What is a corporate wellbeing programme?

An employer-funded service combining mental, physical, financial and social health support for staff. MEM Academy pairs coach-led corporate fitness sessions with a self-serve wellbeing curriculum and ESG/SROI reporting so the spend is provable at year-end.

How much does it cost?

Programmes start at a fixed per-seat monthly fee. A 100-person pilot typically lands between £6 and £14 per seat per month depending on coach hours, on-site cadence and reporting depth.

How quickly can we launch?

Two to four weeks from contract — Week 1 diagnostic, Week 2 design, Week 3 launch comms, Week 4 first sessions delivered. First board report at end of Q1.

What ESG evidence do we get back?

A quarterly board-ready report with workforce KPIs (absence, wellbeing score, participation) plus a verified SROI figure showing social value per £1 spent — suitable for the Social-S section of your annual report.

07 — Risk Policies & Control Library

For every risk family in 06-risk-register.md, this file lists the policies and active controls. Controls are either preventive (P) or detective (D) or corrective (C).

Safeguarding

P — Coach assessment + Ethics Gate (Sprint 7 §04)
P — Mandatory safeguarding training, refreshed annually
P — Clear scope statement: MEM is non-clinical; signposting only (see project memory)
D — Weekly DSL review of all flags; monthly safeguarding review meeting
C — Suspension protocol (Sprint 7 §09); incident runbook §08

Regulatory (esp. FCA boundary, financial wellbeing strands)

P — FCA boundary card (Sprint 4 §01) issued to every coach
P — Decision tree for signposting vs advice (Sprint 4 §06)
D — Quality assurance rubric scores boundary adherence on every observed session (Sprint 7 §08)
C — Immediate retraining or suspension on breach; client notified

Commercial

P — ICP discipline (Sprint 6 §01) — hard disqualifications written down
P — SoW with quality gates and service credits (Sprint 6 §07)
D — Weekly pipeline review; client health RAG in 03-weekly-delivery-review.md
C — Save-the-client protocol; pricing discount approvals per §02 RACI

Financial

P — Cash forecast updated monthly; 9-month minimum runway target
P — Discount approval matrix (§02); no client > 35% of ARR without board approval
D — Monthly finance pack at MBR; AR ageing dashboard
C — Hiring freeze trigger at 6-month runway; spend freeze trigger at 4-month runway

Data & Privacy

P — DPO accountable; sub-processor list maintained; DPIA on every new data flow
P — Suppression rules (n<5) in published reports (Sprint 8 §05)
P — Least-privilege IAM; RLS on all participant tables
D — Quarterly access review; automated breach detection on auth + storage logs
C — Breach runbook per §08 (Sev 1); ICO notification within 72h when in scope

People

P — Coach supervision (Sprint 7 §07); CPD requirements; eNPS quarterly
P — Workload caps per coach (max cohorts, max 1:1s)
D — Monthly utilisation review at MBR
C — Coach offboarding protocol (Sprint 7 §09)

Delivery

P — Hybrid playbook + modality decision matrix (Sprint 5)
P — Cohort RAG thresholds (§03)
D — Weekly delivery review; pulse surveys; rolling NPS
C — Coach swap protocol; client recovery plan template

Reputational

P — Publication & correction policy (Sprint 8 §10)
P — Composite case study protocol (Sprint 8 §09)
D — Media monitoring; quarterly comms review
C — Public correction workflow (5-day SLA); CEO + Board chair sign-off on statements

Strategic

P — Key-person plan: every C-level role has a documented deputy + 90-day continuity note
P — Quarterly strategy review (§05) forces re-examination
D — Top-15 risk snapshot tracked QoQ
C — Board-led intervention triggers documented in shareholder agreement

Control effectiveness review

Every control is rated annually:

Rating	Meaning
Effective	Operating as designed, tested in last 12 months
Partially effective	Operating, but with known gaps or no recent test
Ineffective	Not operating, or failed last test → escalate to MBR

A High residual risk with no Effective controls is an MBR escalation by default.