Policy and Procedures

Doc. No. 13    Version No. 1
Last Reviewed Approved By     ________________    On behalf of Board
Next Review       Responsibility                    (Manager)

Table of Contents

1. Policy
1.1 Policy Statement
1.2 Purpose
1.3 Scope
1.4 Responsibilities
2. Procedures
2.1 Analyse the Context
2.2 Identifying the Risks
2.3 Analyse and Evaluate the Risks
2.3.1 Step One – Score the Likelihood
2.3.2 Step Two – Score the Possible Impact
2.3.3 Step three: Calculate the Risk Level
2.3.4 Risk Matrix
2.4 Manage/Control the Risks
2.4.1 Avoid the Risk
2.4.2 Reduce the Risk
2.4.3 Share the Risk
2.4.4 Accept the Risk
3. Monitoring and Review
4. Appendix
Appendix A: Stakeholder and Other Risk Factors Form
Appendix B: Risk Register and Management Plan

1. Policy

1.1 Policy Statement

Twilight Community Group recognises that the nature of our activities and the environment in which we operate expose us to risks which have the potential to impact or harm our staff, community, stakeholders, reputation, finances, operation and success of our organisation. It is our policy to adopt best practice in the identification, analysis, evaluation, control, monitoring and review of risks to ensure that they are avoided, reduced, shared or accepted.

To ensure this, we will:

- Embed full and effective consideration of risk within the planning and management of new and existing activities across the organisation.
- Engage with our stakeholders and use our knowledge and understanding to identify our risks.
- Determine the level of risk for our organisation by considering the likelihood and impact of identified risks. Risks will be ranked in order of importance.
- Ensure that acceptable net risk thresholds are clearly defined and managed.
- Effectively manage risk to ensure that our objectives, goals and purpose are achieved.
- Create and maintain a risk register and management plan.
- Monitor and review the risk register on a regular basis.
- Put a contingency plan in place in case of a severe business disruption.

1.2 Purpose

To provide a risk management framework to ensure levels of risk and uncertainty are identified and managed in a systematic, structured way, so any potential threat to the delivery of our service is appropriately managed and completed successfully.

1.3 Scope

All operational activities and staff, Board members and volunteers involved in the delivery of those activities.

1.4 Responsibilities

Board

- Determining the appropriate level of risk that the organisation is willing to accept.
- Ensuring that the organisation has effective risk management in place.
- Delegating authorities and responsibilities.
- Approving the completed Risk Management Policy.
- Approving the Risk Register and Management Plan.
- Agreeing the risk appetite having regard for the environment in which the organisation operates.
- Reviewing the ongoing effectiveness of the risk management process in achieving the organisation’s objectives.
- Reviewing the organisation’s risk profile against its agreed strategy, ensuring that they are aligned and within the agreed risk appetite.
- Providing direction on the development of the criteria to use in analysing and ranking the impact of identified risk areas.
- Identifying, analysing and evaluating risk associated with strategies and activities.
- Advising on the level of risk acceptable to the organisation.
- Monitoring and reviewing the effectiveness of the risk management environment.

Manager

- Ensuring the development of the risk management policy and procedures and the risk register and management plan.
- Ensuring the development of a reporting mechanism for all ‘critical’ and emerging risks.
- Developing operational policies for dealing with and reporting identified risk situations and status changes.
- Developing a culture of risk awareness – risks as innovation and strategic opportunity.
- Ensuring that the risk management policy and procedures are understood and effectively communicated to staff and internal volunteers.
- Ensuring staff are consulted in respect of risk management issues.
- Ensuring all activities under their supervision are performed in accordance with the Risk Management Policy and Procedures.
- Ensuring risk management procedures are effectively applied.

Staff

- Being aware of those aspects of the risk management system that are immediately relevant to their jobs.
- Complying with all policies and procedures and communicating any breaches promptly and accurately to management.
- Reporting any real or perceived risks to the health, safety and working environment of themselves, their colleagues or associated stakeholders.
- Reporting any real or perceived risks that may significantly affect the performance or reputation of the organisation or that may leave it exposed to legal or regulatory action.
- Looking for opportunities to improve operational efficiencies, optimise outcomes and minimise risk.
- Undertaking their part in the actions and requirements of risk action and mitigation plans.



2. Procedures

Doc. No. 13.1    Version No. 1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title: 2.1 Analyse the Context

Purpose: To consider the environment in which the organisation operates and to establish the context in which risk management will take place.

