Pobal Community Services Programme 2014 Guidance note on RISK MANAGEMENT This is an informal introductory note to the topic of Risk Management, drafted to assist Community Services re-contracting in 2014. It is, we hope, also useful for other community service companies and co-ops in reviewing their plans. This note has been drafted to provide initial guidance only and is not a comprehensive or definitive guide. What does risk management mean to your organisation? Before your board can effectively oversee the management of risk, it needs to know what the term “risk” means for your organisation. People tend to interpret the word differently. To some, “risk” means “threat” — something that could harm the organisation or prevent it from achieving its objectives1. Others see risk as including “opportunity” — something that could help the organisation to achieve new objectives or improve its ability to achieve existing ones. Risk takes many forms but, for the purpose of this note, we mean anything that affects an organisation’s ability to meet its objectives and preserve its reputation. Organisations are more likely to consistently meet their objectives when they have effective processes for identifying and managing risks. They may do so by considering and addressing risk under a number of categories which include: Compliance risk — the risk of fines and other regulatory penalties for such offences as failure to remit payroll deductions, violation of privacy laws, etc. Also, restrictions on the use of funds from donors and funding agencies. External risk — the risk of becoming irrelevant, losing the support of the public and funding sources, and failing to respond to economic, demographic and other trends. Financial risk — the risk of fraud, financial failure and decisions based on inadequate or inaccurate information and/or systems. Governance risk — the risk of ineffective oversight and poor decision-making by the board and management of the company/co-op. Information technology risk — the risk that the information technologies used in the organisation may not provide dependable service and accurate, secure information that is available when needed. Operational or Programme risk — the risk of poor service delivery, day-to-day crises, and misuse or neglect of human capital and other resources.2 Reputation risk — the risk of losing goodwill, status in the community, and the ability to raise funds and appeal to prospective volunteers. Strategic risk — the risk of inappropriate or unrealistic programmes and initiatives, and failure to keep the organisation strong and relevant. Because there are different ways of defining risk, it is of critical importance that the board, staff and (where appropriate) volunteers, all have a common understanding of what the term “risk” means in terms of their individual responsibilities. 1 This is particularly true in the Community Services Programme where a majority of service providers will reference the threat of the loss of public funding as the principal risk, despite many other possible risks being evident. 2 Community Services that work with children, young people and other vulnerable client groups will encounter specific operational risks. Identifying and managing major risks Some risks could severely affect the organisation’s ability to achieve its objectives and continue operations. It is a principal tenet of risk management that the major risks are identified and managed. A risk analysis that is simply a list of all possible risks in all possible eventualities does not provide the board and staff with the information required to direct their attention and resources to dealing with the most significant and likely risks. Below we list some examples of major risks. We then discuss how to go about identifying these in your organisation and devising a course of action. Examples of major risks • Loss of a major source of funding • Reductions in the market value of investments and the income from them • Unsuccessful fund-raising projects • Fraud • Failure of a project or strategic initiative • Inadequate responses to emergencies • Irrelevance because programs or services are no longer in demand or distinctive • Excessive increases in the cost of human and other resources • Actual or alleged sexual misconduct or abuse by an employee or volunteer • Loss or theft of information • Inability to perform critical functions that depend on technology Risk management involves: A basic risk analysis involves working systematically through a comprehensive list of questions such as those below. It is useful to do this in a workshop style meeting with a cross section of participants that bring a variety of perspectives and experience. In a community organisation, this is best done with the board and manager/other senior staff. The first part of the task usually involves creating a list of risks and giving them some level of importance by asking three questions. • • • What could happen that would affect our ability to meet our objectives? How likely is it to occur? How serious might it be? There are a number of risk analyses methodologies, some of which may use a scoring system to provide a level of objectivity. Whether or not scoring is used, asking the questions above helps to establish the extent to which risks are (a) likely and (b) serious, and this allows you to prioritise your list. Once prioritised, the next stage is to make plans to minimise the risks. To do that, consider the questions: • • What should we do to reduce the risk? How can we be prepared to respond to problems? The resulting analysis and actions, in table form, is often referred to as a Risk Register. While large organisations might have a separate risk register or risk management plan, in smaller organisations the plans and actions arising from the analysis might be factored into an annual business or work plan, and monitored through regular board meetings. The main risks would then form some of the agenda items of board meetings. An exercise like this could be carried out annually by a board as part of an annual review or planning session. For those organisations not familiar with the process it may be useful to engage an outside/independent facilitator. This would not only help you to establish your own risk register, but would also provide a format and the experience to be able to undertake your own future risk analyses. More reading http://www.wheel.ie/sites/default/files/ReducingTheRisk_sample.pdf http://www.icaew.com/en/technical/charity-and-voluntary-sector/volunteering/charity-trustee/charitytrustee-role-and-responsibilities-new/maximising-the-benefits-from-effective-risk-management http://knowhownonprofit.org/how-to/how-to-identify-assess-and-manage-the-risks-associated-withtrading