Beyond compliance

May 2010 supplement

Steve Fowler explains why risk policies, risk registers, action plans and risk monitoring are vital tools for charities

The SORP 2005 puts the reporting of risk management firmly on the agenda of all auditable charities[1].  But effective risk management involves far more than just compliance. It is not a ‘tick box’ exercise but a way of steering the organisation towards more effective decision making, taking advantage of possible opportunities and avoiding potential disasters.

For all aspects of the risk management processes it helps to have a ‘risk champion’. The chief executive may be supportive but is likely to have multiple responsibilities. Ideally one of the trustees should take on the role of risk champion and be prepared to put in some time to look at the risk issues, not just attending trustees’ board meetings but sitting down separately with the chief executive, for example to formulate a comprehensive risk register which will be discussed at board level.

A meaningful risk policy

Typically a charity’s risk policy will be part of its internal control and governance and will be included in the charity’s annual report.  It should give details of: 
Generally, the board and executive committee will be responsible for determining the charity’s ‘risk appetite’, in other words how much risk it feels comfortable to assume. The policy will also often indicate how frequently the charity reviews its risks and approves changes or improvements.  Key aspects of the risk management process include policies and procedures, reporting, planning and budgeting, internal and external auditing, and possibly the use of external consultants. For many charities their risk management framework will include:
 
1) reviewing risk management over the period since the last appraisal;
2) identifying and evaluating risks likely to emerge and grow in importance in the next period;
3) using risk management techniques to deal with risks;
4) recording and monitoring risks using risk registers; and
5) assigning responsibility for risks to the appropriate people.
 
A formal risk policy of this type is a ‘must have’ for most charities of any size, basically demonstrating that they take risk seriously. However, just as important – if not more so – is establishing risk awareness and a risk culture throughout the organisation. Although in theory the risk policy sets out to do this, in practice it will fail unless there is ‘buy-in’ throughout the whole organisation – and this must start at the top with the board of trustees and senior management. 

It can be very dispiriting, as one charity’s risk manager found when, while conducting a training session for junior managers, they were told that the managers’ own manager was not following the risk management approach. As David Funnell, former risk adviser at Guide Dogs[2], who was involved in preparing the recent Institute of Risk Management (IRM) publication for charities, says: ‘You need senior management at the top to help push it through and also to actually live it as well. If people do not believe in what you are trying to achieve you will never get the buy-in.’

According to John Barton, risk manager for Cancer Research UK, it is important not to have a ‘blame’ culture. ‘We try to set our risk policy around the fact that we want risks to be readily identified and evaluated. Nobody is going to get into trouble for saying that something is a risk.’ In a charity which has a good risk policy and a strong risk culture, all business decisions will be risk based. In other words, before embarking on an initiative, all those concerned will take stock of the risks such as likely public reaction, costs and the downside if the initiative fails. Every business proposal should have its own risk list.
 
The risk register

If the risk policy is the ‘how’ of risk management, the risk register is part of the ‘doing’. Basically it is a list of the major risks that the charity faces, grading each of them in terms of severity and likelihood. It also identifies the people who are responsible for each risk, details the controls in place, and may also include actions that need to be taken.

Ideally, the risk register should be compiled through a process that engages each part of the charity. Alyson Pepperill, client projects director, Oval Insurance Broking and IRM Director (see note 2), warns that having a risk register prepared by a single department rather than across functions can result in a skewed register which largely focuses just on that department’s functions. Registers that have input from all the different functions are usually broader and reflect the charity’s objectives better because each function often has its own objectives and needs to think about what is going to stop it achieving those objectives.

Having gathered the information and opinion, the second stage is rationalising that with the executive board and ideally some members of the trustee board, focusing on what the charity wants to achieve over the next one to three years.

Once a risk has been identified, the charity needs to assess the likelihood of it happening and the potential impact on the charity if it does occur. A simple method is to assign a numerical value between 1 and 8 for:

a) the likelihood of the risk happening (frequency), with a score of 1 representing low frequency and a score of 8 representing high frequency (a regular occurrence); and
b) the impact of the risk on the charity if it is realised (consequence), with a score of 1 representing no consequence and 8 representing a major consequence.
 
Multiplying the factors (frequency x consequence) allows risks to be prioritised – the higher the value, the higher the priority. The risk register documents considered risks as shown in figure 1 below.
 
Figure 1: example risk register (image not reproduced)[3]

Charities can use the risk register in several ways:
 
1) A tool for demonstrating compliance with the SORP. Production of the register enables the board of trustees to say in the annual report and accounts that there is a system for identifying, recording and managing the major risks of the charity.
2) A management tool. The risk register shows the inherent risks, the associated controls, whether these controls are working and, if they are working, the residual risk that remains. Armed with this information, the executive management and trustees can decide if they need to introduce further measures, bearing in mind the risk appetite of the charity.
3) A barometer. The risk register highlights whether specific risks are increasing or reducing, once again aiding management decision making.
4) An indicator of accumulations of risk. It is not uncommon for different departments in a charity to report the same or a very similar risk which individually they do not see as significant but which cumulatively could have a more severe effect on the charity as a whole. The oversight provided by the risk register allows the charity to identify this kind of situation.

To sum up, in the words of Oliver Boyle, chair of the IRM charities special interest group: ‘The risk register is a kind of aide-memoire to help engender discipline within the board of trustees primarily to look at the growing number of risks they have to face.’ This is particularly valuable for charities as trustees may meet infrequently when they will tend to focus on immediate issues rather than what has occurred since they last met. The risk register provides an overview of all the major risks and needs to be high on the board agenda so that the trustees know exactly what is happening.

In order to get the full benefits from the risk register charities need to recognise that it has to be a dynamic document. The charity must review it frequently and change it as necessary to reflect its strategies. For example, a charity that has been holding lots of small events may decide that going forward it will be more effective to hold just three large scale events. A decision like that could totally reshape its risk register.

The register also needs to reflect external trends. For example, the fall in property prices that occurred two years ago had the effect of reducing the value of legacy donations which are a significant source of income for some charities[4]. Identifying this risk at an early stage was important in planning for additional income streams – which brings us to action plans.

Action plans and risk monitoring

Action plans involve the introduction of risk controls to lessen the likely occurrence and/or severity of a risk. Charities may include these within the risk register, as shown in the example above, or may list them separately. Generally, it is preferable to include them in the register so that all information is in one place and can be reviewed easily at the same time.

Clearly, the high-ranking risks require controls. Indeed, even the smallest charities that do not have a formal risk register are likely to be managing to some extent what they perceive as their biggest risks. A more critical decision is whether action plans need to be expanded with the addition of extra controls to drive a risk down the ranking even further.

For example, a charity may have identified data protection as a risk (which it is for most charities) and will then consider whether this is a severity and/or frequency issue. It will then assess what it is currently doing to control that risk. Existing controls may include a data protection statement and training staff on how to protect data. Assessing the risk after taking these controls into account produces the ‘net’ risk. Although data protection is still potentially a big risk the controls have perhaps moved it from high to medium severity and low frequency.

The charity then needs to decide whether it wants to move the ranking of this risk from medium to low severity. If medium is acceptable, it does not need to take any further actions. If it wants to get from medium to low, it needs to consider additional control measures. Should it restrict the number of people who have access to data? Does it need to introduce user ID systems and passwords? All of these become part of the action plan.
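The scoring method (frequency × consequence on a 1 to 8 scale), the gross versus ‘net’ risk after existing controls, and the detection of the same risk accumulating across departments can be put into a small working register. The code below is an added illustration, not from the article or the IRM; the risk names, departments, owners and scores are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Risk:
    name: str
    department: str
    frequency: int      # 1 = low frequency .. 8 = regular occurrence
    consequence: int    # 1 = no consequence .. 8 = major consequence
    owner: str          # person responsible for the risk
    controls: list = field(default_factory=list)
    net_frequency: Optional[int] = None    # re-assessed with controls in place
    net_consequence: Optional[int] = None  # (None = unchanged from the gross score)

def score(frequency: int, consequence: int) -> int:
    """Priority = frequency x consequence; both must be on the 1..8 scale."""
    if not (1 <= frequency <= 8 and 1 <= consequence <= 8):
        raise ValueError("frequency and consequence must be between 1 and 8")
    return frequency * consequence

def gross_score(r: Risk) -> int:   # inherent risk, before controls
    return score(r.frequency, r.consequence)

def net_score(r: Risk) -> int:     # residual risk after existing controls
    f = r.frequency if r.net_frequency is None else r.net_frequency
    c = r.consequence if r.net_consequence is None else r.net_consequence
    return score(f, c)

def prioritise(register: list) -> list:  # highest net score first
    return sorted(register, key=net_score, reverse=True)

def accumulations(register: list) -> dict:
    """Same risk reported by several departments: cumulative net score, departments."""
    groups = defaultdict(list)
    for r in register:
        groups[r.name.strip().lower()].append(r)
    return {k: (sum(net_score(r) for r in rs), [r.department for r in rs])
            for k, rs in groups.items() if len(rs) > 1}

# Constructed sample register (illustrative values, not a real charity's data).
REGISTER = [
    Risk("Data protection breach", "Central services", 6, 7, "Chief executive",
         ["Data protection statement", "Staff training"], 3, 5),
    Risk("Fall in legacy income", "Fundraising", 4, 8, "Finance director",
         ["Plan additional income streams"], 4, 5),
    Risk("Key volunteer leaves", "Events", 3, 2, "Events manager"),
    Risk("Key volunteer leaves", "Shops", 3, 2, "Retail manager"),
    Risk("Key volunteer leaves", "Fundraising", 2, 3, "Fundraising manager"),
]
```

The three ‘key volunteer’ entries each score only 6 on their own, but accumulations() reports them together at 18, which is the situation point 4 above describes.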

An action plan has to include who is responsible for implementing it and by when. And some action plans may just involve monitoring the risk to see how it develops and whether a more proactive approach may be needed in the future.  Action plan monitoring asks whether the action plans introduced have had the desired effect on a particular risk or whether further action is required. It is also a check that people have actually taken those actions that they were required to do.
 
Risk monitoring is similar but whereas monitoring action plans involves checking progress on risk improvement and mitigation, risk monitoring tracks the risks themselves – are they increasing, decreasing or static? Is there a particular risk associated with a specific activity, which could be getting out of control so that something needs to be done? Does a change in the charity’s strategy or other circumstances affect the potential severity/frequency of a particular risk, whether a risk still exists, and whether there are new risks? Essentially charities need to monitor all their major exposures to see if they are changing or developing across the whole base.
 
Practicalities

Having established a dynamic risk register, charities need to ensure that the systems for treating risks appropriately are all in working order. Figure 2 sets out the risk treatment options that should be in place.

Figure 2: risk treatment options (image not reproduced)
Figure 3 is a useful checklist for trustees for inclusion in all trustee induction and training materials. By the very nature of their role, trustees are unlikely to be closely involved with the day-to-day running of the charity but are liable if disaster strikes.

Figure 3: trustee checklist (image not reproduced)

An example of how third sector organisations are increasingly acknowledging the importance of effective risk management in safeguarding their work can be seen in the case study shown in figure 4.

Figure 4: case study (image not reproduced)

To conclude, charities should direct most of their income to achieving their charitable goals. But committing some time and resources to risk management processes will enhance rather than detract from fulfilment of this duty.  It comes down to good management and best practice.
 
[1] The SORP requires that the trustees’ Annual Report should include a ‘statement confirming that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and that systems have been established to manage those risks’ (para 45). See also page 5 of this supplement.
[2] See also Charities Management Magazine, Mitre House Publishing, early Summer 2009, page 34.
[3] www.theirm.org/events/documents/ProceedingsoftheIRMCharitiesSpecialistInterestGroupEmbeddingriskmanagementatatimeofneed2009.pdf
[4] See Mark Pincher’s article ‘Houses on the sand?’ in Codicil, Winter 2008/09, pages 6 to 9.

Author: Steve Fowler

Steve Fowler is CEO of the Institute of Risk Management (IRM), the leading professional education and membership body for enterprise risk management in the UK. He studied chemistry at university and then joined what is now RSA, the insurance company, as a chemical risk engineer. After a career move into business project and change management, Steve became commercial IT director for RSA, before founding his own change consulting business, prior to joining IRM as CEO.

www.theirm.org
