Risk protocol case study: The Institution of Engineering and Technology
Dom Pickersgill discusses the Institution of Engineering and Technology’s recent review of its risk protocol.
The recent very sudden - and very public - demise of Kids Company has thrown the Charity Commission’s guidance statement that ‘Risk is an everyday part of charitable activity and managing it effectively is essential if the trustees are to achieve their key objectives and safeguard their charity’s funds and assets’ into very sharp relief.
Beyond the obvious very immediate, tragic impact on that charity’s beneficiaries and employees, the collapse of Kids Company is a vivid demonstration of the need to identify and manage risk. For trustees it is a tangible reminder that the buck stops with them, and that being a charity trustee is about more than a warm feeling and burnishing the CV.
Here at the Institution of Engineering and Technology (IET), following a review of our approach to risk management earlier in the year, we are in the process of rolling out a new approach designed to bring alive the subject of risk at all levels of the organisation and integrate risk management much more closely into our activities.
Who we are
To give a bit of background, the IET is a charity whose objects are ‘to promote the general advancement of science, engineering and technology and to facilitate the exchange of information and ideas on these subjects amongst the members of the IET and otherwise’. This translates into a complex organisation with revenue of £55-60m per year, which undertakes a substantial amount of publishing (both academic and commercial), has 163,000 members in 127 countries, organises many events, is licensed to award certain professional qualifications, has over 400 employees, and has various sites in the UK and overseas. To deliver our activities, we rely on about 4,000 volunteers. The IET has a board of 15 trustees, and day-to-day management is carried out by an executive team of eight.
Given the scale and diversity of activity, managing risk is clearly a key concern. The requirement for the trustees to make a risk management statement in their annual report drives home the need to be able to give the required assurance that risk is being effectively managed.
Out with the old…
Historically, in common with many organisations, the IET tackled risk via a risk register, which:
- identified risks;
- identified owners of each risk;
- recorded the potential impact of the unmanaged risk;
- set out ways of mitigating the risk;
- recorded the potential impact of the managed risk; and
- gave regular prompts to the various risk owners to review and, if necessary, update the details of the risk for which they were responsible.
A report and heatmap were produced for each meeting of the audit committee, the body within our governance structure with overall oversight of risk.
The concern with that structure was whether it engendered the correct approach and culture with regard to risk: by relying on a register-based approach, with identified risk owners (all at senior management team level), was risk in danger of becoming a rather abstract concept, viewed as the responsibility of a few, and managed by completing software-prompted tasks and actions?
…In with the new
Accordingly, we took a step back and looked at what we wanted risk management to achieve. This boiled down to managing risk – and importantly, opportunity – effectively. This enables informed decision making, which helps the IET to better achieve its aims and gives the trustees assurance that risk is effectively dealt with.
To achieve this, we are going to move risk from the abstract and embed it as part of the IET’s culture – as the Institute of Risk Management recently stated, ‘Risk management should be embedded in the general management of an organisation. It should not be practised in isolation, but integrated fully with other functions’. The management of risk is the responsibility of everybody at every level of the IET, and must be considered as part of everything we do – but equally importantly, fear of risk should not be allowed to stifle opportunities. This is where the concept of ‘risk appetite’ raises its head.
We considered whether the IET’s risk appetite could be distilled into a set of parameters, but concluded that this would be at best very difficult to achieve and, more importantly, would probably be overly rigid and wouldn’t reflect the variations in risk appetite which occur across the IET’s spectrum of activities. Accordingly, we have adopted a descriptive approach, based on the risk appetite of our current board of trustees. This appetite will be reviewed regularly and any changes cascaded throughout the IET as necessary.
The concept of ‘cascading’ is key to our new approach, moving from a recording-based approach centred on a few individuals, to engaging with and discussing risk at all levels in the organisation. We have articulated a risk strategy, which categorises risks (strategic, project and operational), and sets out how the categories of risk are managed and the IET’s expectations of individuals’ roles in managing risk.
This will be backed up by a risk manual, which will help people identify, quantify, discuss, manage and record risk. The risk management software will remain, but as part of a suite of support materials. Everyone involved in delivering the IET’s objectives will be encouraged to consider and speak up about risk, and ‘blamestorming’ if things go wrong will not be tolerated.
Top down and bottom up
We are implementing a ‘top down’ and ‘bottom up’ approach to risk, elevating it from an abstract concept to something that everyone in the organisation can recognise, discuss openly and engage with, and not be frightened of. In doing so, we aim to manage risk in a much more proactive, agile fashion that strikes the balance between informed decision making and embracing opportunities, whilst giving our trustees the confidence to make their annual statement in the report and accounts.