Risk Management Policy
1. Policy Statement
1.1 The National Portrait Gallery recognises that the effective management of risk and opportunity is fundamental to safeguarding the National Portrait Gallery, protecting the Gallery’s reputation, complying with regulatory standards and achieving the Gallery’s objectives. This document outlines the principles underpinning our approach to risk management, the risk management process, and the responsibilities of all staff for risk management.
2.1 In order to ensure risk is managed effectively, all responsible for risk should:
- take a balanced view of the organisation’s approach to managing opportunity and risk commensurate with the organisation’s risk appetite;
- have trustworthy internal controls to safeguard, channel and record resources as intended;
- have practical documented arrangements for controlling or working in partnership with other organisations, as appropriate;
- use internal and external audit to improve its internal controls and performance; and
- the Accounting Officer signs the governance statement within their Annual Report and Accounts.
2.2 The core processes at the heart of the risk management framework involve identifying risks, assessing these, designing and operating risk treatment activities (including controls), monitoring these and reporting on success or otherwise. In line with good practice, the primary shift is to position risk management as more than a process, but rather as an essential part of good governance, decision-making and performance management at all levels of the organisation.
2.3 Effective risk management protects and adds value to the Gallery through supporting its objectives by:
- improving decision making, business planning and prioritisation by comprehensive and structured understanding of the wider business environment
- Supporting more efficient allocation and use of resources across the Gallery
- Enhancing communication
- Protecting the Gallery’s assets, reputation and image
- Developing and supporting staff and the Gallery’s knowledge base
- Helping to focus the internal control and scrutiny and audit plan
2.4 The Gallery’s responsibilities in relation to risk management and the Governance Statement are set out in Chapter 4 of Managing Public Money, and in the Gallery’s Management Statement and Financial Memorandum agreed with DCMS.
3.1 The Board of Trustees has ultimate accountability for ensuring that risk is effectively managed across the National Portrait Gallery, including approval of the policy and risk appetite statement and setting a culture of risk management across the Gallery.
3.2 The Board is jointly responsible with the Director for establishing and maintaining a sound system of internal control that supports the achievement of the Gallery’s aims, objectives and policies. The system of internal control is designed to respond to and manage the whole range of risks that the Gallery faces. The system of internal control is based on an on-going process which identifies the principal risks, evaluates the nature and extent of those risks and manages them effectively.
3.3 The Board of Trustees review the Corporate Risk Register once a year.
3.4 The Board delegates risk management to the Audit and Risk Committee. The Audit and Risk Committee agrees risk management standards and the overall degrees of risk acceptance or aversion for the Gallery, through its annual review of the Gallery’s risk appetite, and reviews the major risks to the Gallery.
3.5 Specifically, the Committee will:
- Review the Corporate Risk Register, risk reduction plans and the Internal Control & Scrutiny / Audit monitoring documents at its meetings, and;
- Gain assurance on behalf of the Board that the risk management process is operating effectively, liaising with other Committees as required
3.6 The Chair of the Audit and Risk Committee will report to the Board of Trustees:
- annually and quarterly on the effectiveness of risk management and the Gallery's system of internal controls;
- quarterly to provide updates on progress against action points on the Risk Register; and
- as required for emerging or critical issues related to risk management.
3.7 The Committee also performs the same function for the National Portrait Gallery Company Ltd.
3.8 The Director as Accounting Officer is jointly responsible with the Board of Trustees for establishing and maintaining a sound system of internal control that supports the achievement of the Gallery’s aims, objectives and policies.
3.9 With the Director’s Group (see 3.12), the Director is also responsible for raising the level of management awareness and accountability for the business risks experienced by the Gallery and for developing risk management as part of the culture of the Gallery.
3.10 The Directors of the National Portrait Gallery Limited have overall responsibility for ensuring that the risks to the Company and its objectives are identified and properly managed.
3.11 The Directors (executive leadership team/Director’s Group) have overall responsibility for ensuring that the Gallery’s risks are properly managed. Regular monitoring of risk is undertaken by the Director’s Group.
3.12 The Director’s Group is responsible for:
- Developing and communicating the Gallery’s policy on risk and information about risk management procedures to all staff, and where appropriate to the Gallery’s external partners;
- Establishing and reviewing the Gallery’s risk tolerance (the overall level of exposure and nature of risks which are acceptable to the Gallery – see Appendix 1);
- Setting policies on internal control based on the Gallery’s risk profile, its ability to manage the risks identified and the cost/benefit of related controls; and
- Seeking regular assurance that the system of internal control is effective in managing risks in accordance with the Gallery’s policies.
