RISK MANAGEMENT POLICY
RISK MANAGEMENT POLICY
June 2021
Contents
Summary
Policy Statement
a. Introduction and Objectives
b. Scope and Definitions
c. Roles and Responsibilities
Risk Management Strategy
a. Risk Management Process
b. Monitoring and Reporting
c. Conclusions
Summary
This framework sets out the East Sussex Pension Fund policy on risk management and its strategy for the effective identification, assessment and, where appropriate, management of risks.
Policy Statement
a) Introduction and Objectives
The key objective of the Administering Authority is to effectively run the Pension Fund, paying benefits as they fall due. This policy is intended to allow for the identification and effective mitigation of risks that may undermine the Administering Authority’s ability to do so.
b) Scope and Definitions
There are many definitions of ‘risk’ and ‘risk management’. In simplest terms, these can be defined as follows:
· Risk - ‘the probability of an event occurring and its consequences’;
· Risk management - ‘the processes and structures to enable the effective management of potential opportunities and the elimination / reduction of threats’.
Risk is unavoidable and effective risk management is not about the elimination of risk. The Administering Authority’s ability to manage risk effectively and proportionately, and maximise opportunity, plays a crucial role in its ability to achieve the key objective.
Risk management is not simply a compliance issue but is a decision-making tool, utilised at both strategic and operational levels, and is an essential element of effective governance.
In developing this framework, the Administering Authority recognises that risks cannot be fully managed and that, in being more innovative, efficient and effective, it may choose to take and/or accept more risk. Where this is the case, robust risk management practice will help ensure that the Administering Authority takes appropriately informed decisions, having properly evaluated the potential risks and the associated opportunities.
c) Roles and Responsibilities
Administering Authority
The Administering Authority, also known as the Scheme Manager, is responsible for the operation of the Fund. In practice this role is delegated to the Pension Committee (the Committee).
The Committee meets each quarter and should consider the existing risk register at each meeting, together with the recommendations by Officers or the Local Pension Board with proposed changes. The Committee should also consider whether it would like any additional risks to be considered or for existing risks to be removed from the risk register.
As part of the quarterly meetings it would be appropriate for the Committee to consider those risks subject to possible change, the most significant risks and a selection of the other risks on the risk register.
At least annually, the Committee should review the risk register in its entirety.
Local Pension Board
The role of the Local Pension Board (the Board) is to support the Administering Authority. The knowledge and understanding requirements set out in legislation apply to the Board.
The Board meets each quarter, shortly before the Committee. At each meeting it should consider the risk register with a focus on the most significant risks and any changes recommended by Officers. Additionally, the Board should consider a sample of other risks and make suggestions where it feels changes to the risk register should be made. Minutes of the Board meetings are reviewed at the start of each Committee meeting to take comments and recommendations into account within its decision making.
The Board should consider the risk register in its entirety at least annually. This review should be timetabled to reflect the timing when the Committee will also be fully reviewing the risk register.
Working Groups
From time to time a Working Group will be formed to consider a particular issue. It is likely such a Working Group will include representatives from the Committee, Board along with support from Officers.
The scheduling of meetings will vary depending on the issue to be considered. However, at each meeting relevant risks on the risk register should be considered. A report on the Working Group’s findings should be presented to the full Board and Committee at their next, quarterly, meeting.
As part of this process suggestions for changes to the risk register should be made as appropriate.
Fund Officers
Fund Officers (Officers) carry out the day to day tasks required for the operation of the Fund. This is done in line with the instructions provided by the Committee.
Officers are most closely associated with the Fund operations and are most likely to identify trends and potential risks. Additionally, Officers will be responsible for the mitigation tasks in the risk register.
Before each meeting Officers should consider whether any changes need to be made to the risk register. This may include adding/removing a risk, changing listed mitigations, or rescoring a risk.
Third party service providers
At various levels, people associated with the Fund receive advice from third party advisors. This includes, but is not limited to, the Fund Actuary, Investment Consultants and the Committee’s Independent Advisor.
