The aim of risk management is to keep the organization and its employees safe, as this is the employer's duty of care; to provide financial security with regard to money spent on things such as legal fees, payouts to insured parties, etc.; and to comply with the national legal and statutory guidance set for businesses and organizations alike.
Risk management within a Domestic Violence Charity needs to ensure that all vulnerable clients and employees are managed effectively. This involves following standards, and ensuring that others follow them, in order to eliminate risk. Cardiff Women’s Aid is a Domestic Violence Charity, which means that it is a high-risk environment for both clients and employees. The standards against which we need to measure our organization therefore include Safeguarding Children and Young People, Safeguarding Adults, etc.
Safeguarding Children and Young People and Safeguarding Adults are written into the policies and procedures to ensure compliance. If these standards are not followed, this could lead to serious repercussions. The standards provide a framework for ensuring that all staff and clients receive the same training and the same information in order to prevent risk. For example: if our IPAs (Independent Personal Advisors) are not trained in how to tactfully ask questions surrounding a traumatic event, this could lead to a situation where the client becomes offended and lashes out at the IPA, or it could affect the IPA through vicarious trauma, leading to that employee becoming unwell.
Health and Safety is another example of how we need standards to ensure correct risk management. There is a set of legal and national standards set by the Health and Safety Executive which, if not followed, can lead to the shutdown of an organization. This is a major risk. To avoid it, we need to ensure that training, signs, alarm practices, etc. are issued to everyone to follow. For example: fire exits must be kept empty, with no clutter in the way, so that everyone can get out of the building. Had we not known that these need to be kept clear, someone could have become trapped during a fire and died. The standards ensure that we are legally required to keep them clear, and the risk therefore goes from high to very low.
The relationship between risk management and standards is extremely important. Standards exist to make sure that the clients are safe while we are working; we need to ensure that our employees are correctly trained against a nationally recognized set of standards, and if they do not follow these standards then they themselves become a risk to the business, and that risk needs to be eradicated.
Business risks are those that can have a large impact on the organization. I include these risks within a risk register and divide them into sections of the business (strategic, financial, operational, H&S, staff, environmental, etc.) to provide an overall view of each area and its potential risks. Factors that could influence business risks are anything that adversely affects these areas.
In the area of Health & Safety there are many influences and risks. The main business risk I would look at would be non-compliance with legal national standards. A factor that could influence this risk would be not holding an induction in a new building. Staff legally need to know the location of fire exits in case of a fire. If they do not know this information and we had a fire, there would be a high risk of injury or death, which is a failure of our duty of care to all staff members and would impact the organization financially and legally.
In the legal and regulatory area, looking at confidentiality within the organization, the business risk would be divulging client information to a third party that has not been authorized by the client. The factor that would influence this would be non-adherence to the Data Protection Act, whereby not following the set standards and divulging personal information without the permission of the client is a criminal offence.
In the environmental area, there is the risk of a pandemic virus spreading to all staff and clients. This would be influenced by the lack of a business continuity plan setting out how to eliminate spread and how to reduce further impact on the organization.
In conclusion, identifying business risks and the factors that influence them is essential; together they form an analysis of what is needed to prevent these risks and to prevent further legal and financial implications for the organization. It is clear that the main influences on business risk can be established and monitored carefully with the correct management tools.
Risk Management as a Strategic Approach
Risk management is a strategic approach by which the organization implements a risk register to identify each risk, its level of impact and likelihood (e.g. critical, high, medium or low) and its mitigation plan. These are compared against the set of risk standards for compliance and must be regulated. For example: a pandemic is a risk; it is rated on how disruptive it could be and at what level within the organization, and on how to either eliminate or reduce the risk.
Crisis management is an operational approach to the disruption caused by a risk. This is ‘attacking’ the risk through careful management, rerouting and alteration of the organization to prevent further damage or disruption. Having looked at the risk register for level and impact, crisis management takes the mitigation and puts it into action. For example, the Covid-19 pandemic risk was at a critical risk level, and mitigation plans included allocating staff to safer areas (working from home) to prevent further contamination.
Business continuity is a strategic approach to continuing the organization after a disruption has occurred. This would include highlighting the objectives of the business, understanding how they were disrupted (financially, operationally, in terms of resources, etc.) and providing a clear plan for how to continue the service should a disruption occur again. For example, the Covid-19 pandemic caused staff to work from home; this caused a few issues, as not all staff had been issued with laptops, and these had to be purchased. It has now been planned that all staff are to be issued with laptops instead of desktop PCs so that service can continue from any location and disruption is avoided.
Together they form an essential framework for a business, as they are the beginning, middle and end of effectively managing risk as a whole. Following the risk management procedures, managing the crisis and following and/or developing the continuity plan highlights the risk and its level and provides a basic mitigation plan. This allows a business to run smoothly operationally and provides the foundation for a solid continuity plan to reduce or eliminate any risk in the future.
Scenario planning is evaluating the risks of a particular scenario (e.g. a pandemic) that may occur and being prepared for it. A crisis management model would be used to collate this information, depending on the scenario. In order to plan for a scenario, I would use a pre-crisis model, PESTLE. PESTLE is made up of political, economic, social, technological, legal and environmental risks that could affect the organization. These map out a variety of external risks so that all possibilities can be prepared for.
For example: Cardiff Women’s Aid need to be aware of any political changes that could cause risk to the organization. The VAWDASV 2015 Act (Violence Against Women Domestic Abuse and Sexual Violence) is an Act that states the Welsh Government must work with preventative services. The RISE service we provide is under contract with the Welsh Government, and if this Act were abolished, the service would not be funded, the work could not be provided and the risk of women being murdered would increase rapidly. By using this model we are able to play out varied scenarios and understand how each could impact the organization.
