
Risk Management and Continuity Policy

Version 1.2
Status Active
Last Updated Jul 14, 2025
Next Review Jul 14, 2026
Responsible Officer Governance Lead / Board Secretary

Purpose and Scope

This policy establishes NSEMM’s framework for identifying, assessing, managing, and monitoring risks that could impact our ability to achieve charitable objectives. It applies to all activities, services, and operations across the organisation.

Effective risk management protects NSEMM’s students, staff, reputation, and resources while enabling us to pursue our educational mission with confidence. This policy aligns with Charity Commission guidance CC26 and supports our duty to protect charitable assets and beneficiaries.

Risk Management Framework

Risk Appetite Statement

NSEMM adopts a conservative-moderate risk appetite. We take a conservative approach in the following areas:

  • Safeguarding and child protection, with zero tolerance for risks in this area
  • Financial management and regulatory compliance, where we maintain strict controls
  • Data protection and information security, where we implement comprehensive protections
  • Health and safety of students and staff, where we prioritise prevention and protection
  • Reputation and brand protection, where we carefully manage public perception and stakeholder confidence

We take a moderate approach in the following areas:

  • Educational innovation and service development, where we balance innovation with proven practice
  • Technology adoption and digital platforms, where we embrace beneficial technology while managing associated risks
  • Partnership and collaboration opportunities, where we pursue strategic relationships with appropriate due diligence
  • Fundraising and income diversification, where we explore new opportunities while protecting existing revenue streams
  • Geographic expansion of services, where we consider growth opportunities within our capacity and expertise

Our risk tolerance levels are defined as follows:

  • Low risk: acceptable without additional controls
  • Medium risk: acceptable with appropriate mitigation measures
  • High risk: requires immediate action and ongoing monitoring
  • Critical risk: unacceptable; requires immediate escalation to trustees

Governance Structure

The Board of Trustees holds ultimate responsibility for risk management including approving risk appetite and strategy, conducting quarterly review of significant risks, performing annual assessment of risk management effectiveness, and ensuring adequate resources are allocated to risk management activities.

The CEO and Chief Operations Officer manage day-to-day risk management implementation through monthly review of operational risks, escalation of significant risks to trustees when they arise, coordination of risk mitigation activities across the organisation, and ensuring staff understand and implement risk management procedures.

All staff and volunteers contribute to risk management through identification and reporting of risks as they emerge, implementation of risk controls in their daily work, participation in risk assessment processes when required, and compliance with risk management procedures and training requirements.

Risk Categories

Strategic Risks

Charitable purpose and mission risks include failure to deliver educational objectives effectively, loss of charitable status or regulatory compliance issues, inadequate impact measurement and reporting systems, and mission drift or strategic confusion that undermines our core purpose.

Funding and sustainability risks encompass over-dependence on single funding sources, failure to diversify income streams adequately, economic downturn affecting donations and revenue, and grant funding withdrawal or reduction that could impact service delivery.

External environment risks involve educational policy changes affecting operations, increased competition from other providers in our sector, technology disruption in the education sector that could affect our relevance, and regulatory changes impacting charity operations and compliance requirements.

Operational Risks

Service delivery risks include inability to recruit qualified tutors and mentors, service quality falling below acceptable standards, student safety incidents during sessions, and technology platform failures affecting learning delivery and student experience.

Human resources risks encompass key staff departure or absence affecting continuity, inadequate training or professional development limiting effectiveness, workplace accidents or occupational health issues, and volunteer recruitment and retention challenges affecting service capacity.

Infrastructure and resources risks involve IT system failures or cyber security breaches compromising operations, inadequate premises or facilities for service delivery, equipment failure or maintenance issues disrupting services, and supply chain disruption affecting operations and service quality.

Financial Risks

Income management risks include cash flow problems affecting day-to-day operations, fraud or financial irregularities compromising financial integrity, currency fluctuation affecting international activities, and bad debt or uncollectable receivables impacting revenue.

Cash Flow Thresholds: NSEMM maintains a minimum cash threshold of 2 months' operating costs; emergency action is triggered when available cash falls to this threshold. Target reserves of 6 months' operating costs are maintained to ensure financial sustainability and operational continuity.