Responsibility: Board, All Staff

Procedure:

- The manager consults with all internal stakeholders and convenes a risk assessment board group.
- The group convenes and will consider the following:
  - The organisation’s purpose and objectives and what it takes to achieve them.
  - The structure and key activities that affect the way the organisation operates.
  - Who the internal and external stakeholders are and the potential impact any change in their contribution might have.
  - The risk factors associated with stakeholders and activities. Questions to help identify risk factors:
    - What relationships do you have that are necessary for your organisation to operate successfully?
    - What relationship does the organisation have with those stakeholders?
    - What do they contribute and how important are they?
    - How do those stakeholders affect or influence your organisation’s achievement of its purpose and objectives?
    - What changes or trends may affect your stakeholders or your operation?
    - What perceptions do your external stakeholders have about your organisation and your activities?
    - What are your contractual relationships and obligations with your stakeholders?
    - What legislation, regulations, rules or standards apply to the organisation?
  - The risk categories associated with the organisation’s strategic and operational activities. Common risk categories include:
    - Governance
    - Human Resources
    - Reputation
    - Finance
    - Legal
    - Technology
    - Health and Safety
    - Compliance
- The group completes the Stakeholder and Other Risk Factor Form.

Records: Record of Meetings, Stakeholder and Other Risk Factor Form

Doc. No. 13.2    Version No. 1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title: 2.2 Identifying the Risks

Purpose: To identify and rate organisational risks.

Responsibility: Risk Assessment Group

Procedure:

- Give all participants in the group a copy of the stakeholder and other risk factors form.
- Ask participants to consider the risk factors on the form, one at a time. For each risk factor, group members should consider the following questions:
  - What could go wrong in relation to this risk factor?
  - Has it happened before, and what did we learn?
  - What is already in place to mitigate against this risk?
  - What could change in relation to each risk factor?
  - What could harm people?
  - What legal obligations could we be at risk of breaching?
  - What might a natural event or disaster mean?
  - What might affect our assets or systems?
- Make decisions about which factors are potential risks.
- Write each risk on to the risk register and management plan under the identified category.
- For each risk identified, record the possible consequences for the organisation if it were to happen on to the risk register and management plan.

Records: Record of Meetings, Risk Register and Management Plan

Doc. No. 13.3    Version No. 1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title: 2.3 Analyse and Evaluate the Risks

Purpose: To establish the probable impact of the risk on organisational objectives.

Responsibility: Risk Assessment Group

Procedure:

Analyse the risks in terms of likelihood and impact using the following steps:

2.3.1 Step One – Score the Likelihood

Consider the likelihood that each risk identified may occur, using the criteria below to support consistency of the score. Record the level under the column heading (Likelihood “L”) on your Risk Register and Management Plan.

Likelihood Criteria

The following applies when considering the likelihood of the event taking place:

- Remote – The event may only occur in exceptional circumstances.
- Unlikely – The event will probably not occur.
- Possible – The event might or could occur at some time.
- Likely – The event will probably occur in most circumstances.
- Highly Likely – The event is expected to occur in most circumstances.

2.3.2 Step Two – Score the Possible Impact

Consider the possible impact that each risk identified may have, using the criteria below to support consistency of the score. Record the level under the column heading (Impact “I”) on the Risk Register and Management Plan.

Impact Criteria

The following applies when considering the impact of the event taking place:

- Insignificant – Low level impact with negligible consequences on the objectives that can be controlled by routine management procedures.
- Minor – The consequences would threaten the efficiency or effectiveness of achieving some aspects of the objectives, requiring management effort to minimise impact.
- Moderate – A significant/medium potential of affecting the achievement of the objectives (moderate financial loss or medium-term loss of some essential infrastructure/data).
- Major – A very high potential to impair the achievement of GGA’s aim or activity objectives (major financial loss or political impact, significant occupational health, safety and welfare incident/s, long-term loss of some critical infrastructure/data).
- Catastrophic – An extreme potential to threaten the sustainability of activities (huge financial loss or political impact, very serious occupational health, safety and welfare incident/s, permanent loss of critical infrastructure/data).

2.3.3 Step three: Calculate the Risk Level

Use the risk matrix below to determine the overall risk level for each risk. For example, a risk with a likelihood score of 3 and an impact score of 2 achieves a risk level of acceptable.