Third party providers may identify emerging risks to the Fund independently. This may be connected to their cross-market view which those more closely connected to the Fund may not otherwise have access to.
Third party services providers are to be encouraged to raise potential risks with Officers to appropriate changes to the risk register can be made.
Risk Management Strategy
d) Risk Management Process
The Fund’s risk profile is dynamic. Consequently, risk management must be a continuous and developing process to ensure that the Fund is always in the best position to take full advantage of opportunities, as and when they arise, and to ensure that resources are utilised to maximum benefit.
To appropriately and effectively manage risk, it is necessary to adopt a systematic approach to its identification, analysis and control. This approach is referred to as the ‘Risk Management Process’ and provides a system that can be applied to risks at all levels within the Fund, irrespective of risks being ‘strategic’ or ‘operational’ in nature.
The Risk Management Process
Risk information is recorded within the risk register, maintained by Fund Officers with oversight from the Committee and the Board.
Risk Identification
The first element of the risk management process is the identification of risks. This will link into the business planning process, where objectives and targets relating to key business activities are identified, along with associated risks. Risks associated with specific projects and partnership working should also be identified at an early stage in the planning process.
Risk identification is an ongoing process. Risks to the Fund are dynamic and can emerge at any time so their identification should not be seen as a one-off exercise.
The consideration of any reason which could undermine the smooth operation of the Fund could identify a risk. If any concern is identified this should be escalated appropriately at the earliest opportunity an in accordance with Table 1.
Table 1 – Escalating new risks
|
Person identifying risk |
Escalation point |
|
Officer below management grade |
Team leader |
|
Officer of management grade |
Head of Pensions |
|
Committee/Board member |
Committee/Board chair |
|
Committee/Board chair |
Head of Pensions |
|
Third party service provider |
Officer acting as principal liaison point |
Any risk identified should represent a specific threat or opportunity. These can be specific risks which occur as a matter of course in the usual operation of the Fund. Risks can, for ease of reference, be categorised using the headings in Table 2.
Table 2 – Risk categories
|
Category |
Definition |
Example |
|
Administration |
Risks relating to the calculation and payment of benefits or member communication |
Failure to issue Annual Benefit Statements on time |
|
Employer |
Risk relating to a failure of admitted bodies to fulfil their obligations |
Late payment of contributions |
|
Governance |
Risk to the effective operation of the Fund |
Key person risk |
|
Investment/Funding |
Risk to Fund assets |
Poor investment return |
Risk analysis
When a risk is identified and placed into the appropriate category, consideration should be given to how likely the risk is to crystallise and what impact this would have on the Fund.
Charts to help allocate risk rating are below in Tables 3.1 – 3.3. These can also be found within risk register document.
Table 3.1 Likelihood
|
% chance of occurring |
Timeframe for occurring |
Likelihood |
Score |
|
91 – 100 |
This week |
Very High |
5 |
|
61 – 90 |
This month |
High |
4 |
|
41 – 60 |
This year |
Medium |
3 |
|
11 – 40 |
Next 5 years |
Low |
2 |
|
0 – 10 |
Next decade |
Very low |
1 |
Table 3.2 - Impact
|
|
Impact |
|||
|
|
Negligible |
Minor |
Major |
Critical |
|
Service delivery |
Handled within normal day-today routines. |
Management action required to overcome short term difficulties
|
Key targets missed. |
Prolonged interruption to core service. |
|
|
|
Some services compromised. |
Failure of key Strategic Project
|
|
|
Financial |
Little loss anticipated. |
Some costs incurred. |
Significant costs incurred. |
Severe costs incurred.
|
|
|
Handled within management responsibilities. |
Service level budgets exceeded. |
Statutory intervention triggered. |
|
|
Reputation |
Little or no publicity. |
Limited local publicity. |
Local media interest. |
National media interest seriously affecting public opinion
|
|
Little staff comment. |
Mainly within local government community. |
Comment from external inspection agencies. |
|
|
|
|
Causes staff concern. |
Noticeable impact on public opinion. |
|
|
|
Score |
1 |
2 |
3 |
4 |
Table 3.3 – Risk scoring
|
Likelihood |
1 |
1 |
2 |
3 |
4 |
|
2 |
2 |
4 |
6 |
8 |
|
|
3 |
3 |
6 |
9 |
12 |
|
|
4 |
4 |
8 |
12 |
16 |
|
|
5 |
5 |
10 |
15 |
20 |
|
|
|
|
1 |
2 |
3 |
4 |
|
|
|
Impact |
|||
Risk Control
It is important to recognise that, by their nature, some risks will remain significant, irrespective of the control measures put in place, because they may be beyond the powers of the Fund to control.
