Policies and Resources

SECURITY, WELLBEING, AND PROSPERITY AT ROLE INITIATIVE: Risk Management Policy

In the Kayndrex Foundation, risk management enhances strategic planning and prioritisation, assists in achieving objectives, and strengthens the ability to respond with agility to the issues faced. While risk management practices have improved over time across the foundation, the volatility, complexity, and ambiguity of our operating environment have increased, as have demands for greater transparency and responsibility for managing the effect of risks. This guidance builds on the Security, Wellbeing, and Prosperity at Role Initiative to help improve risk management further and to embed it as a routine part of how we operate.

Risk is inherent in everything we do. Effective and meaningful risk management in the Kayndrex Foundation remains as important as ever in taking a balanced view of managing opportunity and risk. It is an integral part of informed decision-making, from project inception through implementation to the everyday delivery of benefit. At its most effective, risk management is as much about evaluating the risks and implications within the available options as it is about managing effects once choices are made. It is about being realistic in assessing the risks to projects and programmes and in considering the effectiveness of the actions taken to manage those risks.

As an integrated part of our management systems, and through the normal flow of information, the Foundation’s risk management strategy harnesses the activities that identify and manage the uncertainties faced and systematically anticipate and prepare successful responses.

As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture embraces openness, supports transparency, welcomes constructive research, and promotes collaboration, consultations and co-operation. We invite scrutiny and embrace expertise to inform decision-making. We also invest in the necessary capabilities and seek to continually learn from experience.

This policy document has benefited from discussions with stakeholders and practitioners across the industry. We are grateful for their time and their valuable insights.

This document is intended for application by everyone involved in the design, operation, and delivery of efficient trusted public investments. Its primary audience is likely to be:

  • Executive and non-executive members of the foundation,
  • Audit and Risk Assurance Committee members,
  • Risk practitioners,
  • Senior leadership,
  • Policy leads, and
  • Programme and Project Senior Responsible Officers (SROs).

The members of the foundation should actively seek to recognise risks and direct the response to these risks. It is for each accounting officer, supported by the members, to decide how. The members and accounting officer should be supported by an Audit and Risk Assurance Committee, who should provide proactive support in advising on and scrutinising the management of key risks and the operation of efficient and effective internal controls.

This policy document lists the main principles for risk management in the foundation. In considering the effectiveness of risk management arrangements, assessing compliance with the foundation’s Code of Conduct requirements, and overseeing the preparation of the governance statement, the members shall consider adherence to the main principles, which are mandatory requirements.

The main principles are the core of this policy. The way in which they are applied should be the central question for a member as it determines how it is to operate in accordance with the Code of Conduct. The foundation is required to disclose compliance or to explain their reasons for departure clearly and carefully in the governance statement accompanying their annual resource accounts. The requirement for an explanation allows flexibility, but also ensures that the process is transparent, allowing stakeholders to hold firms and their leadership to account.

The principles can be applied within and across departments, arm’s length bodies and firms with linked objectives, and to activity at any level of decision-making.

The principles should be applied to inform the foundation’s approach to risk management and its own more detailed policies, processes, and procedures. Implementing and improving the risk management strategy should support an incremental approach to enhancing risk management culture, processes, and capabilities over time, building on what already exists to achieve improved results.

Risk Management Strategy

The risk management strategy supports the consistent and robust identification and management of opportunities and risks within desired levels across the foundation, supporting openness, research, innovation, and excellence in the achievement of objectives. For the risk management strategy to be considered effective, the following principles shall be applied:

  • Risk management shall be an essential part of governance and leadership, and fundamental to how the foundation is directed, managed, and regulated at all levels.
  • Risk management shall be an integral part of all the foundation’s activities to support decision-making in achieving objectives.
  • Risk management shall be collaborative and informed by the best available information and expertise.
  • Risk management processes shall be structured to include:
    • Risk identification and assessment to determine and prioritise how the risks should be managed;
    • The selection, design, and implementation of risk treatment options that support achievement of intended results and manage risks to an acceptable level;
    • The design and operation of integrated, insightful, and informative risk monitoring; and
    • Timely, accurate, and applicable risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.
  • Risk management shall be continually improved through learning and experience.

Risk categories

Strategy Risks

Risks arising from identifying and pursuing a strategy, which is inadequately defined, is based on inaccurate data or is unsuccessful in supporting the delivery of commitments, plans, or objectives due to a changing macro-environment.