Another crisis management model would be to use a business continuity plan for post-crisis recovery. This is where the organization has had something happen that possibly could not have been predicted; the model enables the organization to learn, after the risk has happened, what to do in order to prevent or eliminate it from happening again.
For example: Cardiff Women’s Aid had never encountered a pandemic before and therefore had not been prepared. This meant that the model we needed to use was a business continuity plan created from the scenario that happened and from what did and did not work. It allowed us to learn from the mistakes we made and develop a plan for both.
The issue with preparing for risks that haven’t happened using the pre-crisis models is that it can be a lengthy process and could potentially waste time thinking of endless scenarios to prevent or eliminate a risk. The issue with dealing with the aftermath of a risk using the post-crisis models is that the risk has already done the damage, and the way it was handled could have been appropriate for the moment but possibly not for the business’s reputation, for example. I personally think that it is better to have a pre-crisis, crisis and post-crisis response when managing risks, due to their unpredictability and to ensure there is more than one way to eliminate or reduce a risk.
Calculating risk probability is determining how a risk will impact the organization by calculating the likelihood that it will happen and what the impact will be. This provides a level at which you can understand the severity of that risk.
Calculating risk probability can be done via quantitative or qualitative methods. The quantitative method provides a numerical answer that can be compared against other quantitative data and gives more statistical answers, such as graphs that show trends; the qualitative method provides data gathered and analyzed from risk assessments, which gives a narrative.
If we calculated risk via a quantitative method, I would use a risk register. The risk register is a tool that provides a final risk level linked to a code from low to high risk. The higher the number, the higher the risk.
For example, the risk of fire in a room that always has candles and a cat in it would be calculated like this: the likelihood of the cat knocking a lit candle off the side is high (4), multiplied by the impact of the lit candle falling onto the fluffy rug below, which would be high (x4); therefore the probability of the risk would be critically high (4×4 = 16), and means to eliminate or reduce the risk can be created from this.
If we calculated risk via a qualitative method, I would use a risk assessment. The risk assessment is a tool used by an assessor to write down all the risks that they see or predict would happen. This is written on a form, with actions on how to eliminate or reduce each risk within a timescale that is reasonably practicable. This can be monitored and provided as checklists for employees to use in the future.
For example, the carpet on the stairs is damaged and sticks up. The assessor records this as a trip hazard which could cause someone to fall down the stairs, leading to potential injury or death. The action is to replace the carpet, but as a carpet could take a while to arrive, the immediate action would be to put hazard tape on the carpet and a warning sign for those using the stairs.
Both of these methods can be used to effectively calculate risk, depending on how the data needs to be presented or used. Analysis here means breaking something down into components or essential features to identify possible causation and/or draw conclusions.
Risk Monitoring Techniques
Risk monitoring techniques are the means by which organizational risks are eliminated or prevented from returning, and they describe how this is done. They are also a way of providing evidence of compliance against national and legal standards and of demonstrating the organization’s effective and efficient risk management.
There are different techniques for different types of risk, such as static risks and dynamic risks. Examples of static risks are ones that are always present, such as dealing with vulnerable adults and the potential for abuse of employees. Working within Cardiff Women’s Aid, this risk is always present. This means that the static risk could be regulated by ensuring that all staff have annual safeguarding training and refresher training on a bi-monthly basis to reduce the risk of potential harm.
Examples of dynamic risks are ones that occur due to the progression of the business; for example, securing a grant for double the machinery would mean double the risk of potential harm to employees using the machines. This means the dynamic risk could be regulated by ensuring that every time funding for machinery is awarded, refresher training is given to all employees on how to use the machines.
The techniques that could be used are reassessing, auditing, analyzing the effect, reporting trends and then communicating these. Different techniques can be used for different risks, depending on the reasons for wanting the data. If you want to report on the number of risks per year, or on how the business is being affected by the risks, then these techniques can provide this information. For example, the risk of a computer virus spreading across the work network could be monitored by asking staff to reassess their laptops (antivirus checks every week) and report any faults to the ICT team, with the ICT team providing monthly and annual checks of the network and then reporting the results, with any faults, to the Senior Management Team, which could be used within a preventative plan. This also ensures that the risk is being managed to the best of the organization’s ability.
Each technique provides a different approach, which is needed when monitoring unpredictable risks. This ensures that all risks are monitored in a way suited to their specific type and provides the best record for noticing trends or gaps, enabling effective risk management.
The essential features of risk governance structures are built into an organization to ensure compliance with national and legal standards for the employee, employer and client, by providing the information they need to understand and accept that if a risk materializes, this is how it is dealt with.
They allow the organization to guide staff and clients into being responsible and taking ownership of their actions, which could otherwise cause the organization, client or employee to become financially or legally liable should a risk have serious implications. For example, staff are inducted into the organization on their first day; this induction includes a staff handbook, a safety handbook, etc. to sign once read. These are written guidance and broken-down policies and procedures, so that the employee and the organization have clear evidence of whose responsibility it is in case of a risk and who has ownership of the implications caused by acts of non-compliance.
There can also be issues with risk governance structures, as giving onerous responsibilities to individuals or to the organization could in turn lead to another risk.
Overall, there needs to be a balance between what is legally the duty of employees, clients and employers and the organization’s policies and procedures. It is a good way to manage the organization in terms of providing clear, coherent guidelines and gaining the signatures of employees as confirmation of ownership, to prevent further long-term financial or legal risks.