The Importance of Risk Management in NPOs
Posted on 01 August, 2022 at 16:22
Traditionally, risk management was considered vital only for the private sector, where it is key to ensuring at least reasonable returns for shareholders. In recent years, the popularity of risk management has also grown in Not-for-profit organisations (NPOs) as a result of heightened political conflicts, corruption, fraud, terrorism and natural disasters. NPOs in Zimbabwe have a much greater need for risk management due to the unpredictable and volatile nature of the macroeconomic environment. Changes in the macroeconomic environment, such as the recent metamorphosis of previous foreign currency bank balances into local RTGS-dollars, have a direct impact on the operations of NPOs, which predominantly receive their money as hard currency. There is a need for organisations to have in place systems to identify, monitor, control and manage various risks to acceptable levels. In this article, we discuss the different types of risks that organisations are likely to face, how they can be tracked for effective management, risk measurement methodology and some examples of good and poor practices in risk management.
1. Types of Risk
Generally, risk is the likelihood and potential impact of encountering a danger or potential source of harm or loss. Common risks that NPOs face can be identified as security, safety, fiduciary, information, legal and compliance, reputational and operational risk.
Security risk refers to the likelihood and potential impact of events that may threaten the security of the organisation, its staff and other stakeholders. Political instability in the form of civil wars, armed attacks on facilities and election-related violence are sources of security risk. There is a positive correlation between the level of crime in the area of operation and security risk, which may emanate from robberies and kidnapping of staff. Safety risk, on the other hand, is concerned with loss that may occur due to fire, natural disaster, accidents or illness. An organisation needs to assess the likelihood and possible impact of loss of motor vehicles due to accidents, which may be caused by inadequate road markings and signs, or by potholes. NPOs operating in areas prone to various natural disasters and terminal illnesses will have high safety risk.
Fiduciary risk is centred on the likelihood and impact of abuse of resources by those responsible for managing and implementing activities through fraud, theft and bribery. Program officers are sometimes involved in diverting aid materials through falsification of aid distribution sheets and collusion with locals. Finance and administration personnel may commit fraud by receiving bribes from suppliers, falsifying documents for financial gain and abusing cash resources through parallel market foreign exchange arbitrage (which has been rampant since the depreciation of bank account balances in 2017-18). In our previous article on Managing Finances in Emergencies, we noted that the risk of cash abuse is high during emergencies due to the urgent nature of implementation.
Information Technology risk looks at the probability and potential effects of loss of data and information, and of unauthorised breach or misuse of information. This includes loss of information saved on the organisation’s computers and servers as a result of theft or system crash. The risk is also encountered when an organisation’s credit card information is accessed by unauthorised individuals through scams or phishing. Personnel data and other sensitive information can also be breached by hacking or phishing. The organisation can also be exposed to this risk when staff post inappropriate information on social media.
Legal and Compliance risk is the organisation’s exposure to the consequences of non-compliance with host country laws and regulations, including counter-terrorism restrictions. For example, an international organisation operating in Zimbabwe should ensure that it and its implementing partners are registered as Charitable Trusts, Private Voluntary Organisations or Universitas. The organisations should also comply with taxation regulations such as remittance of employee taxes in accordance with the final deduction system (FDS) and withholding taxes as required by the Income Tax Act [Chapter 23:06] and the Finance Act [Chapter 23:04]. Social security regulations should also be complied with by contributing to Pension and Other Benefits (POB) and the Accident Prevention and Workers’ Compensation Scheme (APWC) as prescribed by the National Social Security Authority (NSSA). The organisation should also abide by the regulations applicable to its focus areas and should seek legal advice before commencing activities in the country.
Reputational Risk has become key in this information age, where information travels at lightning speed and has wide reach due to social media. It is the susceptibility of an organisation to loss due to actions, information or perceptions that are damaging to the integrity or credibility of the organisation. Noteworthy examples include the Oxfam sex scandal and the alleged abuse of USAID funds by local organisations, which tainted the images of the implicated organisations and, to some extent, civil society organisations at large.
Operational Risk covers all factors that affect the organisation’s ability to achieve its objectives. Human error, capacity deficits and financial deficits are examples. The rapid increase in prices following the announcement of the Monetary Policy on 1 October 2018 compelled some organisations to incur expenses above budget, while others had to implement only to the level permitted by their budgets, which brought less impact than anticipated.
The risks described above are not a “one size fits all” package; individual organisations can identify risks peculiar to themselves. The key is to identify those factors that expose the organisation to potential harm or loss. Other risks that can be identified include strategic risks related to governance structures and organisational strategy; human resources management risks concerned with the ability of available personnel to implement projects effectively; and sustainability risks that may hinder the organisation from continuing its activities in the foreseeable future.
2. Measurement and Management of Risk
Once the risks in an organisation are identified, they will need to be quantified. An ideal risk management framework is one that encompasses the following:
· a risk register tool for analysing and prioritising risks and planning mitigation measures;
· decision-making and implementation procedures flowing directly from that assessment and planning;
· a systematic follow-up or audit process to ensure good implementation and understanding, and to incorporate capacity building; and
· a means for weighing criticality, or the degree to which the action is urgent or life-saving, in order to guide decision-making on acceptable levels of risk (sometimes called “program criticality”).
A risk register is a way to build a comprehensive picture of the most serious risks facing an organisation at any given time. It should be built from the ground up, with each country office and each functional area of the organisation (e.g., program, legal, communications) conducting an exercise to identify and rank the risks they face in all categories. These in turn inform the organisation-wide risk register, which is compiled at the central level at least once per year.
Completing a risk register involves ranking risks in all categories by their perceived degree of likelihood as well as the level of impact they would have on the organisation if realised. Once the risks are identified and prioritised through a risk matrix, the process involves developing strategies to mitigate them, including outlining ways that procedures and practices may need to be adjusted. The risk register also provides a valuable tool for benchmarking progress against these plans throughout the year, including through “risk audits” or other follow-up measures.
Risk Management is not an event but a process that should be continuously performed. The identification of risks that affect the achievement of objectives should be a culture embedded in every department’s day-to-day plans, not something viewed as a task to be completed on a certain due date. Departmental heads should maintain their risk registers and update them whenever they discover a risk or realise that the likelihood and impact of these risks have changed.
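The register-building and updating process described in the two passages above (departmental registers ranked by likelihood and impact, consolidated into an organisation-wide register, and re-scored whenever circumstances change) is easy to misapply without a concrete scoring rule. The following is an added example in Python, not code from the article or from KFM Consultants. The 1-5 scales, the score bands, the field names and the sample risks are all assumptions made for this example; the article names likelihood and impact as the two ranking dimensions but prescribes no scale.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed scoring bands for a 5x5 likelihood x impact matrix (this example's
# assumption; the article prescribes no scale). Score = likelihood * impact.
BANDS = (
    (15, "critical"),  # 15-25: act immediately
    (8, "high"),       # 8-14: mitigation plan with owner and date
    (4, "medium"),     # 4-7: monitor, mitigate as resources allow
    (1, "low"),        # 1-3: accept and review periodically
)

# The risk categories named in the article.
CATEGORIES = frozenset({"security", "safety", "fiduciary", "information",
                        "legal", "reputational", "operational"})


@dataclass
class Risk:
    ref: str
    category: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    owner: str
    mitigation: str = ""   # empty = no mitigation planned yet
    status: str = "open"   # open | in_progress | closed

    def __post_init__(self) -> None:
        # Reject unknown categories and out-of-scale scores at entry time.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for threshold, name in BANDS:
            if self.score >= threshold:
                return name
        return "low"


class RiskRegister:
    """One register per department or country office; consolidate() merges them."""

    def __init__(self, unit: str) -> None:
        self.unit = unit
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.ref in self._risks:
            raise KeyError(f"duplicate reference {risk.ref}")
        self._risks[risk.ref] = risk

    def get(self, ref: str) -> Risk:
        return self._risks[ref]

    def update(self, ref: str, *, likelihood: Optional[int] = None,
               impact: Optional[int] = None, mitigation: Optional[str] = None,
               status: Optional[str] = None) -> Risk:
        """Re-score a risk when its likelihood, impact or treatment changes."""
        r = self._risks[ref]
        if likelihood is not None:
            r.likelihood = likelihood
        if impact is not None:
            r.impact = impact
        if mitigation is not None:
            r.mitigation = mitigation
        if status is not None:
            r.status = status
        r.__post_init__()  # re-validate after the change
        return r

    def prioritised(self) -> List[Risk]:
        # Highest score first; ties broken by impact so severe-but-rare risks surface.
        return sorted(self._risks.values(), key=lambda r: (-r.score, -r.impact, r.ref))

    def matrix(self) -> Dict[Tuple[int, int], List[str]]:
        """Risk references grouped by (likelihood, impact) cell of the matrix."""
        cells: Dict[Tuple[int, int], List[str]] = {}
        for r in self.prioritised():
            cells.setdefault((r.likelihood, r.impact), []).append(r.ref)
        return cells

    def needs_attention(self) -> List[Risk]:
        """Critical or high risks still open with no mitigation plan recorded."""
        return [r for r in self.prioritised()
                if r.band in ("critical", "high") and r.status == "open" and not r.mitigation]


def consolidate(registers: Iterable[RiskRegister], name: str = "organisation-wide") -> RiskRegister:
    """Build the central register from departmental ones; references must be unique."""
    org = RiskRegister(name)
    for reg in registers:
        for r in reg.prioritised():
            org.add(r)
    return org


def build_sample_registers() -> List[RiskRegister]:
    """Constructed sample data (not from the article) using the article's categories."""
    finance = RiskRegister("finance")
    finance.add(Risk("FIN-01", "fiduciary", "Cash abuse via parallel-market FX arbitrage", 4, 4, "Finance Manager"))
    finance.add(Risk("FIN-02", "legal", "Late PAYE and withholding tax remittance", 2, 3, "Finance Manager",
                     mitigation="Monthly statutory compliance checklist", status="in_progress"))
    finance.add(Risk("FIN-03", "information", "Card details phished from staff", 3, 3, "IT Officer"))
    programs = RiskRegister("programs")
    programs.add(Risk("PRG-01", "fiduciary", "Aid diverted via falsified distribution sheets", 3, 5, "Program Director"))
    programs.add(Risk("PRG-02", "security", "Election-related violence near field sites", 2, 5, "Security Focal Point",
                      mitigation="Hibernation plan and travel suspension triggers"))
    programs.add(Risk("PRG-03", "safety", "Vehicle accidents on poorly marked roads", 3, 2, "Logistics Officer"))
    return [finance, programs]


if __name__ == "__main__":
    org = consolidate(build_sample_registers())
    for r in org.prioritised():
        print(f"{r.ref} {r.band:8} score={r.score:2} {r.category:12} {r.description}")
    print("needs attention:", [r.ref for r in org.needs_attention()])
```

The `needs_attention` view is the part a risk audit would check first: a critical or high risk that sits in the register with no owner-assigned mitigation is exactly the "task completed on a due date" failure the article warns against. Because `consolidate` shares the same `Risk` objects rather than copying them, an update made at the departmental level is visible in the organisation-wide view without a second data-entry step.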
KFM Consultants provides risk management services for organisations in the form of pre-grant partner risk assessments and periodic risk management reviews. Risk analysis is also encapsulated in our internal audit and other assurance services. We are just a call or email away!