RISK MANAGEMENT POLICY
1.0 Background and Rationale
Like every other organization, CRECO faces numerous risks and the risks have the potential to disrupt achievement of its strategic and operational objectives. CRECO is subject to certain risks that affects the ability to operate, provide service and protect assets. Controlling these risks through a formal program is necessary for the wellbeing of the organization and everyone in it. CRECO aims to use risk management to take better informed decisions and improve the probability of achieving its objectives. The process involves identifying risks, evaluating them and deciding on the necessary action. Risk management, like other management activities, must be practical, cost effective, and help the organization survive and prosper.
Risk refers to the uncertainty that surrounds future events and outcomes. It is an expression of the likelihood and impact of an event with potential to influence achievement of an institution’s objectives.
Hence risk is:
– Anything that could prevent the achievement of a Corporate objective, whether they be in the nature of strategic, operating, compliance and reporting objectives.
– Anything that could negatively impact on the interest of stakeholders. Risk is measured in terms of likelihood and consequence. While risk is an exposure to the chance of a loss, risk is not inherently bad and any one has to take risks to operate a successful organization. The important thing is to ensure that the organization takes calculated risks, which reduce the likelihood that a loss will occur and minimises the impact of the loss should it occur.
CRECO cannot completely eliminate its exposure to risk; any effort to do so would be prohibitively expensive, probably beyond the potential losses that it would be seeking to mitigate. Consequently, the institution will seek to strike an appropriate balance between the ‘cost’ of the risk and the cost of the actions instituted to respond to the risk.
The purpose of the risk management policy is to provide guidance regarding the management of risk to support the achievement of corporate objectives, protect staff and business assets and ensure financial sustainability.
This Risk Management Policy explains CRECO’s underlying approach to risk management. It gives key aspects of the risk management process and identifies the main reporting procedures. The Policy shall be approved by the Board. It will guide the implementation of the Risk Management process at CRECO for the posterity of the organization.
In this regard, CRECO has set up mechanisms to ensure that:
– All material risks that could adversely affect the achievement of the organization’s strategic and operating goals and objectives are continually recognised and assessed.
– CRECO has implemented an effective risk management and control system designed to:
– Identify the relative risks of each operational area of activity;
– Assist the institution to focus appropriate attention in terms of time and resources on the higher risk issues.
2.0 Purpose
– The policy forms part of the CRECO’s internal control and governance practices.
– It is a formal acknowledgment of the commitment of the organization to Risk Management.
– The policy explains CRECO’s underlying approach to risk management. It gives key aspects of the risk management process, and identifies the main reporting procedures.
– It describes the process used to evaluate the effectiveness of the CRECO’s internal control procedures.
3.0 Policy Objectives
The general objective of the Risk Management policy and procedures is to ensure that CRECO has a formal process of involvement of all stakeholders in the continuous identification, assessment, management and control of potential risks
and hazards that can impact or threaten safety of people and properties. CRECO aims to make risk management integral to its culture, strategic planning, decision making and resource allocation.
CRECO’s objectives in relation to risk management are to:
-Ensure risk management is adopted through CRECO as a prudent management practice.
– Ensure achievement of program objectives by ensuring that negative risks are appropriately managed and that positive risks are managed for opportunity.
– Ensure compliance with all relevant internal policies, procedures and controls.
– To ensure that all CRECO employees are made aware of the need to manage risk and promote a culture of participation in that process.
– To protect CRECO from adverse incidents, to reduce its exposure to loss and to mitigate and control loss should it occur.
– Ensure responsibility for the management of risks is assigned to staff who have the authority to ensure that they are managed.
– Assure CRECO donors/investors that there is a robust approach in place to assess and manage risk.
– To ensure the ongoing unimpeded capacity of CRECO to fulfill its mission, perform its key functions, meet its objectives and serve its customers.
– Facilitate CRECO Management to deal effectively with future events that create uncertainty.
– Ensure that resources are assigned to the management of risks in such a way to optimize value for money.
– To reduce the costs of risk to CRECO, members and partners.
– To adhere to Kenyan and International Risk Management Standards.
4.0 Types of Risks
| Types of internal risks | Types of external risks |
|---|---|
| Strategic | Political |
| Operations /business processes | Economic |
| Management & Information | Socio-cultural |
| Organizational / General administration | Technological |
| Human capital/ people | Legal/ Regulatory |
| Integrity | Environmental |
| Information technology | Security |
| Financial | |
5.0 Policy Statements
The following principles guide CRECO’s risk management policy and procedures:
– Risk management applies to all aspects of the CRECO’s business and activity.
– Risk management is a shared responsibility of all Members, Board and Secretariat.
– Risk management facilitates the achievement of our objectives.
– Risk management is a continuous improvement process where CRECO continually strives to reduce and manage the likelihood and negative impact of risks.
– Staff, Board members, volunteers and students are provided with training and other support to assist them in managing risk in their roles.
– Internal audit will be required to perform appropriate reviews and provide the Board with independent opinion on the application and effectiveness of policies, procedures and controls designed to mitigate risks.