3.13 Heads of Department or senior managers or equivalent have a responsibility to identify, evaluate and manage risks to their departmental objectives and for preparing and maintaining a Departmental Risk Register. These registers are formally reviewed and updated quarterly.
3.14 Individual members of the Director’s Group or Heads of Department or equivalent may take charge of managing specific risks or areas of risk.
3.15 As Budget-Holders, all members of Director’s Group will provide the Accounting Officer with an annual Assurance Statement confirming compliance with the Gallery’s risk management procedures.
3.16 The Chief Financial Officer is responsible for:
- Maintaining the Gallery’s Corporate Risk Register;
- Reporting quarterly and at year-end on risk management to Audit and Risk Committee;
- Keeping up-to-date with external guidance and providing advice on risk management; and
- Ensuring that appropriate risk management training is made available to staff as required.
3.17 Heads of Section have a responsibility to identify, evaluate and manage operational risks and to bring emerging risks to the attention of their Head of Department for inclusion where appropriate in the Departmental Risk Register. Heads of Section are ideally placed to pick up on those early warning indicators which might identify where problems are developing and this is an important responsibility.
3.18 Heads of Section should ensure that everyone in their section understands their risk management responsibilities and must make clear the extent to which staff are empowered to take risks.
3.19 All staff have a responsibility for maintaining good internal controls and managing risk in order to achieve personal, team and Gallery objectives. Collectively, staff need the appropriate knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This requires an understanding of the Gallery, its strategic objectives (in the Corporate Plan), the risks the Gallery faces and the organisations and individuals the Gallery deals with. Everyone should be aware of the risks they are empowered to take, and those which should be avoided or reported upwards.
3.20 The role of Internal Audit is to give the Accounting Officer an independent and objective opinion on the Gallery's risk management, internal control and governance. This assists senior management in assessing and monitoring the effectiveness of the internal controls.
3.21 Internal Audit will issue an Annual Report to the Accounting Officer, which will include Internal Audit's opinion of risk management in the Gallery and a Statement of Assurance on Internal Control.
4.1 Governance is the process by which stakeholders (staff, Trustees and bodies to which the Gallery is accountable) articulate their interests, their input is taken on board, decisions are taken and decision- makers are held accountable. Good governance will give management the freedom to take the organisation forward without undue restraints and ensure this freedom of management is exercised within a framework of effective accountability.
4.2 Risk management is the culture, processes and structure that are directed towards the effective management of potential opportunities for and threats to the Gallery.
4.3 Risk is something which could:
- have an impact by not taking opportunities or not capitalising on the Gallery’s corporate strengths,
- prevent or hinder the achievement of the Gallery’s objectives,
- cause financial disadvantage, i.e. additional costs or loss of money or assets; or
- result in damage to or loss of an opportunity to enhance the Gallery’s reputation.
4.4 Governance Statement is the mandatory annual statement made jointly by the Chair of Trustees and Director in the Annual Report and Accounts, confirming how they and the supporting Management Board have managed and controlled the resources of the Gallery during the period.
5. Statement of Principles
5.1 The Gallery aims to anticipate and, where possible, avoid risks rather than dealing with their consequences. The purposes of the Gallery’s risk management processes are to help managers make informed choices which improve the Gallery’s performance by informing decision-making and planning; promote a more innovative, less risk averse culture in which taking calculated risks in pursuit of opportunities to benefit the Gallery is encouraged; and integrate risk management into the day-to-day decision making processes.
5.2 The improvements and benefits which effective risk management should provide are:
- an increased likelihood of achieving the Gallery’s aims, objectives and priorities;
- more efficient allocation of resources, by focusing on the key cost effective controls;
- giving an early warning of potential problems; and
- providing everyone with the skills (after specific training if necessary) to be confident decision- makers.
5.3 All risk management activity will be set in the context of the Gallery’s corporate aims, objectives and organisational priorities, with the aim of protecting and enhancing the reputation and standing of the Gallery. The following general principles will underpin the Gallery’s risk management processes:
- Evaluation of risk will inform the Gallery’s decision-making and form part of strategic and business planning, and investment and project appraisal (including working with other organisations).
- Risk management will be founded on a risk based approach to internal control, to ensure that the application of internal controls is proportionate to the risk the controls are designed to manage.
- The Gallery’s risk management approach will inform the Gallery’s work to improve the reliability of organisational systems and will form the principal means by which the Director gains direct assurance for the Governance Statement.
