This policy draft is adapted from the internal policy infrastructure applicable at One Future Collective and is made publicly accessible in the interest of our mission to build safe, just, and inclusive workplaces for all. If you are an organisation curious to know more about how to build socially just workplaces, we invite you to use and adapt these policies to make them relevant to your context. If you have used any of our policies, we request you to please credit us.
You can learn more about us, our journey, how we work, and our commitment to Nurturing Radical Kindness through our internal organisational Manifesto: Sunflowers. We would also love to hear from you – if you have any feedback, questions, or comments, please feel free to use this form.
Some guidance on using this policy:
We understand that each organisation is distinctly placed and works in different contexts and within diverse realities, and that organisational policies have to be resilient and responsive to these contexts. With this in mind, we would like to share the following guidance for your reference:
- All the segments marked in yellow and/or left blank are spaces for you to update with details which are relevant to your organisational contexts.
- The entire policy may not be applicable as it is – please treat this as an invitation to adapt parts of it to better suit your demands.
- The policies are developed in the context of the legal obligations, politics, and resources available to One Future Collective. Whenever you are developing your organisational policies, please ensure that you are conducting your own due diligence in relation to compliance and other obligations that you may have to adhere to.
- Some key identifying information and details about processes unique to our organisation are anonymised from the drafts below for reasons of privacy and confidentiality.
In case you would like to reach out to us to get to know more about a policy or are feeling a bit stuck, please don’t hesitate to reach out to us at info@onefuturecollective.org.
Our Risk Assessment and Management Policy
| | |
|---|---|
| Date of adoption | _____________________ |
| Date of review | _____________________ |
| Policy Holder | _____________________ |
| Queries | _____________________ |
1) Purpose
The purpose of this risk assessment and management policy is to identify areas of vulnerability for <Name of Organisation> and to pinpoint potential risks which can cause harm [financially or otherwise] to its organisational and business goals, assets, and staff members. This policy is to be used by employees at <Name of Organisation> in order to identify potential risks in their work and develop strategies to mitigate them.
2) Process
This policy was developed in order to address the need for identifying key risks that <Name of Organisation> should be mindful of in the process of developing its projects and plans of action. This policy has been drafted with the intention of serving as an overview of the existing categories of risk that may exist at <Name of Organisation>, while simultaneously providing a framework for an evolving risk assessment and management practice that the team can develop for every project that is or will be undertaken.
3) Scope and Applicability
This policy applies to all the activities carried out by <Name of Organisation>. It forms a part of the governance framework at <Name of Organisation> and is applicable to all employees, contractors, volunteers, and interns engaged by <Name of Organisation> in whichever capacity, whether paid or unpaid.
4) Definitions
- Impact rating matrix refers to the matrix laid out in Section 9 of the policy. It helps in identifying the likelihood of the potential risk identified as well as the severity of its impact.
- Risk refers to a situation which can expose <Name of Organisation> to any form of danger. This includes exposure of <Name of Organisation>'s business activities and business assets, as well as its staff members.
- Risk assessment refers to the process of identifying potential risks that fall within this policy and developing suitable strategies to avoid them, mitigate their impact, or respond to them so as to reduce their negative impact to the greatest possible extent.
- Risk Governance Structure refers to the risk governance structure laid out in Section 5 of this policy.
- Risk Management Process refers to the process that should be followed by all <Name of Organisation> employees, contractors, volunteers, and interns engaged by <Name of Organisation> if they are faced with a potential risk impacting, directly or indirectly, <Name of Organisation> or any of its staff members in their professional capacity.
- Risk Mitigation refers to the process of developing strategies to ensure that risks are avoided to the best possible extent.
- Risk Mitigation and Response Matrix refers to the matrix laid out in Section 10 of the policy. It helps the different project leads to identify risks and strategise accordingly in order to avoid, mitigate, or respond to them adequately.
- Risk mitigation and response measures refer to measures which are to be taken in response to a situation where a risk has already arisen.