2.3.4 Risk Matrix

Risk Matrix – Acceptable “Net Risk” after mitigating action has been taken.

| Impact / Likelihood | Score | Remote | Unlikely | Possible | Likely | Highly Likely |
|---|---|---|---|---|---|---|
| Score | | 1 | 2 | 3 | 4 | 5 |
| Catastrophic | 5 | | | | | |
| Major | 4 | | | | | |
| Moderate | 3 | | | | | |
| Minor | 2 | | | | | |
| Insignificant | 1 | | | | | |

Legend:

- Acceptable
- Marginal – Activities considered marginal can only be undertaken after detailed scrutiny and with the approval of the Board. Marginal activities include: Catastrophic, considered unlikely. Major, considered possible or likely. Moderate, highly likely.
- Unacceptable

After scoring:

- Record the scores and the overall “Gross Risk” level on the Risk Register and Management Plan.
- Discuss the actions to be taken to mitigate against each risk and record on the Risk Register and Management Plan.
- Record the scores and the overall “Net Risk” level on the Risk Register and Management Plan.
- When you have rated all your risks, prioritise the highest rated risks and sort them in order of importance to your organisation.
- Present to the Board/Steering Committee for review.

Records: Record of Meetings, Risk Register and Management Plan

Doc. No. 13.4    Version No. 1
Last Reviewed Approved By 
Next Review Responsibility 
Procedure Title: 2.4 Manage/Control the Risks

Purpose: To identify the appropriate response to managing/controlling the risk.

Responsibility: Risk Assessment Group

Procedure:

Consider one of the following four options to manage a risk:

- Avoid the risk
- Reduce the risk
- Share the risk
- Accept the risk

2.4.1 Avoid the Risk

Avoiding a risk is considered when the consequence of a risk is too much to accept and it cannot easily be reduced or shared. Avoiding might involve:

- Not undertaking the activity that would create the risk.
- Engaging in an alternative activity.
- Removing the source of the risk.

Note: If a decision is to avoid the risk, consider what the potential consequences of that decision are for the organisation.

2.4.2 Reduce the Risk

Exposure to risk may be limited by reducing or controlling the likelihood of an event occurring. The following may reduce or control the likelihood of an event occurring:

- Policies and Procedures
- Internal and External Audits
- Contractual Conditions
- Project Management
- Preventive Maintenance
- Continuous Quality Improvement Activities
- Adherence to Quality Standards
- Technological development
- Structured Training
- Support and Supervision

Preparations to reduce, control or mitigate the impact of an event can aid in making a particular risk more acceptable. The following may reduce or control the impact of an event occurring:

- Contingency Planning
- Contractual Conditions
- Financial Control Planning
- Minimisation of Exposure to Sources of Risk
- Separation or Relocation of an Activity and Resources
- Reserving Resources
- Public Relations

Note: These lists are not exhaustive or exclusive – there may be other options.

2.4.3 Share the Risk

The following should be considered for sharing risk:

- Using a third party to complete a specialist or difficult activity. (Any third party needs to be competent and suitably qualified.)
- Using Insurance. (Check that the insurer and insurance policies are suitable and will cover specific risks.)
- Limiting liability by using waivers and disclaimers.
- Partnerships or Joint Ventures.

Note: Legal or regulatory risks cannot be shared. Waivers and disclaimers cannot be used to avoid statutory obligations. Seek legal advice when developing and intending to rely on waivers or disclaimers.

2.4.4 Accept the Risk

The acceptable net risk (i.e., the risk level after mitigation measures have been put in place) threshold for risks is described as follows:

- We will not undertake any activities that would have a catastrophic impact on the organisation unless the likelihood of occurrence is considered to be at worst unlikely after mitigation measures have been taken.
- We will not undertake any activities that would have a major impact and are highly likely to occur after mitigation measures have been taken.
- Activities considered marginal (highlighted in amber on the matrix) can only be undertaken after detailed scrutiny and with the approval of the Board. Marginal activities include:
  - Catastrophic risks where the likelihood of occurrence is considered unlikely.
  - Major risks where the likelihood of occurrence is considered possible or likely.
  - Moderate risks where the occurrence is considered highly likely.
- Activities highlighted in yellow, green or blue on the risk matrix are considered acceptable.

Questions to assess risk management options:

- How adequate are our current ways of managing this risk?
- Is more than one option necessary to reduce the risk to an acceptable level?
- Does the option reduce the risk but also reduce our opportunities?
- How do the costs of an option weigh up against its benefits?
- Does the option fit with the expectations of stakeholders?
- Has the risk been reduced to an acceptable level?

Assign responsibility for carrying out mitigating actions and set timelines for completion. (Document these on the Risk Register and Management Plan.)

Complete the Risk Register and Management Plan and submit to the board for approval.

Records: Record of Meetings, Risk Register and Management Plan

3. Monitoring and Review

Monitoring and Review:

The risk management policy and risk register and management plan will be systematically reviewed to ensure they are adequate, suitable and effective.