Expenditure control risks encompass budget overruns or uncontrolled spending exceeding approved limits, unexpected major expenditure requirements straining resources, poor value for money in procurement affecting efficiency, and pension or employment liability increases affecting sustainability.

Investment and assets risks involve poor investment performance affecting reserves, property devaluation or unexpected maintenance costs, equipment obsolescence or replacement needs requiring significant investment, and insurance coverage gaps or claim disputes affecting protection.

Compliance and Legal Risks

Regulatory compliance risks include Charity Commission investigation or sanctions affecting operations, HMRC issues affecting tax status and financial standing, educational regulation non-compliance impacting service delivery, and employment law breaches affecting staff relations and legal standing.

Legal and contractual risks encompass contract disputes with suppliers or partners affecting relationships, intellectual property infringement claims creating legal liability, data protection breaches and GDPR violations compromising privacy, and litigation from students, staff, or third parties affecting reputation and resources.

Reputational Risks

Safeguarding and safety risks include child protection incidents or allegations affecting trust, staff misconduct or inappropriate behaviour damaging credibility, health and safety accidents or incidents compromising confidence, and inadequate response to safeguarding concerns undermining stakeholder faith.

Public relations risks involve negative media coverage or social media criticism affecting reputation, student or parent complaints becoming public and affecting perception, partner organisation controversies affecting NSEMM by association, and transparency or governance criticisms affecting stakeholder confidence.

Risk Assessment Process

Risk Identification

Risks are identified through multiple sources including systematic reviews conducted through annual strategic risk assessment, quarterly operational risk review, monthly departmental risk discussions, and post-incident analysis and learning to prevent recurrence.

Ongoing monitoring involves staff and volunteer reporting of emerging risks, student and parent feedback about concerns, external stakeholder input on potential issues, and regulatory guidance updates that might affect operations.

Environmental scanning includes sector trend analysis to identify emerging risks, policy development monitoring to anticipate changes, technology advancement tracking to understand implications, and economic and social change assessment to understand broader impacts.

Risk Analysis

Each identified risk is assessed using standardised criteria. Likelihood is assessed on the following scale (chance of occurrence in the next 12 months):

  • Very low: less than 5%
  • Low: 5-15%
  • Medium: 15-40%
  • High: 40-70%
  • Very high: over 70%

Impact is assessed on the following scale:

  • Very low: minimal impact on operations or objectives
  • Low: minor disruption that is easily managed
  • Medium: moderate impact requiring management attention
  • High: significant impact affecting key objectives
  • Very high: severe impact threatening organisational viability

The risk score is calculated by multiplying likelihood by impact, giving a range from 1-25. Risk classification is defined as low risk for scores 1-6, medium risk for scores 8-12, high risk for scores 15-20, and critical risk for a score of 25.

Risk Evaluation

Risks are prioritised based on their risk score and classification level, potential impact on charitable objectives and mission delivery, regulatory or legal requirements that must be met, available resources for mitigation activities, and time sensitivity of potential impact on the organisation.

Risk Treatment Strategies

Risk Response Options

Risk acceptance is appropriate when the risk level is acceptable within our risk appetite, the cost of mitigation exceeds potential impact, no viable mitigation options are available, or when regular monitoring and review can continue to manage the risk effectively.

Risk avoidance involves eliminating activities creating unacceptable risks, changing processes to remove risk sources, withdrawing from high-risk partnerships or markets, and redesigning services to avoid problematic elements while maintaining service quality.

Risk mitigation includes implementing controls to reduce likelihood of occurrence, developing measures to limit potential impact, creating contingency plans for risk events, and enhancing monitoring and early warning systems to detect problems early.

Risk transfer encompasses purchasing insurance coverage for insurable risks, arranging contractual risk transfer to suppliers or partners, outsourcing high-risk activities to specialist providers, and establishing joint ventures or partnerships to share risks appropriately.

Control Implementation

Preventive controls include comprehensive policies and procedures preventing risk events, training and awareness programmes for all staff, regular audits and compliance monitoring systems, and system controls and access restrictions to prevent unauthorised activities.

