibility to identify, evaluate and manage or report risks, according to a consistent and comprehensive risk management framework (see below), which sets the context in which risks are identified, evaluated, controlled, monitored and reviewed.
  • Ownership of risk is allocated to individuals best placed to manage the risk – i.e. they have the authority and necessary resources to manage the risk.
  • The Gallery will foster a culture which spreads best practice, lessons learned and expertise acquired from risk management activities across the Gallery.


NPG Risk Management Framework

Stages in the NPG Risk Management Framework

1 Clarify Objectives

Having a clear set of objectives is essential to recognising the key risks that might prevent the achievement of these objectives. This includes not only the Gallery’s strategic objectives, but also to any key departmental objective or programme. Everyone involved should be clear: what needs to be done, by when, and who is accountable for delivery.

2 Identify Risks to achieving objectives

Gallery procedures require risk identification as part of our strategic and business planning, programme and project management. Risks should be defined fully and clearly. Think in terms of the cause and effect and scope of the risk. Risk identification should not be confined to the initial stages of a project, but should be an ongoing and systematic process to identify the risks most likely to affect the achievement of objectives at the current stage of the project’s life.

3 Assess the risks

This involves assessing the probability (or likelihood) and impact of individual risks and assigning a risk rating (in accordance with the Gallery’s risk appetite – this is attached at Appendix 1) to determine their severity and how we should respond to the risk. The following table indicates the level of response required from management for risks rated at Extreme, High, Medium or Low. Guidance on how to evaluate risk and apply a risk rating to it can be found on the staff network. The risk appetite and the criteria used to evaluate the impact and probability of a risk are reviewed by Trustees on a regular basis.

Assess the risks

Extreme risk

  • Mitigating action must be considered as first response. The Gallery is seriously concerned about this risk
  • Business plans and individuals’ objectives must reflect action to manage the risk. Comprehensive action is required
  • A full contingency plan should be in place and a review date agreed by risk owner
  • Risk owner normally at Senior Management Team level
  • Heads of Department must initially alert Senior Management Team of an extreme risk and regularly report its management to the Director

High risk

  • Mitigating action must be considered as first response.
  • Business plans and individuals’ objectives must reflect action to manage the risk. The Gallery is concerned about this risk.
  • Outline contingency plan should be prepared by an agreed deadline, and further review date agreed by risk owner. Some immediate action is required
  • Risk owner normally at Senior Management Team level.

Medium risk

  • Consider need for mitigating action, subject to other departmental plan priorities. The Gallery is uneasy about this risk
  • Consider need for a contingency plan. 

Low risk

  • The Gallery is content to carry this risk
  • No current action required, but keep under periodic review


4 Determine the appropriate response to each risk

Effective risk management is not about avoiding risk. There are a variety of responses to risk:

  • Tolerate - accept the risk and be prepared to manage its consequences.
  • Transfer the risk to a third party, (e.g. by contracting out or by insurance).
  • Treat - reduce the risk through the application of controls.
  • Terminate - avoid the risk by deciding not to proceed with the activity.

Controls to reduce risk have a cost. It is important that the control is proportionate to the risk and offers value for money. This means that the Gallery will not necessarily set up and monitor controls to counter risks where the cost and effort are disproportionate to the impact or expected benefits.

For some key areas where the likelihood of a risk occurring is relatively small, but the impact on the Gallery is high, the Gallery may cover that risk by developing Contingency Plans, for example the Emergency Procedures Plan. This allows the Gallery to contain the negative effect of unlikely events which might occur.

5 Review and report on risks

Risks need to be kept under regular review. This will need to take place at several levels e.g.

  • Planning Team and the Audit & Compliance Committee will review on a quarterly basis the Corporate Risks facing the Gallery. The Chair of A&CC will report on these risks to Trustees at each Trustees’ meeting.
  • Heads of Departments will review and update Departmental Risk Registers, at least quarterly, for consideration by the Planning Team and as part of the business planning and mid year review process.
  • Departmental Risk Registers should also be reviewed at the regular departmental and team meetings by Heads of Department/Heads of Section. Any significant increases in risk profiles, or the identification of new risks with a High risk rating, should be reported to the Head of Department and then to the Head of Finance and Planning, and the appropriate risk register updated as necessary.
  • Project/Exhibition Managers will review and report on risks associated with their projects/exhibitions to their respective Heads of Department, who will then report to Planning Team and Audit & Compliance Committee any key risks emerging with the project or exhibition.