- Managers and staff at all levels will have a responsibility to identify, evaluate and manage or report risks, according to a consistent and comprehensive risk management framework (see below), which sets the context in which risks are identified, evaluated, controlled, monitored and reviewed.
- Ownership of risk is allocated to individuals best placed to manage the risk – i.e. they have the authority, expertise and necessary resources to manage the risk.
- The Gallery will foster a culture which spreads best practice, lessons learned and expertise acquired from risk management activities across the Gallery.
6. Risk Management Framework
6.1 Clarify Objectives
Having a clear set of objectives is essential to recognising the key risks that might prevent the achievement of these objectives. This includes not only the Gallery’s strategic objectives, but also to any key departmental objective or programme. Everyone involved should be clear: what needs to be done, by when, and who is accountable for delivery.
6.2 Identify Risks to achieving objectives
Gallery procedures require risk identification as part of our strategic and business planning, programme and project management. Risks should be defined fully and clearly. Think in terms of the cause and effect and scope of the risk. Risk identification should not be confined to the initial stages of a project, but should be an ongoing and systematic process to identify the risks most likely to affect the achievement of objectives at the current stage of the project’s life.
6.3 Assess the risks
This involves assessing the probability (or likelihood) and impact of individual risks and assigning a risk rating (in accordance with the Gallery’s risk appetite – this is attached at Appendix 1) to determine their severity and how we should respond to the risk.
The scoring system used to assess impact, probability, proximity and risk appetite is as follows:
|Health and safety risk
|exposure up to £100k
|Litigation/ non compliance penalties risk remote
|No/ slight impact on reputation
|Minor injury not resulting in time off work, non-RIDDOR reportable
|Minor, repairable, damage
|Litigation/ non compliance penalties risk possible
|Potential for adverse publicity - avoidable with careful handling
|Injury resulting in time off work, non-RIDDOR reportable
|Significant damage, repairable
|exposure over £500k
|Litigation/ non compliance penalties risk likely
|Major adverse publicity not avoidable (national media)
|Serious injury, RIDDOR reportable
|Theft, major non-repairable damage
|Surprising if it happened in the next year (less than 25% probability)
|Could happen in the next one to three years (less than 75% probability)
|Likely to happen in the next three years (greater than 75% probability)
|Threat of risk materialising in the next quarter
|Threat of risk materialising in the next 6 months
|Threat of risk materialising in the next 12 months or more
6.4 Determine the appropriate response to each risk
6.4.1 Effective risk management is not about avoiding risk. There are a variety of responses to risk:
- Tolerate - accept the risk and be prepared to manage its consequences.
- Transfer the risk to a third party, (e.g. by contracting out or by insurance).
- Treat - reduce the risk through the application of controls.
- Terminate - avoid the risk by deciding not to proceed with the activity.
6.4.2 Controls to reduce risk have a cost. It is important that the control is proportionate to the risk and offers value for money. This means that the Gallery will not necessarily set up and monitor controls to counter risks where the cost and effort are disproportionate to the impact or expected benefits.
6.4.3 For some key areas where the likelihood of a risk occurring is relatively small, but the impact on the Gallery is high, the Gallery may cover that risk by developing Contingency Plans, for example the Emergency Procedures Plan. This allows the Gallery to contain the negative effect of unlikely events which might occur.
6.4.4 In the majority of cases, the next step will be to put in place systems to mitigate either the likelihood or the impact of the risk. These may include systems addressing the whole operation of the Gallery as well as the areas where risks have been identified. Any system of risk mitigation should provide as a minimum:
- Effective and efficient operation of the Gallery
- Effective internal controls
- Compliance with law and legislation
6.4.5 Mitigating actions will be recorded against each risk that has been listed in the risk register with milestones where appropriate. Mitigating actions should be: Specific, Measurable, Achievable, Realistic, and Time constrained. For each mitigating action, ‘sources of assurance’ over the controls will be identified. Not all mitigating actions will be SMART, especially for risks that are ongoing and timescales are not known. Risk register owners will endeavour to provide as much detail as is possible.
6.5 Review and report on risks
Risks need to be kept under regular review. This will need to take place at several levels e.g.
- The Director’s Group and the Audit and Risk Committee will review on a quarterly basis the Corporate Risks facing the Gallery. The Chair of the Audit and Risk Committee will report on these risks to Trustees at each Trustees’ meeting.
- Heads of Departments will review and update Departmental Risk Registers, at least twice per year, for consideration by the Director’s Group and as part of the business planning and mid-year review process.