Detective controls encompass performance monitoring and reporting systems, regular review and inspection processes, incident reporting and investigation procedures, and external audit and independent assessment to identify issues.

Corrective controls involve incident response and recovery procedures, business continuity and disaster recovery plans, crisis management and communication protocols, and learning and improvement processes to prevent recurrence.

Risk Monitoring and Reporting

Ongoing Monitoring

Key Risk Indicators are defined for each significant risk and monitored regularly to provide early warning of potential problems. Safeguarding KRIs include the number of safeguarding concerns reported, time taken to respond to incidents, staff training completion rates, and DBS check compliance levels across the organisation.

Financial KRIs encompass monthly cash flow position monitoring, budget variance analysis, debtor payment times, and reserve levels against target to ensure financial sustainability and early identification of potential problems.

Operational KRIs include student satisfaction scores, tutor recruitment and retention rates, technology platform uptime percentages, and complaint volumes and resolution times to monitor service quality and operational effectiveness.

Compliance KRIs cover policy review completion rates, training compliance levels across all staff, audit recommendation implementation progress, and regulatory correspondence volume to ensure ongoing compliance with legal and regulatory requirements.

Reporting Structure

Monthly reports provide operational risk dashboard information for senior leadership, key risk indicator updates, details of new risks identified and assessed, and mitigation action progress updates to ensure ongoing oversight.

Quarterly reports include comprehensive risk register review for trustees, strategic risk assessment updates, risk appetite and tolerance review, and external risk environment analysis to inform strategic decision-making.

Annual reports encompass complete risk management effectiveness review, risk strategy and appetite reassessment, benchmark comparison with sector organisations, and risk management policy and procedure updates to ensure continuous improvement.

Risk Register Management

Risk Register Content

Each risk entry includes a comprehensive risk description with a clear statement of the risk event, potential causes and triggers, impact description and consequences, and links to strategic objectives that might be affected by the risk materialising.

Assessment details cover current likelihood and impact scores, risk classification and priority level, assessment date and reviewer information, and previous assessment history to track changes over time and identify trends.

Control measures encompass existing controls and their effectiveness ratings, planned mitigation actions and implementation timelines, responsible individuals and departments for each action, and resource requirements and costs associated with risk management activities.

Monitoring information includes key indicators and trigger points for escalation, review frequency and next review date, escalation procedures and thresholds for senior management attention, and related risks and interdependencies that might affect risk assessment.

Comprehensive Risk Assessment

A detailed risk assessment is maintained and available on the organisation intranet, providing in-depth analysis accessible to authorised personnel. Regular updates are made by the Chief Operations Officer to ensure the currency and accuracy of risk information.

Register Maintenance

Update procedures require monthly review of all high and critical risks, quarterly review of medium risks, annual review of all risks and register structure, and immediate updates for significant risk changes that occur between scheduled reviews.

Quality assurance involves senior leadership validation of risk assessments, independent review of critical risks, consistency checks across risk categories, and alignment with organisational objectives to ensure relevance and accuracy.

Crisis Management and Business Continuity

Crisis Response Framework

A crisis is defined as any event threatening NSEMM’s ability to protect students, staff, or stakeholders from harm, maintain critical operations and services, preserve reputation and public confidence, or meet legal and regulatory obligations effectively.

Decision Authority: Joint decision-making rests with the CEO and Chief Operations Officer. In cases of disagreement, the matter escalates to a Board motion under standard Board procedures. Emergency communication uses the website as the primary channel, with email as the secondary channel.

Response levels are categorised as Level 1 for operational incidents managed by local teams, Level 2 for significant incidents requiring senior management coordination, and Level 3 for major crises requiring trustee involvement and external support.

Business Continuity Planning

Critical functions have been identified as student safeguarding and welfare, essential tutoring and mentoring services, financial management and control, and regulatory compliance and reporting to ensure continuity of our most important activities.

Recovery Time Objectives: Critical safeguarding functions must be restored within 1 hour, essential tutoring services within 24 hours maximum, and full operational capability within 72 hours to maintain service continuity and stakeholder confidence.