6) Responsibilities

Trustees
The Chair of Trustees is jointly responsible with the Director for establishing and maintaining a sound system of internal control that supports the achievement of the Gallery’s aims, objectives and policies. The system of internal control is designed to respond to and manage the whole range of risks that the Gallery faces. The system of internal control is based on an on-going process which identifies the principal risks, evaluates the nature and extent of those risks and manages them effectively.

The Audit and Compliance Committee agrees risk management standards and the overall degrees of risk acceptance or aversion for the Gallery, through its annual review of the Gallery’s risk appetite, and reviews the major risks to the Gallery.

The Chair of the Audit and Compliance Committee will advise the Director and report to the Board of Trustees:

  • annually and quarterly on the effectiveness of risk management and the Gallery's system of internal controls;
  • quarterly to provide updates on progress against action points on the Risk Register; and
  • as required for emerging or critical issues related to risk management.

The Committee also performs the same function for the National Portrait Gallery Company Ltd.

Director (Accounting Officer)
The Director as Accounting Officer is jointly responsible with the Chair of Trustees for establishing and maintaining a sound system of internal control that supports the achievement of the Gallery’s aims, objectives and policies.

Directors of the National Portrait Gallery Company Ltd
The Directors have overall responsibility for ensuring that the risks to the Company and its objectives are identified and properly managed.

Senior Management Team
The Senior Management Team has overall responsibility for ensuring that the Gallery’s risks are properly managed. Regular monitoring of risk is undertaken by the Planning Team.

Heads of Department have a responsibility to identify, evaluate and manage risks to their departmental objectives and for preparing and maintaining a Departmental Risk Register. These registers are formally reviewed and updated quarterly.

Individual members of Senior Management Team take charge of managing specific risks or areas of risk.

As Budget-Holders, all members of Senior Management Team will provide the Accounting Officer with an annual Assurance Statement confirming compliance with the Gallery’s risk management procedures.

Planning Team
The Planning Team comprises the Director, the Head of Finance and Planning, the Chief Curator, the Head of Exhibitions and Collections Management, the Head of Learning, the Communications and Development Director, the Head of Trading and the Head of Resources.

The Planning Team is responsible for:

  • Developing and communicating the Gallery’s policy on risk and information about risk management procedures to all staff, and where appropriate to the Gallery’s external partners;
  • Establishing and reviewing the Gallery’s risk tolerance (the overall level of exposure and nature of risks which are acceptable to the Gallery – see Appendix 1);
  • Setting policies on internal control based on the Gallery’s risk profile, its ability to manage the risks identified and the cost/benefit of related controls; and
  • Seeking regular assurance that the system of internal control is effective in managing risks in accordance with the Gallery’s policies.

Head of Finance and Planning
The Head of Finance and Planning is responsible for:

  • Maintaining the Gallery’s Corporate Risk Register;
  • Reporting quarterly and at year-end on risk management to Audit & Compliance Committee;
  • Keeping up-to-date with external guidance and providing advice on risk management; and
  • Ensuring that appropriate risk management training is made available to staff as required.

Heads of Section (Budget Managers)
Heads of Section have a responsibility to identify, evaluate and manage operational risks and to bring emerging risks to the attention of their Head of Department (member of Management Team) for inclusion where appropriate in the Departmental Risk Register. Heads of Section are ideally placed to pick up on those early warning indicators which might identify where problems are developing and this is an important responsibility.

Heads of Section should ensure that everyone in their section understands their risk management responsibilities and must make clear the extent to which staff are empowered to take risks.

Staff
All staff have a responsibility for maintaining good internal controls and managing risk in order to achieve personal, team and Gallery objectives. Collectively, staff need the appropriate knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This requires an understanding of the Gallery, its strategic objectives (in the Corporate Plan), the risks the Gallery faces and the organisations and individuals the Gallery deals with. Everyone should be aware of the risks they are empowered to take, and those which should be avoided or reported upwards.

Internal Audit
Internal Audit's primary role is to give the Accounting Officer an independent and objective opinion on the Gallery's risk management, internal control and governance. This assists senior management in assessing and monitoring the effectiveness of the internal controls. Internal Audit will issue an Annual Report to the Accounting Officer, which will include Internal Audit's opinion of risk management in the Gallery and a Statement of Assurance on Internal Control.

7) Procedures

The Planning Team, which meets quarterly ahead of Audit & Compliance Committee, co-ordinates the identification, control and monitoring of risk within the Gallery, with facilitation from the Head of Finance & Planning and advice from Internal Audit.

