Small Charities Coalition
Risk management
Catherine Rustomji, Head of Third Sector North – Hempsons
12 June 2012
For more information visit us at www.hempsons.co.uk

Agenda
• Catherine Rustomji - Hempsons
• Charity Commission
• Compliance
• Risk
• Detlev Anderson - Ryecroft Glenton
• Practical Example & CC26

The Regulator of Charities
• Increase effectiveness and public confidence
• Risk-based and proportionate approach
• Target help and resources:
    • charity’s beneficiaries
    • services
    • assets
    • reputation

The Charity Commission and Regulation
• Ensure charities meet legal requirements and are equipped to operate properly and within the law
• Check charities are run for public benefit
• Ensure independence and that trustees take decisions free of control or undue influence
• Detect and remedy serious mismanagement or deliberate abuse by or within charities

Charity Commission’s Seven Principles
• Accountability
• Independence
• Proportionality
• Fairness
• Consistency
• Diversity and Equality
• Transparency

Charity Commission’s Objectives
• Increase public trust and confidence in charities
• Promote awareness and understanding of public benefit
• Promote trustees’ compliance with the law in control and management
• Promote effective use of charitable resources
• Enhance accountability to donors, beneficiaries and the general public

Risk – what do you need to know?
• Trustee responsibility
• Regular review and assessment
• Effective governance
• Risk appetite
• Risk tolerance

Risk Framework
• Identify major risks
• Decide how to respond
• Include statement in annual report
• Risk mapping/risk reporting

But ….
“However beautiful the strategy, you should occasionally look at the results.”
Winston Churchill

Catherine Rustomji
Head of Third Sector North
0191 230 6052
c.rustomji@hempsons.co.uk

Disclaimer
• This presentation and any accompanying notes are made available on the basis that no liability is accepted for any errors of fact or opinion they may contain. Professional advice should be obtained before applying the information in particular circumstances.

Small Charities Coalition
Risk management – Practical Example & CC26
Detlev Anderson, Charities Partner – Ryecroft Glenton
12 June 2012

Charities and Risk Management (CC26)
www.charity-commission.gov.uk/publications/cc26.aspx

Effective risk management means …
• Trustees make informed decisions and take timely action
• Charity makes most of opportunities
• Forward and strategic planning are improved
• Charity’s aims are achieved more successfully

Stage 1: Establishing a risk policy
“An effective charity regularly reviews and assesses the risks it faces in all areas of its work and plans for the management of those risks. The implementation of an effective risk management policy is a key part of ensuring that a charity is fit for purpose.”

Stage 2: Identifying risks
“Although there are various tools and checklists available, the identification of risks is best done by involving those with a detailed knowledge of the way the charity operates.”

Types of Risk
• Governance
• Operational
• Financial
• External/environmental
• Compliance

Stage 3: Assessing risk
“Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required.”
• Previous CC guidance gave equal prominence to impact (y) and likelihood (x), so likelihood score times impact score (x * y) = risk score.
• Since June 2010 the advice is that high impact but low likelihood should have a greater risk score than low impact but high likelihood, so greater weight is given to impact (y).
• This means likelihood score times impact score plus impact score (x * y) + y = risk score.
Example of a risk map

                      Likelihood
                      1              2              3 (High)
Impact 3 (High)       1*3+3 = 6      2*3+3 = 9      3*3+3 = 12
Impact 2              1*2+2 = 4      2*2+2 = 6      3*2+2 = 8
Impact 1 (Low)        1*1+1 = 2      2*1+1 = 3      3*1+1 = 4

Example produced by Ryecroft Glenton

RISK MAP - uncontrolled
Axes: IMPACT (vertical, up to HIGH IMPACT); likelihood (horizontal, LOW LIKELIHOOD to HIGH LIKELIHOOD)
Risks plotted:
• over-dependence on one product
• inadequate insurance
• loss of key personalities
• catastrophes / acts of God
• internally induced business interruption
• poor health, safety & welfare
• non-compliance with laws in operational areas
• mismatch between staff levels / skills and key objectives
• failure of IT systems
• non-compliance with Charity Commission regulation
• Allerburn Lea Residents' Association
• inadequate capital
• lack of trustees' skills and availability
• controlling dynamics of the larger organisation
• failure to report relevant information to trustees on a timely basis
• cash flow
• quality and integrity of management information
• customer dissatisfaction
• failure to achieve / record non-financial targeted outputs
• externally induced factors affecting business interruption
• failure to adequately fundraise
• failure to meet funding criteria
• over-crowding in the tree house
• human resource issues and employee relations
• the weather
• burst pipes
• fraud including incurring and settlement of liabilities without appropriate authorisation
• lack of succession planning / staff skills
• reliance on professional advisors
• poor publicity - loan from Duke
• inadequate volunteer management
• misapplication of restricted reserves
• security of data / intellectual property
• changes to grant-making and fiscal policies of government and grant givers
• inadequate security of tangible assets
• contract risks
• vandalism
• dilapidations
• inadequate procedures and systems documentation
• poor products / poor buying decisions
• separation from the Castle
• power cuts
• increased competition from other venues
• failure to comply with anti-discrimination legislation
• loss of novelty
• inadequate maintenance
• trustees' conflicts of interest
• dependency on key suppliers
• inadequate control of cash
• onerous long term supply contracts
• misapplication between trading and non trading income
• inadequate segregation of duties
• downturn in the economy / fuel prices
• inadequate stock control
• unforeseen consequences of fiscal and other regulation
• dependency on external transport services
• prices charged by suppliers
• credit control
• theft
• seasonal nature of work force
• conversion to Euro