Governance Risks

Risks arising from unclear plans, priorities, authorities, and responsibilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.

Operations Risks

Risks arising from inadequately designed or ineffective/inefficient internal processes resulting in dishonesty, inaccuracy, compromised investor expectations (quality and/or quantity of investment), non-compliance, and/or inadequate value for money.

Legal Risks

Risks arising from an unreliable transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in an accountability, or inability to take appropriate measures to fulfil legal or regulatory requirements or to protect assets (for example, intellectual property).

Property risks

Risks arising from property imperfections or inadequately designed or ineffective/inefficient safety management resulting in non-compliance and/or susceptibility of personnel, contractors, investment operators or the public.

Financial Risks

Risks arising from inadequate management of finances in accordance with requirements and financial checks resulting in inadequate returns from investments, inability to manage assets/responsibilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.

Commercial Risks

Risks arising from vulnerabilities in the management of commercial partnerships, supply chains, and contractual requirements, resulting in inadequate performance, inefficiency, inadequate value for money, dishonesty, and/or inability to fulfil firm requirements/objectives.

People Risks

Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies resulting in undesirable effect on performance.

Technology Risks

If technology is hoarded or not shared, there is a risk that the expected benefits may not be realised because the systems and processes have not been adequately developed or put to work, or because they lack sufficient resilience to handle unexpected challenges.

Information Risks

Risks arising from the inability to produce robust, suitable, and appropriate data/information and to apply data/information to its full potential.

Security Risks

Risks arising from the inability to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with the foundation’s data protection policy.

Project/Programme Risks

Risks that change programmes and projects are not aligned with strategic priorities, or fail to deliver requirements and intended benefits safely and to time, cost, and quality.

Reputational Risks

Risks arising from adverse events, including ethical upset, unsustainability, systemic or repeated failures, inadequate quality, or inactivity, leading to damage to reputation and/or trust and relations.

Inability to manage risks in any of these categories can lead to financial, reputational, legal, regulatory, safety, security, environmental, personnel, investor, and operational consequences.

In stating risks, care should be taken not to state the consequences that can arise as if they were the risks themselves, i.e. identifying the symptoms while excluding their cause(s). Equally, care should be taken not to define risks with statements that are simply the converse of the objectives, i.e. the inability to achieve the intended result.

Firms typically assess consequences using a combination of criteria, which commonly include financial, reputational, legal, regulatory, safety, security, environmental, personnel, investor, and operational effects. The criteria used should be dynamic and should be periodically reviewed and amended as necessary. Scales should allow sufficient range for ranking and prioritisation purposes, based on assigning a value to each risk against the defined criteria.

When assigning a consequence rating to a risk, the rating for the highest credible (most severe plausible) scenario should be assigned.

The risk analysis process defines the level of risk, based on the assessment of the likelihood of the risk occurring and the consequences should the event happen. Likelihood is the assessment of the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described in general terms or mathematically (such as a risk or a frequency over a given time period).

Risk analysis should also consider:

  • Sensitivity and confidence levels, based on the information available;
  • Complexity and connectivity;
  • Time-related factors and volatility; and
  • The effectiveness of existing internal management.

Internal management is the dynamic and iterative set of processes, policies, procedures, activities, devices, practices, or other conditions and/or actions that maintain and/or modify risk. Internal management permeates and is inherent in the way the foundation operates and is affected by cultural and behavioural factors.

Where additional action is required to bring the levels of risk within the nature and extent that a firm is willing to take to achieve its objectives, the firm should select, develop, and implement options for addressing risk through preventive, directive, and/or corrective regulations that manage risks to an acceptable level. These could be manual or automated. This involves an iterative process of:

  • Planning and implementing internal management;
  • Assessing the effectiveness of internal management;
  • Deciding whether the nature and extent of the remaining risk after the implementation of internal management is acceptable; and
  • If unacceptable, reassessing options and taking further action where appropriate.

Internal management, even if carefully designed and implemented, could prolong the intended or expected results. Internal management can also introduce new risks that need to be managed.

Assurance is a general term for the confidence that can be derived from objective information over the successful conduct of activities, the efficient and effective design and operation of internal control, compliance with internal and external requirements, and the production of insightful and credible information to support decision-making. Confidence moderates when there are risks around the integrity of information or of basic processes.