Managing risk

Our corporate risks are focused in four areas to help us as a regulator to best serve the public good:

Maintaining our relevance

Risk: We do not have credibility as a regulator.

Status: Green: Robust mitigations in place. The work we have done to evolve our planning process provides us with a clear vision while allowing us to adapt quickly. Our new research, data and automation, and insight functions are making increasingly important contributions to our capacity to understand the context within which we operate and maintain our relevance as a regulator.

Maintaining our voice

Risk: We do not say the right thing at the right time.

Status: Green/Amber: Robust mitigations in place but we recognise we have further to go in setting out our regulatory position clearly on key issues. We published a small series of regulatory position statements in 2020/21 but our communications team is putting together a task and finish group in spring 2021 to consider how to make it easier for users to understand our position on key issues.

Building our capability

Risk: We do not have the skills, tools and resources to regulate and uphold the Code.

Status: Amber: Mitigations less robust. Our team adapted quickly and effectively to the remote working environment enforced by the pandemic and our productivity and impact have been at their greatest in our short history. However, despite this extraordinary commitment, the pandemic has of course placed unprecedented strains on a small team with a large responsibility. We are very conscious of the pressures on the team and we will continue to pay strong attention to managing their wellbeing, investing in their skills and development, and ensuring they are well supported with sufficient resource by increasing the momentum and inclusivity of recruitment and effectively prioritising workloads.

Maintaining our independence

Risk: We are perceived by stakeholders not to be able to operate independently as a regulator.

Status: Green/Amber: Robust mitigations in place. We consider that publishing accessible regulatory position statements, as well as strengthening our voice as a regulator, will also serve to further reinforce our independence.

These risks are owned by members of our Senior Leadership Team and reviewed each month through our Programme Review Board. We also report to Regulation Committee twice a year for independent challenge. Throughout this report we have demonstrated how we have sought to manage any threats and exploit our opportunities in these respects.

We expect all projects within our regulatory work programme to manage their risks in a proportionate way and we provide the team with our risk management policy, training, and tools to ensure this happens. Our approach is to empower project managers but to provide a route for support, challenge and escalation of risk to Programme Review Board through assigned Project Sponsors.

There has been one main engagement with Internal Audit this year: an internal audit of our approach to Compliance Checks and Rapid Reviews. Internal Audit awarded a substantial opinion, finding that while minor issues were identified with the quality assurance structure in place, the compliance checks guidance, and potential inefficiencies in the compliance checks process, these do not pose significant risk.