The Importance of Risk Management in NPOs
Posted on 09 April, 2019 at 11:07
By Luxon Kalonga
Traditionally, risk management was considered as vital only for the private sector as it is key in ensuring at least reasonable returns for shareholders. In recent years, the popularity of risk management has also grown in Not-for-profit organisations (NPOs) as a result of heightened political conflicts, corruption, fraud, terrorism and natural disasters. NPOs in Zimbabwe have a much greater need for risk management due to the unpredictable and volatile nature of the macroeconomic environment. Changes in the macroeconomic environment, such as the recent metamorphosis of previous foreign currency bank balances into local RTGS-dollars, have a direct impact on the operations of NPOs which predominantly receive their money as hard currency. There is need for organisations to have in place systems to identify, monitor, control and various manage risks to acceptable levels. In this article, we discuss the different types of risks that organisations are likely to face, how they can be tracked for effective management, risk measurement methodology and some examples of good and poor practices in risk management.
1 Types of Risk
is the likelihood and potential impact of encountering a danger or potential
source of harm or loss. Common risks that NPOs face can be identified as
security, safety, fiduciary, information, legal and compliance, reputational
and operational risk.
Security risk refers to the likelihood and potential impact of events that may threaten the security of the organisation, its staff and other stakeholders. Political instability in the form of civil wars, armed attack on facilities and elections-related violence are sources of security risk. There is a positive correlation between level of crime in the area of operation and security risk which may emanate from robberies and kidnapping of staff. Safety risk on the other hand is concerned with loss that may occur due to fire, natural disaster, accidents or illness. An organisation needs to assess the likelihood and possible impact of loss of motor vehicles due to accidents which may be caused by inadequate road markings and signs, potholes. NPOs operating in areas prone to various natural disasters and terminal illnesses will have high safety risk.
Fiduciary risk is centred on the likelihood and impact of abuse of resources by those responsible for managing and implementing activities through fraud, theft and bribery. Program officers are sometimes involved in diverting aid materials through falsification of aid distribution sheets and collusion with locals. Finance and administration personnel may commit fraud by receiving bribes from suppliers, falsifying documents for financial gain and abusing cash resources through parallel market foreign exchange arbitrage (which has been rampant since the depreciation of bank account balances in 2017-18). In our previous article on Managing Finances in Emergencies, we noted that the risk of cash abuse is high during emergencies due to the urgent nature of implementation.
Information Technology risk looks at the probability and potential effects of loss of data and information, unauthorised breach or misuse of information. This include loss of information saved on organisation’s computers and servers as a result of theft or system crash. The risk is also encountered when an organisation’s credit card information is accessed by unauthorised individuals through scams or phishing. Personnel data and other sensitive information can also be breached by hacking or phishing. The organisation can be exposed to this risk when staff post inappropriate information on social media.
Legal and Compliance risk is the organisation’s exposure to consequences of non-compliance with host country laws and regulations, including counter terrorism restrictions. For example, an international organisation operating in Zimbabwe should ensure that it and its implementing partners are registered as Charitable Trusts, Private Voluntary Organisations or Universitas. The organisations should also comply with taxation regulations such as remittance of employee taxes in accordance with the final deduction system (FDS) and withholding taxes as required by the Income Tax Act [Chapter 23:06] and the Finance Act [Chapter 23:04]. Social security regulations should also be complied with by contributing to Pension and Other Benefits (POB) and the Accident Prevention and Workers’ Compensation Scheme (APWC) as prescribed by the National Social Security Authority (NSSA). The organisation should also abide by the regulations applicable to its focus areas and should seek legal advice before commencing the activities in the country.
Reputational Risk has become key in this information age where information travels at lightning speed and has wide reach due to social media. It is the susceptibility of an organisation to loss due to actions, information or perceptions that are damaging to the integrity or credibility of the organisation. Noteworthy examples include the Oxfam sex scandal and the alleged abuse of USAID funds by local organisations that tainted the images of the implicated organisations and to some extent the civil society organisations at large.
Operational Risk covers all factors that affect the organisation’s ability to achieve its objectives. Human error, capacity deficits and financial deficits are examples. The rapid increase in prices following the announcement of the Monetary Policy on 1 October 2018 compelled some organisations to incur expenses above budget while others had to implement to the level permitted by their budgets, which brought less impact than anticipated.
The risks described above are not a “one size fits all” package; individual organisations can identify risks peculiar to themselves. The key is to identify those factors that expose the organisation to potential harm or loss. Other risks that can be identified include strategic risks related to governance structures and organisational strategy; human resources management risks concerned with the ability of available personnel to implement projects effectively; and sustainability risks that may hinder the organisations from continuing its activities in the foreseeable future.
2. Measurement and Management of Risk
Once the risks in an organisation are identified, they will need to be quantified. An ideal risk management framework is one that encompasses the following:
· a risk register tool for analysing and prioritising risks and planning mitigation measures;
· decision-making and implementation procedures ﬂowing directly from that assessment and planning;
· a systematic follow-up or audit process to ensure good implementation and understanding; and, to incorporate capacity building; and
· a means for weighing criticality, or the degree to which the action is urgent or life-saving, in order to guide decision-making on acceptable levels of risk (sometimes called “program criticality”).
A risk register is a way to build a comprehensive picture of the most serious risks facing an organisation at any given time. It should be built from the ground up, with each country oﬃce and each functional area of the organisation (e.g., program, legal, communications) conducting an exercise to identify and rank the risks they face in all categories. These in turn inform the organisation-wide risk register, which is compiled at the central level at least once per year.
Completing a risk register involves ranking risks in all categories by their perceived degree of likelihood as well as the level of impact they would have on the organisation if realised. Once the risks are indented and prioritised through a risk matrix, the process involves developing strategies to mitigate them, including outlining ways that procedures and practices may need to be adjusted.
The risk register also provides a valuable tool for benchmarking progress against these plans throughout the year, including through “risk audits” or other follow-up measures.
Risk Management is not an event but a process that should be continuously performed. The identification of risks that affect the achievement of objectives should really be a culture embedded in every department’s day-to-day plans, not something that should be viewed as a task to be completed on a certain due date. Departmental heads should maintain their risk registers and update them whenever they discover a risk or realise the changing likelihood and impact of these risks.
KFM Consultants provides risk management services for organisations in the form of Pre-grant partner risk assessments and periodic risk management reviews. Risk analysis is also encapsulated in our internal audit and other assurance services. We are just a call or email away!