Risk Responses
• Tolerate
• Terminate
• Treat
• Transfer

Risk register template
Potential or uncontrolled risk: Disaster recovery and planning
Potential impact:
• computer system failures or loss of data
• destruction of property, equipment, records through fire, flood or similar damage
Likelihood of occurrence (x score): Medium (2)
Severity of impact (y score): High (3)
Uncontrolled risk score (x * y) + y: Too high (9)
Control procedures:
• agree IT recovery plan
• implement data back up procedures and security measures
• review insurance cover
• create disaster recovery plan including alternative accommodation
Likelihood of occurrence (x score): Medium (2)
Severity of impact (y score): Low (1)
Managed or controlled risk score (x * y) + y: Acceptable (3)
Monitoring process: Reviewed quarterly by trustees
Responsibility: Trustees and I.T. Manager
Further action required: Quarterly agenda item for trustee meetings
Date of review: Quarterly

Example produced by Ryecroft Glenton

RISK CONTROL FRAMEWORK
Scores are given as Impact / Likelihood / Overall Risk.

Risk: loss of key personalities
Risk Category: operational
Uncontrolled risk: 3 / 3 / 9
Consequences:
- loss of high profile / charismatic personality
- loss of vision
- reduction in positive publicity
- increased capital marketing costs
- reduction in staff morale
How managed at present:
- not managed, but risk diminishes as a result of expansion of the management team and management development
Further Action Required:
- continue to monitor and review
- key person insurance for the Duchess of Northumberland
Managed risk, at date of this review: 3 / 3 / 9
Managed risk, Phase 3 in progress: 3 / 3 / 9
Managed risk, Phase 3 complete: 2 / 3 / 6

Risk: poor health, safety & welfare
Risk Category: operational
Uncontrolled risk: 3 / 3 / 9
Consequences:
- fatalities / injuries
- poor publicity
- increased insurance costs
- criminal / civil actions
- reduced staff morale
- impact on fundraising
- reduction in visitor numbers
- enforced closure (temporary or permanent)
- fire evacuation procedures lead to refunds / loss of sales
How managed at present:
- risk assessments
- staff training
- policy statement
- health and safety manual
- allocation of responsibilities
- introduction of risk assessments
- introduction of staff training
- standing agenda item for Enterprise Board
Further Action Required:
- follow up existing risk assessments
- perform risk assessments for satellite operations
- review all risks at the pavilion
- deal with the identified risk of the pavilion steps
- complete staff training
- form a Health & Safety committee
Managed risk, at date of this review: 3 / 2 / 6
Managed risk, Phase 3 in progress: 3 / 2 / 6
Managed risk, Phase 3 complete: 3 / 2 / 6

Risk: failure of IT systems
Risk Category: financial
Uncontrolled risk: 3 / 3 / 9
Consequences:
- loss of data
- inconvenience to customers on admission
- additional work
- additional errors / fraud
- inadequate data protection
How managed at present:
- daily backups are taken off site
- double servers in safe room with environmental control
- support contracts for all hardware and software
- firewall
- virus software updated every night
Further Action Required:
- improve security to wireless access
- review/increase levels of encryption
- use the data safe
- review security around portable chip & pin devices
Managed risk, at date of this review: 2 / 1 / 2
Managed risk, Phase 3 in progress: 2 / 1 / 2
Managed risk, Phase 3 complete: 2 / 1 / 2

Risk: inadequate capital
Risk Category: financial
Uncontrolled risk: 3 / 3 / 9
Consequences:
- failure to proceed with future developments of maintenance programme, which would affect sustainability of the project
How managed at present:
- there is presently sufficient capital to meet current financial commitments
- there is regular cash flow management
Further Action Required:
- formalise and adhere to a reserves policy to fund future operational and maintenance programmes
Managed risk, at date of this review: 3 / 3 / 9
Managed risk, Phase 3 in progress: 3 / 3 / 9
Managed risk, Phase 3 complete: 3 / 3 / 9