The key to effective risk control is ensuring that a proportionate and cost effective approach is taken, having regard to the level of actual risk exposure and the benefits to be obtained. As a general rule, the cost of controlling a risk should not exceed the cost to the Fund should the risk materialise. There are various strategies which can be taken in response to an identified risk and these include:
· Terminate – avoid the risk altogether by ceasing the activity to which the risk relates. This tends to be adopted where the level of risk is extreme and where there is little opportunity to control it cost effectively. This option may often be unavailable to the Fund, especially in areas where we have a statutory duty to deliver a service;
· Treat – mitigate or control the risk. Involves implementing actions aimed at reducing either the impact or likelihood of the risk, recognising these actions should not be in excess of the level of risk exposure in terms of cost or resources;
· Tolerate – accept the risk, without any mitigations, based on the potential rewards outweighing the level of risk exposure. This approach tends to be used most often where the rewards or the costs of mitigation are especially high;
· Transfer – achieved through use of insurances or payments to third parties who are prepared to take on the risk as part of a contract. This approach is, however, unlikely to reduce any reputational risk to the Fund.
Whilst all of these strategies are available, there will be some areas of risk which the Fund will not tolerate and will always seek to reduce to an acceptable level. These areas are based on the Fund’s risk appetite which is defined as ‘the amount of risk an organisation is willing to accept’.
Where a decision is taken to mitigate or control a risk (treat), the measures taken should be appropriate and proportionate based on the likelihood, impact and potential consequence of the risk event. The nature of control risk strategies will therefore vary depending on the nature of the identified risk. Some control measures will address the likelihood element of the risk (i.e. reduce the likelihood of the risk event occurring) while others will address the impact element (i.e. once the event has occurred they will reduce the potential harm caused by the risk).
Even where it appears that an identified risk is outside the scope of meaningful control (such as the impact of severe weather events), a regularly reviewed and tested contingency plan will help reduce the detrimental impact.
Control measures will usually constitute some form of positive action and may therefore also form part of organisational service plans. By recording them in this way, targets can be set against the risk controls which can then be subject to ongoing monitoring and review as part of already established management processes.
Post Mitigation Scoring
Once mitigating actions are identified, each individual risk should be re-scored, in terms of both impact and likelihood, using the same scale as noted above (Table 3). This will result in each risk being allocated a ‘post mitigation’ risk score, and associated RAG rating.
The purpose of post mitigation scoring is to assess the effectiveness of the control measures at reducing either the impact or the likelihood element of the risk, thereby illustrating the level of remaining or ‘residual’ risk. Should this remain unacceptably high, management should consider whether further mitigating measures are required.
e) Monitoring and Reporting
The Fund’s risk profile is dynamic and continually changing due to the influence of external factors and / or internal influences.
The level of risk can alter and consequently, identified risks and associated mitigations should be periodically re-assessed by Officers, the Board and the Committee to address and combat the impact of these changes. In addition to this, new risks will periodically emerge which must be identified and analysed as quickly as possible to either reduce the council’s exposure to adverse risk or enable the it to take advantage of business opportunities, as they arise.
As a minimum, the risk register should be formally reviewed and updated on a quarterly basis as part of monitoring by the Board and Committee in line with the roles and responsibilities, described above.
f) Conclusions
The appropriate management of risk is a fundamental element of the Fund’s management process and is essential if the organisation is to successfully deliver its objectives. The aim of this Framework is to provide guidance on the risk management process and to assist with the further embedding of risk management within the culture of the Fund.