- Departmental Risk Registers should also be reviewed at the regular departmental and team meetings by Heads of Department/Heads of Section. Any significant increases in risk profiles, or the identification of new risks with a High risk rating, should be reported to the Head of Department and Department Director, and then to the CFO, and the appropriate risk register updated as necessary.
- Project/Exhibition Managers will review and report on risks associated with their projects/exhibitions to their respective Heads of Department, who will then report to Director’s Group and Audit and Risk Committee any key risks emerging with the project or exhibition.
7.1 The Director’s Group, which meets ahead of the quarterly Audit and Risk Committee meetings, co-ordinates the identification, control and monitoring of risk within the Gallery, with facilitation from the CFO.
7.2 This is managed through the Gallery's Corporate Risk Register which includes a list of high rated risks identified by the Director’s Group, in their Departmental Risk Registers, and linked to Gallery objectives from the Corporate Plan. For each risk the register shows an assessment (rating) of the risk as to impact and probability, the associated risk appetite against which the risk should be compared, the member of staff responsible for managing the risk, the controls in place to manage the risk, an assessment of the residual risk against the agreed risk tolerance, and any further action which should be taken to manage the risk down to within the relevant risk tolerance, should management consider the controls are not strong enough to manage the risk.
7.3 The Company’s Directors review the Company’s risk register at each Board meeting, with facilitation from the CFO - as Company Secretary - and advice from the Company’s external auditors. The Company risk register is reviewed quarterly by the Director’s Group and Audit and Risk Committee.
7.4 The Audit and Risk Committee reviews the Corporate Risk Register, and the actions taken to mitigate risks, on a quarterly basis. The Chair of the Audit and Risk Committee provides quarterly updates and an annual report to the Board of Trustees on the effectiveness of risk management.
8. Breach of the Policy
8.1 Actions taken by staff in contravention of the Gallery’s stated policies and/or procedures may be treated as a disciplinary offence, to be dealt with in accordance with the Gallery’s Disciplinary
9. Policy Review
9.1 The Gallery’s Risk Appetite should be reviewed annually and the Policy will be monitored as part of the Gallery’s annual internal review and reviewed every three years or as required by legislature changes.
Policy author: CFO
Date of last review: February 2024
Date of next review: February 2027
Approved by the Board of Trustees
Appendix 1: Risk Tolerance
Trustees encourage the taking of controlled risks, the pursuit of new opportunities and the use of innovative approaches to further the interests of the Gallery and achieve its objectives, provided the resultant exposures are within the Gallery’s risk tolerance range.
An organisation’s risk tolerance or risk appetite is the amount of risk it is prepared to tolerate in a particular circumstance. Risks for which there is a low risk appetite require a level of control that results in a low risk score once action has been taken to manage the risk.
Trustees have agreed a risk appetite framework for various areas of the Gallery’s operations as follows, (generally any activity arising out of our statutory obligations will have a low risk appetite):
|The Gallery is has a low risk appetite to risk although in the short term it is recognised that the Gallery is taking a medium level of financial risk during the Inspiring People project in order to increase self-generated income and secure long-term financial security. The Gallery will aim to achieve a low level of risk in the future by having balanced budgets, in year contingency and meeting the reserves policy.
|The Gallery has a low risk appetite in relation to liquidity and has a policy to pay debts when they fall due and to have adequate cash balances to cover two months of operational expenditure.
|The Gallery places great importance on compliance and has no appetite for any breaches in statute, regulation, professional standards, health and safety, bribery or fraud and therefore has a low appetite for risk.
|It is regarded as critical that the Gallery protects its reputation. The Gallery therefore has a low risk appetite for any activities that put its reputation in jeopardy, could lead to undue adverse publicity and could lead to loss of confidence from its funders and supporters.
|The Gallery wishes to be a leader in knowledge, ideas and innovation and recognises that this may require a higher level of risk. The Gallery is comfortable in accepting this risk, subject to understanding the risks and benefits are fully understood at the beginning of projects.
|The Gallery has a low risk appetite on cyber security. The Gallery must have confidence in the confidentiality, integrity and availability of their data. Any personal data collected, stored and processed by public bodies are also subject to specific legal and regulatory requirements. Cyber incidents pose an increasing threat to the Gallery’s management of their information, with hacking, ransomware, cyber fraud and accidental information losses all evident throughout the public sector. Cyber security is a Gallery wide responsibility.
|The Gallery has a low risk appetite on sustainability. The Gallery must balance the actions it takes in all areas with climate responsibility.
Any risk which is assessed as being higher than the associated risk appetite, once action has been taken to manage them, would need to be examined to see if the controls could be strengthened to reduce the risk to within the risk appetite.