Risk Management Policy

Introduction

Blue Saffron defines risk as the threat that internal or external events will adversely affect its ability to achieve its strategy, policy and operational goals. It recognises that risk is something that cannot be wholly contained, but aims to manage its exposure to those risks to a satisfactory level. It is the intention that effective, proactive risk management, supporting structured and well-managed risk taking, is integrated into the culture of the company.

Principles

Blue Saffron will identify and manage risks that endanger the achievement of the strategic aims defined in its Business Plan. The approach adopted will be based upon HM Treasury guidance on Management of Risk – A Strategic Overview (“The Orange Book”) and will be enhanced with reference to best practice from other organisations as opportunities arise. Blue Saffron’s internal control framework incorporates its risk management approach. Management of risk will be embedded at all levels of the organisation, supported by an active training and education programme.

Risk Assessment

Risks will be assessed against estimation criteria approved by the directors. These criteria cover the potential impact of the risk and the likelihood of its occurrence. Each risk will be considered for its effect on strategy, operations, finances or reputation, and for whether it is external or internal.

Risk Tolerance

Management responsible for the risk-carrying work will, at the start of a programme or project, assess those risks using the estimation criteria noted above. They will also be responsible for identifying the acceptable tolerance level for the risks involved and confirming it with the Risk Group. As risks are managed, this tolerance level will be used as the prompt for escalating risk reporting to senior management.

Risk Management

Risks will be managed in accordance with an agreed approach, ranging from terminating the risk, through possible reduction measures, to acceptance and monitoring, or passing the risk on. Review of each risk will be carried out by the manager assigned responsibility for it. Risks will be reviewed:

• Annually by the directors as part of the planning cycle;
• Quarterly by the Exec Team as part of the business plan monitoring process;
• At each of its meetings by the Board Audit Committee;
• Monthly by the Exec Team on an exception basis;
• Monthly by Directorate Management teams for their own subset of risks.

Local risk registers will be developed as needed, based on these policy principles.

Roles and Responsibilities

Each level of Blue Saffron has a responsibility for risk awareness and management. The main roles and responsibilities are as follows:

Board

The Board is responsible for identifying and managing the risks arising from the strategic objectives and policies which it sets. In addition, the Board has overall responsibility for risk management. The Board will be responsible for the annual review of the risk management process and for regular review of progress on risk management actions at six-monthly meetings. Except in relation to the risks for which the Board has retained direct responsibility, the Board has delegated the responsibility for implementing the process of risk management to functional department leads.

Functional Department Leads

• Regularly reviewing the risk register and ensuring that the risk management processes and control systems in their area are appropriate.
• Developing an open and transparent culture for the identification and management of risk, and encouraging employees to instil risk awareness in their behaviour.
• Demonstrating that risk issues and any new risks are considered, via an explicit item on the Leadership Teams’ agenda.
• Ensuring ownership of risks is properly allocated to permit clear responsibility for controls and action plans.
• Ensuring that support and assistance is provided to all employees in fulfilling their individual risk management duties.
• Ensuring that appropriate employees are aware of the key risk issues facing the Company.
• Providing quarterly reports on risk management activities to KMT, which should aim to assess the risks in the area covered and identify steps to mitigate such risks.

Employees

Each employee shall, in the context of their business unit objectives, be responsible for:

• Identifying risks surrounding their work.
• Implementing and operating controls over those risks through application of the Company policy and processes.
• Highlighting any areas for concern (e.g. new risks, internal control weaknesses or breakdown) through normal management controls.