5) Risk Governance Structure [Update as necessary]
| Designation [Update as necessary] | Responsibility [Update as necessary] |
|---|---|
| Founder/CEO | The Founder/CEO is responsible for: (i) review and approval of the Risk Assessment and Management Policy; (ii) signing off the annual risk assessment and management report. |
| Leads | The organisation's risk management framework is overseen and driven by vertical leads at OFC. Accordingly, they are responsible for: (i) monitoring and implementation of the Risk Assessment and Management Policy; (ii) drafting the annual risk assessment and management report; (iii) coordinating with the Managers to review, update, and amend the risks identified and mitigation strategies as the need arises; (iv) identifying the risks that exist and may arise in relation to the projects carried out under their verticals, as well as mitigation strategies for the same; (v) co-implementation of the Risk Assessment and Management Policy along with the CEO; (vi) conducting an annual review of the risks identified and the associated mitigation strategies and updating them. |
| Project Leads | The respective project leads are responsible for: (i) identifying the risks associated with their projects and developing a risk assessment and management strategy for the same; (ii) ensuring that they have raised potential risks and presented their mitigation strategies to the respective leads of the vertical, and have received their approval, at the beginning of the project as well as subsequently at suitable points; (iii) carrying out the recommended risk mitigation strategies to ensure that risks are mitigated to the best of their ability. |
| Staff members, including senior associates, associates, volunteers, interns, and contractors | All staff members are responsible for complying with the provisions of this policy and applying them to all areas of work being carried out for and/or on behalf of OFC. Where relevant, each staff member is responsible for identifying the specific risks associated with their deliverables and mitigating and/or responding to them in accordance with this policy. |
6) Risk Management Process
The risk management process is a four-step process involving the following:
- Risk identification involves identifying the different risks that may be associated with the vertical and/or project that is being undertaken at <Name of Organisation>. These risks can be strategic, financial, legal, reputational, and/or related to human resources.
- Risk assessment involves carrying out an examination of the seriousness and likelihood of the risk that has been identified. Some questions to consider while carrying out a risk assessment include:
  - How likely is it that the risk will materialise?
  - What is the potential impact of the risk, in case it materialises?
  - How long before the risk is likely to become a realistic possibility?
- Risk control measures involve laying down the potential control measures to ensure that the risk is avoided where possible. If the risk cannot be avoided, then these measures should be designed with the intention to mitigate the impact of the potential risk.
- Risk Management refers to instances where the risk control measures are to be implemented after a risk has arisen. It is necessary that the risk management process is documented and shared for review after the risk has subsided.
- Review control measures refers to the process of reviewing the current risk control measures on a regular basis to inspect for any weaknesses and updating and/or amending them accordingly.
7) Integration with other processes and systems
Risk management as a process is factored into different areas of <Name of Organisation> operations, including its organisational and project continuity plans and its project planning and management. Accordingly, this policy is to be read in conjunction with other organisational policies, project plans, and budgets. The following is the process to be followed to comply with this policy:
- Every project proposal should integrate the risk assessment and mitigation sheet.
- This sheet is to be reviewed every week and updated in time for the weekly tracking meeting.
- Every project lead is in charge of submitting a risk assessment report to the Vertical Leads at the end of each project or by February of each year (whichever is earlier) in order to facilitate the filing of the risk assessment and mitigation report.
8) Risk Identification
The different risks that are likely to arise in relation to <Name of Organisation> as an organisation or in relation to a vertical or project are as follows.
- Strategic risks refer to risks associated with the strategy and planning of activities undertaken by <Name of Organisation>. This may include unexpected natural/human-made emergencies, implementation delays, and lack of stakeholder approvals, such as from specific government agencies. Very often, these risks may also fall under one of the following categories.
- Legal/Regulatory risks refer to risks associated with legal licensing and approvals. These licences and approvals may relate to <Name of Organisation> organisationally as well as for projects specifically.
- Financial risks refer to risks associated with funding related aspects of projects including cash flow related risks, funding for physical and technical infrastructure, human resources, and logistical support.
- Reputational risks refer to risks associated with <Name of Organisation> reputation as a whole. These generally relate to perceptions of integrity, reliability, expertise, and quality of work carried out by <Name of Organisation> and the relevant team members.
- Staff related risks refer to risks associated with staff members, their performance at work, as well as retention and attrition rates.