The board/Steering committee will review this policy every three years or sooner if required. In addition, they will review and sign off on the risk register and management plan and monitor the implementation of actions identified in it at regularly scheduled meetings.

The risk assessment group will meet annually, or sooner if required, to review the risk register and management plan and procedures. They will provide a report to the Board/Steering committee at the next scheduled meeting.

Should an unexpected incident or event associated with identified risks occur, the risk assessment group will meet to discuss and update the risk register and management plan as required.

The manager will have responsibility for monitoring activities on a day-to-day basis. Regularly scheduled staff meetings will provide an opportunity for staff to highlight an issue. The manager will report to the Board/Steering committee at regularly scheduled meetings.

Records: Record of Meetings, Risk Register and Management Plan. Document Control Matrix.

4. Appendix

Appendix A: Stakeholder and Other Risk Factors Form

 Identify all the internal and external people, organisations and other factors that are involved in, influence, or contribute to the organisation’s operation and achievement of objectives.

| Who is the stakeholder and what do they do? | Are they internal or external? | What is the relationship, contribution or influence of this stakeholder or factor and why does it matter? | What could go wrong? | What would the impact be if the relationship or contribution changed or something went wrong? |
|---|---|---|---|---|
| Staff/ Volunteers of TCG | Both | Staff of TCG – fundamental to day to day running of service | Experienced staff could leave employment; Sickness, Covid-19 | Loss of experience and skills; Staff shortage |
| DRCD | External | Main funding source for TCG | Funding reduced | Reduction in staff hours; Reduction in staff pay; Closure of Twilight Community |
| Service users (Volunteers and VIOs) | External | Principal service users of TCG | Poor experience of TCG service | Reputation of TCG tarnished; PR crisis |
| Landlord | External | Provider of premises for TCG | Lease not renewed | Need to locate new premises accessible to the public; Increase in rent and overheads |
| Board members | Internal | The smooth every day running of TCG | Retirement of Board members | The experience, knowledge and skill will be lost. |
| CRO | External | TCG needs to be always compliant with both the Charities regulator and Companies registration office | Non-Compliance | Noncompliance audits/ bad reputation/fines |

