

The Urgency of Risk Management in NGOs

Posted on 08 July, 2019 at 15:55

By Luxon Kalonga


Abrupt changes in the economic policies in Zimbabwe have made the operating environment uncertain for the corporate and non-profit sectors alike. Significant policies post-dollarization can be traced back to the October 1 Monetary Policy Statement, which split the Nostro and RTGS Foreign Currency Accounts (FCAs) but still maintained parity between the US Dollar and bank account balances, bond notes and coins. The parallel market, however, remained stubborn and priced the US Dollar above the RTGS balances. This led to the abuse of foreign currency in some Non-Profit Organisations as they would withdraw hard currency and somehow use bond notes in their activities. We were involved in some forensic audits but could only prove prejudice to the organisations on hypothetical value-for-money grounds as there was the “parity fallacy”. The authorities then issued SI 33 of 2019 and another Monetary Policy Statement in February 2019, which conceded that there was no equivalence between the bank balances and hard currency, and life was breathed into the previously dormant interbank market. The managed float of the interbank market could not keep pace with the parallel market, leading to yet another shocker, SI 142 of 2019, in June 2019, which outlawed the multiple currency regime and resurrected the much dreaded Zimbabwe Dollar. All these changes took place in less than 9 months! One can only imagine the financial implications this had on NGOs’ budgets and finances. But have we seen enough of such changes yet, or is there something cooking? There is a myriad of risks in the macroeconomic environment and these cascade down to affect the day-to-day operations of organisations.


Risk Management has become more urgent than ever to enable organisations to be cushioned against any adverse impacts of such changes in their operations. An international standard of Risk Management, ISO 31000:2018, provides guidelines on how an organisation can manage the external and internal risks it faces in pursuing its objectives. At KFM Consultants, we are guided by the standard in ensuring that our clients minimise their risks to acceptable levels and hence continue positively impacting societies. ISO 31000:2018 gives an umbrella description of the Principles, Framework and Processes which the organisation can employ in managing risks.

We discuss below how an NGO operating in the current environment can manage its risks.


Risk Management Strategy/Framework

Traditionally, organisations would only talk about risk when confronted with an audit or inspection exercise. Some boards would discuss risk issues just in passing for minuting, but there was no process followed and no risk quantification, risk monitoring or follow-up. ISO 31000:2018 requires an organisation to integrate risk management into its decision-making processes. A Risk Management Strategy outlines the organisation’s risk management philosophy, risk appetite, assessment techniques, risk classification, documentation and record-keeping, reporting and other pertinent issues with the aim of integrating risk management into the organisation’s governance and management systems.


As a standard, the function of risk management should sit with the Audit Committee of the Board and be delegated to the relevant departments. To ensure effective risk management, it should be part and parcel of monthly and quarterly reports discussed by management. The organisation should treat risk management as an ongoing process of detection, mitigation and improvement rather than a once-off event. It should be embedded in the organisation’s culture and values; policies and procedures should be adjusted to incorporate the risk management thrust. Communication structures should also be well defined to avoid confusion on responsibilities. Risk management should also be extended beyond the organisation; risks that employees and other stakeholders may face due to their association with the organisation should also be considered. We have a lot of Civil Society Organisations (CSOs) which advocate for good governance and state accountability to citizens, and this may have political implications for individuals involved in advocacy.


A clear risk management strategy would ensure that the organisation is well able to cope with abrupt changes in the environment whilst also managing existing risks efficiently. It should be tailored to the organisation.


Risk Management Plan, Matrix and Register

A Risk Management Strategy discussed above is more of a static document which describes how the organisation would deal with risks in general. For day-to-day management of risks, organisations should have Risk Management Plans, Matrices and Registers.


Each departmental head needs to create a risk matrix peculiar to their domain and these should be consolidated for monthly reporting purposes. A summary of these risk matrices would be a risk register which shows the key risks being faced by the organisation and the action plan of mitigation.


When properly executed, the risk management process would ensure that the organisations would not only be quick to react to situations as they arise, but also be proactive in dealing with impending risks before they negatively impact the organisation.


Opportunity/Positive Risks 

I can already anticipate the “head-scratching-thinking emoji” on the reader’s face as they read this heading; how can a risk be positive? By definition, risk is the effect of uncertainty on an organisation’s objectives. These can be potential threats to achieving objectives or potential opportunities for achieving those objectives. Therefore, an organisation should not be blinkered to only look at risk in the negative frame. A separate “Opportunities Register” should also be put in place to consider the potential gains that may result from uncertainties. The organisation can then work on ensuring that such opportunities are realised.


Does your organisation have proper Risk Management systems in place? Have they been incorporated in the management structures? Have you been performing consistent risk reviews and are you confident with the outcomes? Do you have that sixth sense telling you that more can be done in managing risks? Have you been relying merely on third parties to decide for you how you are going to respond to changes in the operating environment? KFM Consultants is there to assist you in coming up with a tailor-made risk management strategy or framework, build the capacity of your staff in managing risks, and follow up on crucial issues you are facing that might not be solved by internal parties. We’re here to help!





International Organization for Standardization. (2018, February). ISO 31000:2018. Risk Management. Retrieved July 19, 2019, from https://www.iso.org/standard/65694.html