9) Risk Assessment
Once the risks are identified as per Section 8 of this policy, the potential impact of these risks can be mapped on the basis of the following matrix, provided as ‘Table 1. Impact Rating Matrix’ below. The vertical axis represents the ‘likelihood’ of the risk taking place and the horizontal axis represents the ‘impact’ or ‘severity’ of the risk, should it take place. On the basis of this combination, risks are classified into low risk, moderate risk, and high risk.
Table 1. Impact Rating Matrix
Key:
Vertical axis – Likelihood
Horizontal axis – Impact
| Likelihood \ Impact | Negligible | Minor | Moderate | Significant | Severe |
|---|---|---|---|---|---|
| Very Likely | Low | Moderate | High | High | High |
| Likely | Low | Moderate | Moderate | High | High |
| Possible | Low | Low | Moderate | Moderate | High |
| Unlikely | Low | Low | Moderate | Moderate | Moderate |
| Very Unlikely | Low | Low | Low | Moderate | Moderate |
It is recommended that each organisation defines clear thresholds for each likelihood and impact level, so that the severity of the risks identified can be rated consistently.
10) Risk Mitigation and Response
Once the risks have been identified as per Section 8 and been assessed as per Section 9 of this policy, the following table needs to be filled in order to highlight the different strategies that are in place to control, mitigate, and/or respond to the potential risk that may arise. It is generally recommended that risks are mitigated from the beginning rather than responded to. The mapping matrix for the purposes of risk mitigation and response is provided as ‘Table 2. Risk Mitigation and Response Matrix’ below. Please note that Annexure 1 has a sample risk mitigation and response matrix which can be used as reference.
All relevant members of the team are requested to develop and fill out the Risk Mitigation and Response Matrix as per Section 7 above.
Table 2. Risk Mitigation and Response Matrix
| Vertical [Which vertical does this risk affect?] | Stream of Work [Which stream of work does this risk affect?] | Risk Event [Which event poses a risk, and of what level?] | Impact Rating [Where does this event fall on the impact rating matrix?] | Mitigation Response [What can we do to ensure that the risk event does not occur?] | Risk Trigger [How do we tell if a risk event is underway?] | Contingency Response [What are the steps for immediate corrective action?] | Person Responsible [Who is responsible for mapping this risk and executing the response?] |
|---|---|---|---|---|---|---|---|
| | | | | | | | |
11) Risk Assessment Report
The Vertical Lead is responsible for drafting the annual risk assessment report with the following information:
- A brief overview of the Risk Assessment and Management Policy in place for the year. If the policy is newly introduced or substantially amended, the report should highlight the process of such drafting and/or amendment;
- Details of the risks which have taken place over the year and the strategies used to mitigate and/or to respond to them;
- Assessment of the suitability of the current risk mitigation and management strategy;
- Recommendations on alterations that need to be made, if any;
- Any other information which may be relevant.
Annexure 1. Sample Risk Assessment and Mitigation Sheet
| Vertical [Which vertical does this risk affect?] | Stream of Work [Which stream of work does this risk affect?] | Risk Event [Which event poses a risk, and of what level?] | Impact Rating [Where does this event fall on the impact rating matrix?] | Mitigation Response [What can we do to ensure that the risk event does not occur?] | Risk Trigger [How do we tell if a risk event is underway?] | Contingency Response [What are the steps for immediate corrective action?] | Person Responsible [Who is responsible for mapping this risk and executing the contingency response?] |
|---|---|---|---|---|---|---|---|
| Digital | Promotions on social media | Fatal threats against the team in comments or DMs | Moderate (Possible / Significant) | 1. Ensure that private information about team members, such as personal email IDs, personal social media handles, phone numbers, and addresses, is not shared online. 2. Be clear in our communication that we are representing an organisation, not an individual team member. 3. Where possible, be mindful of the content that is being shared online. 4. To the extent possible, monitor our follower base to filter out bots, fake accounts, and trolling accounts. | 1. There is a general wave of discomfort/disagreement being shown online at a particular post/piece we have shared. 2. The post we have made is being circulated widely and beyond our general circles, and there are instances where it has been taken out of context and intentionally misinterpreted. | 1. Ensure the safety of all team members through an emergency meeting/check-in. If needed, inform the next best friend. 2. Disable the comment and direct message functions for a short while. 3. Communicate openly why the chat function and the direct message functions have been disabled. | |