1. VDC.cloud's risk management model
1.1 VDC.cloud recognises that risk management is essential to its governance and to sustainable operation of its services. Risk management in VDC.cloud will be designed to ensure:
- the identification, assessment and management of risk is linked to the achievement of VDC.cloud's objectives.
- all areas of risk are covered - for example, financial, governance, operational and reputational.
- a risk exposure profile can be created that reflects the views of VDC.cloud's senior management as to what levels of risk are acceptable.
- the principal results of risk identification, evaluation and management are reviewed and considered.
- risk management is ongoing and embedded in management and operational procedures.
1.2 VDC.cloud will regularly review and assess the risks it faces in all areas of its work and plans for the management of those risks.
1.3 There are risks associated with all VDC.cloud's activities - they can arise through things that are not done, as well as through ongoing and new initiatives. Risk exposure for VDC.cloud will vary depending on circumstance. For example, VDC.cloud may be willing to expose itself to higher risks as the size of our reserves/size of our organization increases. Risk tolerance may also be a factor in what activities are undertaken to achieve objectives. VDC.cloud will therefore ensure that there is an appropriate balance taken between higher and lower risk activities. These considerations will inform VDC.cloud's senior management in their decision as to the levels of risk they are willing to accept.
1.4 VDC.cloud's senior management need to let staff know the boundaries and limits set by their risk policies to make sure there is a clear understanding of the risks that can and cannot be accepted.
2. Identifying our Risks
2.1 As part of its business planning process, a risk register will be developed. This register is a 'living document' and forms the baseline for further risk identification. VDC.cloud recognises that new risks will appear, and other risks will become less or more severe or may disappear over the lifetime of the plan. Risk identification is therefore an ongoing process within VDC.cloud. When new risks are identified by VDC.cloud's senior management or a staff member, these will be referred to the Risk & Compliance Officer who, in consultation with the Managing Director, will update the risk register accordingly. VDC.cloud will also annually review the risks identified in VDC.cloud's risk register at the senior management/staff away day.
2.2 In undertaking this, staff and senior management will consider:
- VDC.cloud's objectives, mission and business plan;
- the nature and scale of our activities;
- the outcomes that need to be achieved;
- external factors that might affect VDC.cloud such as legislation and regulation;
- VDC.cloud's reputation with its major funders and supporters;
- past mistakes and problems that VDC.cloud has faced;
- the operating structure - for example if we established a trading arm;
- comparison with other businesses working in the same area or of similar size; and
- examples of risk management prepared by other organisations.
2.3 In developing VDC.cloud's risk register, senior management and staff will identify/update risks in the following areas:
- governance;
- operational risk;
- finance risk;
- environmental and external risk;
- law and regulation compliance risk.
3. Assessing, Monitoring and Evaluating risk
3.1 Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required.
3.2 When a new risk arises, the Risk & Compliance Officer, in consultation with the Managing Director, will then assess the risks identified by staff and senior management based on how likely they are to occur and how severe their impact is, using the methodology set out at appendix 1.
3.3 They will identify those risks that are major and propose appropriate actions to mitigate these risks. This will update VDC.cloud's risk register and will be approved by the Managing Director (if a financial risk).
3.4 Where senior management subsequently has a concern about the risk register, s/he should initially seek agreement to amendment via email and, if s/he is still not satisfied, raise the issue at the next board meeting.
3.5 Examples of possible actions to mitigate risks are set out in appendix 2.