Risk Management Policy

IALM

Risk Management Policy

1. Policy objective

The Institute for Advanced Learning and Metacognition (IALM) defines “risk” as the uncertainty surrounding events and their outcomes that may have a significant impact — whether enhancing or inhibiting — on any area of the Institute's work.

In line with Charity Commission guidance (Charities and risk management — CC26), the objective of this Policy is to provide a structured framework for managing organisational risk. This supports the achievement of our strategic objectives, protects our beneficiaries, people and assets, and helps ensure the Institute's long-term sustainability.

The Policy provides a framework to:

  • define risk governance and accountability;
  • identify the principal risks facing the Institute;
  • assess and prioritise the most significant risks;
  • develop and monitor strategies to mitigate them; and
  • communicate and report risks to the Board and stakeholders.

2. Risk governance

IALM maintains a clear hierarchy of responsibility for risk management:

RoleResponsibility
Board of TrusteesHolds ultimate responsibility for the system of risk management and internal control. The Board identifies and reviews strategic, operational, financial, regulatory, people, political and environmental risks, and must be satisfied that risk management is embedded throughout the Institute.
Audit and Risk CommitteeReviews the Priority Risk Log at each meeting, assesses the effectiveness of the risk management system, and provides assurance to the Board.
Executive / operational leadershipReviews key risks, issues and actions, and decides whether priority risks should be introduced, amended or replaced in response to events.
Managers, staff and volunteersComply with the Institute's risk processes and foster an environment in which risks are identified and escalated promptly.

The Institute's governance structure continues to develop. Until an Audit and Risk Committee and an executive team are established, the Board of Trustees fulfils these functions directly.

3. Identifying principal risks

Risk management is integrated into IALM's planning, performance management and project management. While individual projects assess the risks specific to them, the Board focuses on the enterprise-wide risks that could affect the Institute as a whole. IALM maintains a risk register, in which risks are categorised as follows:

  • Strategic — risks to the achievement of our charitable objects and long-term vision;
  • Operational — risks to core service delivery and research activities;
  • Financial — risks to funding, liquidity and financial probity;
  • Legal and regulatory — risks of non-compliance with charity law, data protection law or other legislation;
  • Political and environmental — risks arising from changes in the educational or socio-political landscape; and
  • People — risks relating to the recruitment, retention and wellbeing of staff and volunteers.

Reputational risk is treated as cross-cutting: any mitigation strategy must address the potential reputational impact of the underlying risk.

4. Assessing priority risks

From the risk register, the Board selects a smaller set of priority risks for closer monitoring — those representing the most significant challenges in the current environment. Each priority risk is recorded with the following dimensions:

  1. Risk appetite — categorised as High, Medium, Medium/Low, or Low.
  2. Significance — rated on a scale of 1 to 5 (where 5 is the most significant).
  3. Probability — rated on a scale of 1 to 5 (where 5 is the most probable).
  4. Worst-case outcome — a description of the potential impact, with financial quantification where appropriate.
  5. Direction of travel — whether the risk is static, improving or worsening since the previous review.

5. Mitigation and RAG status

Each priority risk is assigned an owner responsible for its mitigation strategy. IALM uses a Red/Amber/Green (RAG) status to track the progress of mitigation:

  • Red — the mitigation strategy is not yet finalised, or the current strategy has proven inadequate;
  • Amber — a mitigation strategy has been developed but is not yet fully implemented;
  • Green — all planned actions to mitigate the risk have been successfully implemented.

6. Monitoring, review and reporting

  • Annual review: the trustees conduct an annual in-depth review of the principal risks the Institute faces and is willing to take, balancing opportunity with the need to protect the Institute and its reputation;
  • Assurance: assurance and audit activity is informed by the priority risks, so that it focuses on the most critical areas;
  • Partner due diligence: IALM assesses the risk, safeguarding and financial controls of potential partners, and will not partner with organisations whose risk frameworks are inadequate; and
  • External reporting: in accordance with the Charities SORP, IALM describes its principal risks and the adequacy of its risk management in its Annual Report.

7. Related policies and guidance

8. Review of this Policy

This Policy will be reviewed by the Board of Trustees at least every two years, or sooner if required by changes in law, regulation or the Institute's circumstances, to ensure it remains effective.

The Board of Trustees approved this policy on 24th June 2026.

Scroll to Top