Technology Contingency: The primary delivery platform is Lessonspace, with Microsoft Teams as the backup platform. Platform failure response involves an immediate switch to Teams with an emergency staff briefing; because Teams requires manual recording procedures, staff need brief training on them.

Data Storage and Backup: Student data is stored across AWS, Digital Ocean, and Netwise Centra (Krystal), with the website and database maintained on separate servers for resilience. Daily backup procedures operate for both systems, and the maximum tolerated outage for complete system failure is 24 hours.

Continuity strategies include remote working capabilities for all staff, alternative delivery methods for educational services, emergency communication systems, and backup data and system recovery procedures to maintain operations during disruptions.

Recovery priorities are established as ensuring safety and security of all people first, restoring critical safeguarding functions second, resuming essential educational services third, recovering full operational capability fourth, and reviewing and improving continuity arrangements to learn from the experience.

Training and Awareness

Risk Management Training

Trustees receive annual risk management training, participate in quarterly risk register review sessions, engage in scenario planning and crisis simulation exercises, and have access to external risk management development opportunities to enhance their oversight capabilities.

Senior staff participate in comprehensive risk management training programmes, attend monthly risk discussion meetings, develop professional expertise in risk assessment techniques, and engage in cross-sector learning and networking opportunities to share best practices.

All staff receive risk awareness training during induction, regular updates on key risks and controls, incident reporting training and procedures, and understand their role-specific risk management responsibilities within the organisation.

Risk Culture Development

Communication includes regular risk awareness communications, sharing success stories and learning from incidents, providing open discussion forums about risk concerns, and integrating risk considerations into decision-making processes at all levels.

Recognition involves acknowledging good risk management practices, learning from near-miss reporting, encouraging continuous improvement suggestions, and providing professional development support for staff who contribute to risk management excellence.

External Relationships

Insurance Management

Coverage requirements include public liability insurance with minimum £6 million coverage, professional indemnity insurance appropriate to our activities, employers’ liability insurance as required by law, trustees’ and officers’ liability insurance for governance protection, cyber liability insurance for digital risks, and buildings and contents insurance where applicable to our premises.

Insurance review involves annual assessment of coverage adequacy, quarterly claims analysis and trend monitoring, market testing every three years to ensure value for money, and risk assessment updates informing coverage decisions to maintain appropriate protection.

Professional Support

Legal advice includes retained legal counsel for complex risk issues, specialist advice for employment and charity law matters, contract review and drafting support, and litigation management where required to protect the organisation’s interests.

Risk management consultancy encompasses annual external risk assessment review, specialist advice for complex risk scenarios, benchmarking against sector best practices, and training and development support to enhance internal capabilities.

Performance Measurement

Effectiveness Indicators

Quantitative measures include the percentage of risks with current assessments, number of high and critical risks reduced or eliminated, average time for risk mitigation implementation, and cost of risk management as percentage of expenditure to assess efficiency.

Qualitative measures encompass stakeholder confidence in risk management, quality of risk discussions and decision-making, integration of risk considerations in planning, and learning and improvement from risk events to enhance organisational resilience.

Annual Review Process

Review components include assessment of risk management policy and procedure effectiveness, evaluation of risk register accuracy and completeness, analysis of control effectiveness and efficiency, training needs and competency assessment, and benchmarking against sector practices.

Improvement planning involves identification of enhancement opportunities, assessment of resource requirements for improvement initiatives, development of timeline for implementation of changes, and establishment of success measures for improvement activities.

Related Policies

This policy should be read alongside:

  • NSEMM Constitution and Strategic Plan
  • Financial Management Policy
  • Safeguarding Policy
  • Health and Safety Policy
  • Data Protection Policy
  • Crisis Management Plan

Contact Information

For risk reporting and concerns, please visit our contact page. For urgent risk management guidance, the CEO, Chief Operations Officer, and senior leadership team are available through the same contact channels, with access to external advisors when appropriate.

This policy will be reviewed annually and updated to reflect changes in the risk environment, regulatory requirements, and organisational development.

Policy Details

Category Governance
Applies To All Trustees and Senior Operational Leads
Published Jul 14, 2025