Risk: Controlling dynamics of the larger organisation
Risk Category: operational
Uncontrolled risk: 3 / 3 / 9
Consequences:
- Underachieve against budgets
- reduce staff morale
- poor service/quality
- increased fixed costs
How managed at present:
- budget / targets / corporate objectives
- monthly meetings / reviews
- employment policy / contracts
Further Action Required:
- review implications of downsizing
Managed risk, at date of this review: 2 / 2 / 4
Managed risk, Phase 3 in progress: 2 / 2 / 4
Managed risk, Phase 3 complete: 2 / 2 / 4

Risk: cash flow
Risk Category: Development programme - phase 2
Uncontrolled risk: 3 / 3 / 9
Consequences:
- Breach of covenants
- need to increase debt
- inability to fund developments
How managed at present:
- monthly review of cashflow
Further Action Required:
- formalise and adhere to a reserves policy
- develop strategies to maximise cashflow
Managed risk, at date of this review: 3 / 3 / 9
Managed risk, Phase 3 in progress: 3 / 3 / 9
Managed risk, Phase 3 complete: 3 / 3 / 9

Risk: customer dissatisfaction
Risk Category: operational
Uncontrolled risk: 3 / 3 / 9
Consequences:
- post phase II - more products on offer therefore a greater likelihood of disappointment
- reduction in the quality of the visitor experience
- loss of future revenues
- loss of reputation
- reduction in return visits
- the pavilion has raised food expectations
How managed at present:
- customer surveys
- customer complaints procedure/policy
- additional facilities for busy periods have been developed
- monitoring of projected against actual customer numbers
- methods developed to direct customers to less crowded areas
- alternative catering facilities for busy periods are in place
- appointment of customer services manager
Further Action Required:
- set criteria to follow up complaints
- having raised expectations (e.g. Pavilion catering), need to concentrate on meeting them
- develop customer survey techniques
- planning to ensure consistency of product offering and not to overpromise (i.e. matching customer expectations with deliverability)
Managed risk, at date of this review: 2 / 1 / 2
Managed risk, Phase 3 in progress: 2 / 1 / 2
Managed risk, Phase 3 complete: 2 / 1 / 2

Risk: over-dependence on one product
Risk Category: operational
Uncontrolled risk: 3 / 2 / 6
Consequences:
- fall off in customer revenue
- end of the entity
How managed at present:
- development programme leading to diversification of products
Further Action Required:
- None
Managed risk, at date of this review: 3 / 2 / 6
Managed risk, Phase 3 in progress: 3 / 2 / 6
Managed risk, Phase 3 complete: 1 / 1 / 1

Risk: inadequate insurance
Risk Category: operational
Uncontrolled risk: 3 / 2 / 6
Consequences:
- claw back of funding
- unexpected loss
How managed at present:
- regular contact with brokers
- insurance to cover to replacement value
- follow advice and recommendations of insurers
Further Action Required:
- communicate levels of insurance to relevant managers
- monitor on a regular basis, including levels of excess on new risks
- finalise emergency and disaster management plan for every area
Managed risk, at date of this review: 2 / 2 / 4
Managed risk, Phase 3 in progress: 2 / 2 / 4
Managed risk, Phase 3 complete: 2 / 2 / 4

Example produced by Ryecroft Glenton

Disaster Recovery Plan

1 First steps
• commit to planning across the charity
• develop a plan by a team representing all functional areas of the charity
• plan as a project if appropriate

2 Impact/risk assessment
• identify all major risks
• each risk to be given an impact and likelihood rating (see Part D)
• consider overall risk profile of charity

3 Drawing up the plan
• establish milestones to move charity from disaster to normal operations
• start with immediate aftermath
• outline what functions need to be resumed and in what order
• plan should identify key individuals and their roles and duties

4 Testing plan
• process of testing properly reproduce authentic conditions as far as possible
• plan tested by the key individuals identified in the plan
• document test procedures and record results
• consider amendments to plan

5 Training
• make all charity trustees, staff and volunteers aware of plan and their own duties and responsibilities
• stress the importance of planning even if the disaster appears to be a remote likelihood
• get feedback from all to ensure that duties and responsibilities are understood

6 Updating and maintaining
• plan should be updated to be applicable to current activities
• give someone responsibility for updating plan and communicating any changes
• all changes should be fully tested
• key staff informed of changes in duties and responsibilities

Questions?
Detlev Anderson
Charities Partner
Ryecroft Glenton
32 Portland Terrace
Newcastle upon Tyne
0191 281 1292
detlevanderson@ryecroft-glenton.co.uk