This is managed through the Gallery's Corporate Risk Register which includes a list of high rated risks identified by the Senior Management Team, in their Departmental Risk Registers, and linked to Gallery objectives from the Corporate Plan. For each risk the register shows an assessment (rating) of the risk as to impact and probability, the associated risk appetite against which the risk should be compared, the member of the Senior Management Team responsible for managing the risk, the controls in place to manage the risk, an assessment of the residual risk against the agreed risk tolerance, and any further action which should be taken to manage the risk down to within the relevant risk tolerance, should management consider the controls are not strong enough to manage the risk.

The Company’s Directors review the Company’s risk register at each Board meeting, with facilitation from the Head of Finance and Planning - as Company Secretary - and advice from the Company’s external auditors. The Company risk register is reviewed quarterly by Planning Team and Audit & Compliance Committee.

The Audit and Compliance Committee reviews the Corporate Risk Register, and the actions taken to mitigate risks, on a quarterly basis. The Chair of the Audit and Compliance Committee provides quarterly updates and an annual report to the Board of Trustees on the effectiveness of risk management.

8) Breach of the Policy

Actions taken by staff in contravention of the Gallery’s stated policies and/or procedures may be treated as a disciplinary offence, to be dealt with in accordance with the Gallery’s Disciplinary and Grievance Procedure.

9) Review

The Gallery’s Risk Appetite should be reviewed annually, as part of the annual review of Risk Management in May, and the Risk Management Policy at least every three years.

10) Date of Approval This Risk Management Policy was reviewed by Audit & Compliance Committee on 30 April 2009 and approved by Trustees on 14 May 2009.

APPENDIX 1

RISK TOLERANCE

Trustees encourage the taking of controlled risks, the pursuit of new opportunities and the use of innovative approaches to further the interests of the Gallery and achieve its objectives, provided the resultant exposures are within the Gallery’s risk tolerance range.

An organisation’s risk tolerance or risk appetite is the amount of risk it is prepared to tolerate in a particular circumstance. Risks for which there is a low risk appetite require a level of control that results in a low risk score once action has been taken to manage the risk.

Trustees have agreed a risk appetite framework for various areas of the Gallery’s operations as follows, (generally any activity arising out of our statutory obligations will have a low risk appetite):

Governance risks
External risks
Compliance
Reputation
Financial
Collections/conservation 
Exhibitions
Learning Programmes
Buildings, routines and events
Trading/Marketing   
Project risks  
- Mission critical projects
- Other development projecs
- Speculative project


Low risk appetite
Medium risk appetite
Low risk appetite
Low risk appetite
Low risk appetite
Low risk appetite
Medium risk appetite
Medium risk appetite
Medium risk appetite
Medium risk appetite

Low risk appetite
Medium risk appetite
High risk appetite

Any risk which is assessed as being higher than the associated risk appetite, once action has been taken to manage them, would need to be examined to see if the controls could be strengthened to reduce the risk to within the risk appetite.

Guidance about how to identify and evaluate risk can be found on the Gallery network. The guidance includes advice about how to undertake a risk management workshop in order to prepare a Departmental Risk Register. The Head of Finance and Planning will normally facilitate such a workshop, and these workshops should be held once a year – ideally to coincide with the preparation of the new Departmental Plan.

APPENDIX 2

THE GALLERY’S POLICIES, PROCEDURES, GUIDANCE MANUALS AND HANDBOOKS

An important pillar in maintaining internal control is to ensure that all staff are aware of the Gallery’s policies, procedures and guidance. These policies, procedures, guidance manuals and handbooks define where there are mandatory processes and procedures to be followed. Full compliance with these standards is required and confirmation of compliance will be sought in the annual Budget-Holders’ Assurance Statements. Non-compliance with the Gallery’s prescribed procedures constitutes an unacceptable risk. Trustees and staff should also be aware of the Gallery’s strategic policies as listed below.

All staff should be aware of:

Strategy

  • Summary Policies for: Collections and Acquisitions; Exhibitions & Displays; National Programme; Research; Learning & Access; Development & Communications; Publications; Resources

All staff should comply with:

Human Resources

  • Employee Handbook
  • Policies for: Health & Safety; Equality; Recruitment; Alcohol and Drugs; Security and IT; Communications; Volunteers, Interns and Work Experience
  • Whistle-blowing procedures

Finance

  • Financial Regulations
  • Financial Procedures
  • Policies for Anti-Fraud; Risk Management
  • Expenses Policy

Records Management

  • Policies for Data Protection; Archive and Records Management

Other

  • Use of Gallery’s brand/visual identity
  • Guidelines for dealing with the press
  • Procurement Policy
  • IT Security Policy

Staff should also ensure they comply with mandatory departmental procedures, manuals etc; Heads of Department are responsible for ensuring that their staff are aware of those procedures which are mandatory.