Appendix B: Risk Register and Management Plan

Risk Register and Management Plan

| # | Description/Risk Area | Gross Risk (Likelihood / Impact / Score) | Mitigating Actions Taken | Responsibility | When | Net Risk (Likelihood / Impact / Score) | Action taken if risk materialises |
|---|---|---|---|---|---|---|---|
| | Governance | | Governance code | | | | |
| 1 | Governing body lacks relevant skills and commitment | Possible / Major / 7 | Board members recruited according to key skills; Skills audits carried out regularly; Board handbook; Clear role descriptions provided to Trustees | Trustees | Ongoing | Unlikely / Minor / 4 | Recruit additional board member with relevant skills / commitment if needed |
| 2 | Conflicts of Interest are not managed | Possible / Moder / 6 | Conflict of Interest Policy; Declaration of Interest form completed annually at AGM; Register of Interests kept | Trustees and Manager | Ongoing | Unlikely / Moder / 5 | Board member with Conflict of Interest will not take part in decision making relating to their interest as outlined in C of I policy |
| 3 | Organisation lacks direction and forward planning | Unlikely / Major / 6 | Strategic Plan 2021-2022; Annual Workplan drawn up annually; Finances of KVC monitored; Feedback sought from stakeholders to inform planning and operations | Managers, Trustees | Ongoing | Remote / Minor / 3 | Board will revisit governing document and strategic plan to ensure TCG has a clear direction moving forward |
| 4 | Loss of key trustees | Likely / Major / 8 | Succession planning; Board handbook outlining time commitment and terms of office; Ensuring adequate notice period and handover | Trustees | Ongoing | Possible / Moder / 6 | Strategically recruit new board member with key skills; Provide adequate induction; Facilitate handover |
| 5 | Accuracy and relevance of reporting to governing body | Possible / Moder / 6 | Ensure timely and accurate reporting to board; Regular board meetings; Regular contact between manager and board; Timely and accurate financial reporting; Adequate strategic planning in place | Manager, Trustees | Ongoing | Unlikely / Minor / 4 | Skills audit and retraining of board members; Retraining and appraisal of TCG manager |
| 6 | Cash flow issues | Possible / Major / 7 | Projected cash flow statements annually which are monitored by board at each board meeting; Reserves; Financial management policy; Ensure adequate information flow and monitoring / reporting mechanisms | Manager, Board | At each board meeting | Unlikely / Moder / 6 | Use of Reserves; Review of financial procedures; Review and revise reporting mechanisms |
| 7 | Dependency on one source of income | Likely / Catast / 9 | Reserves policy; Ensure funding diversification e.g. training, Garda Vetting | Manager, Board | Ongoing | Possible / Major / 7 | Use reserves funding; Utilise funding raised from training, Garda Vetting and other projects |
| 8 | Lack of financial skills in the governing body. | Possible / Moder / 6 | Board members recruited in accordance with key skills; Board Handbook outlines roles and responsibilities; Training for board on regular basis | Board | When needed | Unlikely / Moder / 5 | Additional board members with relevant skills recruited through targeted recruitment drive |
| 9 | Fraud or Error | Unlikely / Major / 6 | Financial management policy in place with authorisation limits in place; Reserves policy; Expense policy; Adequate insurance in place | Board, Manager | When needed | Unlikely / Moder / 5 | Full review of circumstances; Re-evaluation of financial management policies and procedures |
| 10 | Complaint by service user (Volunteer / VIO) | Possible / Moder / 6 | Complaint Policy and Complaints resolution protocol; Use of Service Policy; Policies in place to make sure that the Community is compliant with all the procedures | Manager, Board | Ongoing | Unlikely / Minor / 4 | Complaints procedure will be followed and complaint fully investigated; No comments will be made publicly until complaint fully investigated; If complaint upheld about volunteer / VIO – TCG service will be withdrawn as per Use of Service policy |
| 11 | Public trust in charity sector low | Possible / Moder / 6 | Audited annual accounts and annual report published to demonstrate transparency; Communications plan in place to increase transparency | Manager | | Unlikely / Moder / 5 | Accounts and work report will be made available on our website and TCG will stress how organisation is fully transparent and compliant with all regulatory requirements |
| 12 | TCG name brought into disrepute | Unlikely / Major / 6 | Communications policy and strategy in place | Manager, Board | | Unlikely / Minor / 4 | Board will be informed of any potential crisis and will lead on any communications to the public on the situation |
| 13 | Lack of compliance with legislation and regulation | Unlikely / Major / 6 | Responsibility for compliance allocated to Officers on Board; Audited accounts as per CRO requirements; Compliance with Governance Code; Annual returns filed with CRO; GDPR policy in place; Health and Safety in Workplace policy; Equality and Diversity policy; Anti-Bullying and Harassment policy; Contracts and Employee handbook; Insurance policy in place; Safeguarding and Under 18’s policy in place | Manager/ Board of Directors | Yearly | Unlikely / Moder / 5 | Board notified of all compliance issues; Board investigates circumstances; Seek and access professional advice if required; Staff of TCG to follow relevant procedures as outlined in operational policies |
| | Health and Safety | | | | | | |
| 14 | Risk to health and safety of staff | Possible / Major / 7 | Health and Safety policy in place; Lone Working policy and procedures in place; Driving for Work policy; Insurance policy | Manager, Board | Ongoing | Possible / Minor / 5 | All health and safety issues brought to attention of manager who will notify board; Incident reports completed; Procedures reviewed in light of incident |
| | Human Resources | | | | | | |
| 15 | Staff performance issues | Possible / Major / 7 | Staff appraisals and monthly meetings; Staff recruitment, management, and development policy in place; Robust training procedures for staff | Manager, Board | Ongoing | Possible / Moder / 6 | Performance issues raised during appraisals; Staff offered additional training and support; Protocol followed as per staff handbook |
| 16 | Low morale and high staff turnover | Possible / Moder / 6 | Staff appraisals and monthly meetings; Staff recruitment, management, and development policy and procedures in place; Effective feedback systems; Training and team building days | Manager, Board | Ongoing | Unlikely / Minor / 4 | Exit interviews; Board kept apprised of staff feedback / issues; Review relevant policies and procedures to address issues |
| 17 | Breakdown / Out of Date equipment | Possible / Major / 7 | Technology serviced regularly by a support team and updated when needed; Reserves to deal with unforeseen expenses; All information backed up and saved to SharePoint | Manager/ Board of Directors | Ongoing | Possible / Moder / 6 | Reserve funds used to update technology; Review of current systems |
| 18 | Cyber security threat | Possible / Catast / 8 | All technology is firewalled, and password protected; Cyber security policy in place | Manager/ Board of Directors | Ongoing | Unlikely / Catastr / 7 | Review of current systems; Data Commissioner notified if personal data is breached |
| 19 | Covid – 19 | Possible / Major / 7 | Covid 19 Response Plan in place; Return to Work Safely protocol in place; PPE and sanitisation equipment provided | Manager/ Board | | Unlikely / Major / 6 | Any incidents recorded in incident report; Board notified; Current policies / procedures reviewed in light of incident |