6.0 Outcomes
The outcomes of this policy are that CRECO:
– Makes informed operational and service delivery decisions while remaining fully aware of risks and impact.
– Members, Board and the Secretariat understand their roles and responsibilities in relation to risk management.
– Risks and risk impact are minimised through compliance with relevant regulatory, legal and financial obligations, and implementation of risk treatments.
7.0 Ownership of Risk Policy
The risk policy and framework shall be owned by CRECO which shall set the appropriate tone and influence the culture of risk management within its ranks. This Policy outlines CRECO’s commitment to facilitating strategic and operational goals and objectives through risk management, enabling continuous improvement in decision making and performance.
CRECO will promote continuous improvement and review of risk management through regular training, monitoring, audit and reporting processes. Employees in all areas and activities are responsible for applying risk management principles and practices in their work areas; employees in supervisory and managerial positions are responsible for ensuring that risk management principles and practices are applied by those under their supervision.
7.1 Role of the Members
The Members of CRECO have significant roles to play in the management of risk.
Their roles are:
– Setting the tone and influencing the culture of risk management. This includes: determining which risks are acceptable and which are not acceptable and setting the standards and expectations of staff with respect to conduct and probity.
– Comply with the Risk Management Policy.
– Ensuring that significant strategic, operational, compliance and financial risks have been identified and prioritized.
– Confirming that appropriate strategies are in place to manage risks, or that there is a plan and timeline for implementing those strategies and the requisite policies, procedures and controls.
– Reviewing management reports and information from internal and external auditors.
– Holding management accountable for continuously identifying and managing
emerging risks and for implementing CRECO risk management framework
within CRECO.
7.2 Role of the Board of Directors (BoD)
The BoD has a significant role to play in the management of risk by setting the tone and influencing the culture of risk management within CRECO.
This includes:
i. Determining what types of risks are acceptable and which are not.
ii. Setting the standards and expectations of staff with respect to conduct.
iii. Determine the level of exposure for CRECO.
iv. Approve major decisions affecting CRECO’s risk profile or exposure.
v. Monitor the management of fundamental risks.
vi. Satisfy itself that the less fundamental risks are being actively managed, with the appropriate controls in place and effective.
vii. Annually review CRECO’s approach to Risk Management and approve changes or improvements to key elements of its processes and procedures.
viii. Ensure orientation of new Board and staff members to the Organization’s risk management processes and activities
ix. Be familiar with the Organization’s legislative requirements regarding risk management.
x. Monitor and update identified risks and risk treatments.
xi. Implement and review risk management plans.
xii. Contribute to internal risk treatment strategies and activities.
xiii. Comply with the Risk Management Policy.
xiv. Document risk management discussions and decisions from Board meetings
7.3 CRECO Risk Management Committee
CRECO Risk Management Committee is an operational committee appointed by the Board to oversee the risk management process. The Risk Management Committee shall comprise the Executive Director (ED), Deputy Executive Director (D. ED), and four members appointed by the ED. Its roles will be to ensure that:
i. Risks arising from the CRECO’s strategies and activities are identified and prioritized.
ii. Appropriate risk management activities are designed and implemented to reduce or otherwise manage risk to a level that the Board has determined to be acceptable.
iii. Ongoing monitoring activities are conducted on Monthly basis to re-assess risks and effectiveness of controls to manage risks.
iv. There shall be an annual report of risks, risk strategies and controls to all stakeholders.
v. Inform the Audit Committee on risks and controls that should be included in the Audit reports, ensuring the integration of Internal Audit into risk management.
vi. Help embed a risk management culture into all major decisions, through risk education, high level controls and procedures.
vii. Recommend to the Board identified need for review of the College Risk Management Policy.
7.4 Internal Audit
i. Internal Audit is an independent, objective assurance and consulting activity. Its roles with regard to risk management are to provide an independent and objective assurance to the Board of Directors on the effectiveness of risk
management framework and recommending appropriate mitigation factors.
ii. Internal Audit will be required to review the risk management process as part of the audit cycle based on the risk registers in place and provide an opinion as to the adequacy and effectiveness of the risk management arrangements and propose improvements where necessary.
8.0 Implementation Date
This Policy takes effect on the date it is approved by the CRECO Board of Directors.
9.0 Monitoring and Evaluation
CRECO shall conduct monitoring and evaluation of the effectiveness of this Policy in
line with the Monitoring, Evaluation and Reporting framework. CRECO shall:
i. Develop and maintain strategies and mechanisms for monitoring and evaluation of this Policy.
ii. Undertake regular check on implementation of the Policy.
iii. Carry out annual evaluation on the implementation of the Policy.
iv. Use the information for planning and management.
v. Propose potential areas for review.
10.0 Review of The Policy
This policy shall be reviewed from time to time to incorporate the emerging risk issues, but not later than five (5) years.
11.0 Effective Date of Implementation
This policy takes effect once approved by the CRECO Board of Directors.
