Risky business. Risk management best practices for an increasingly risky world

Risk management provides an organized approach to ensure that a high-quality reputation and relationships will be sustained. With boards of directors and management now required to formally address risk, risk management has become a hot topic for the industry.
Having a strong risk management framework delivers a number of organizational benefits, including those related to the overall vision and mission of the organization.

Transcript

  • 1. Risky business: Risk management best practices for an increasingly risky world
  • 2. CONTENTS

    It’s too important to leave to chance: 3
    Role of the board of directors and management: 3
    How can you ensure your organization has an appropriate risk management process in place?: 3
    Identify risks: 4
    How to track and manage all of this: 6
    Improving the organization, enhancing the vision: 7
    Don’t let risk derail your organization: 7
    Key contacts: 7

    In the world of not-for-profit organizations (NPOs), reputation and relationships are essential. But, as important as they are, many organizations don’t think about the potential risks that could impact these. That’s why it’s so important to actively engage in risk management—and to have a plan in place.

    Risk management provides an organized approach to ensure that a high-quality reputation and relationships will be sustained. With boards of directors and management now required to formally address risk, risk management has become a hot topic for the industry.
  • 3. It’s too important to leave to chance

    NPOs are funded by owners—the members—who often have an emotional connection with the organization, which goes beyond just financial considerations. Damage to this connection can result in reactions that threaten the organization’s survival. Because expectations have increased, members now expect that their leadership is anticipating and assessing risk. Leaders must provide strong assurance to their members that they are acting prudently to protect the organization from a wide range of risks.

    Role of the board of directors and management

    Board of directors

    Effective risk management begins with the group that has ultimate responsibility for the NPO—the board of directors. Board members need to explicitly acknowledge the importance of risk management, and ensure, within the size and context of their organization, that it is appropriately addressed. This is probably something they won’t take on themselves, so frequently a significant component of the detailed oversight responsibility is delegated to a standing committee, such as an audit or operations committee. But members must carefully assess how much responsibility they authorize, and in what areas. However, as final responsibility rests with the board, it’s important that directors have the appropriate skills and training to manage this process.

    Management

    While the board plays a significant role, usually the heavy lifting is done by management (depending on the resources available). Tasks such as development of the risk assessments, implementation of risk management systems (policies, procedures and monitoring) and mitigation strategies may be delegated to management. However, the fewer the resources available, the more involved the board will need to be in the process.

    How can you ensure your organization has an appropriate risk management process in place?

    Determine risk capacity, tolerance and appetite

    The first step is to describe your overall ability to absorb risk, and therefore, the total of individual risks you can tolerate. This involves describing your risk capacity, tolerance and appetite.
  • 4. Identify risks

    While there are many definitions, most simply, risk can be defined as anything that affects an organization’s ability to meet its objectives and preserve its reputation. Just as no two organizations will share the same objectives, no two organizations will share the same risk profile. To identify the risks specific to your organization, it may be helpful to use the following risk categories to see which may apply to you.

    • Reputational: Social media, privacy, litigation
    • Information technology: Data availability, data security (including that related to mobile devices)
    • Operational and program: Service quality, capacity constraints, vendor dependencies
    • Financial: Liquidity, capital availability, investment, theft
    • Governance: Failure to have an appropriate governance structure or skills proportionate to the intended governance structure
    • External: Macroeconomic conditions, volatility, structural change, competition, industry cyclicality, natural disasters
    • Strategic: Failure to implement strategy, ineffective strategy, or absence of strategy
    • Compliance: Non-compliance with laws and regulations

    When going through this exercise, you will probably identify a long list of possible risks specific to your organization and your situation.

    Assess and prioritize risks

    It’s not feasible to simply eliminate or mitigate all risks. In fact, the higher your organization’s risk appetite, the more risks you’re willing to accept. Instead of trying to eliminate every risk, assess and prioritize each type of risk, preparing a response for those which may have a significant impact on the organization. In order to assess these risks, you will need to analyze a range of factors, including:

    • the likelihood of the risk occurring;
    • the impact the risk will have on the organization;
    • the interconnectivity of that risk with other risks;
    • the ability of the organization to react to the risk (i.e., clockspeed risk); and
    • the ability to mitigate the risk.
  • 5. A useful visual tool for documenting these assessments is a heat map (a partial example of which is provided below). The use of colour facilitates an overview of the results of the assessment, highlighting which out of the many risks examined require the most attention. Prioritizing the risks is then a straightforward process.

    | Risk | Likelihood | Impact | Interconnectivity | Clockspeed | Overall risk |
    |---|---|---|---|---|---|
    | Low investment returns | Moderate | High | Low | Moderate | Moderate |
    | Injuries to participants in sports programs | High | Moderate | Low | Low | Moderate |
    | Abuse of vulnerable individuals by staff and volunteers | Moderate | High | High | High | High |
    | Loss of information systems and information | Moderate | High | High | Moderate | Moderate |

    Source: Chartered Accountants of Canada, 20 Questions Directors of Not-For-Profit Organizations Should Ask About Risk

    Upon completion of the heat map, you will then need to determine whether the total risk exceeds your risk tolerance. In the example above, immediate and urgent action is required. However, when the total risk is below the tolerance level, you can then assess the benefits against the costs of priority risk reduction, and take action to manage accordingly.

    Manage risks

    There are four strategies for dealing with risk:

    • Avoidance — Avoiding undertakings that could result in a risk occurring in the first place.
    • Transference — Sharing the risk with someone else (e.g., insurance). Note that the board cannot absolve its responsibility by simply transferring the risk as it still has a due diligence responsibility in this situation.
    • Mitigation — Developing policies and procedures to detect and reduce the likelihood and/or severity of risks to an acceptable level. This is the most frequently applied strategy.
    • Acceptance — Accepting or simply monitoring the risk, provided that it is unlikely or would have minimal impact.

    Once the appropriate strategy (or strategies) is chosen, you need to take certain steps to ensure that it is followed. Some of these steps include:

    • establishing policies and procedures;
    • designating specific individuals or groups of individuals (e.g., the board) as responsible for the execution of these policies and procedures;
    • communicating responsibilities to those individuals; and
    • ensuring that the individuals or group of individuals assigned those responsibilities have the proper resources (systems), training and skills to fulfil those responsibilities.

    Monitor and report risks

    Just as policies and procedures need to be developed to manage risks, metrics and reporting also need to be put in place. As part of this process, you should determine if, and how, you can avoid crisis situations in the first place. In addition, management, with board consultation,
  • 6. should determine any early indicators that could be monitored to identify a crisis before it occurs or before it becomes significant. Examples of some of these indicators are key operating or financial metrics, or stress testing of the budget assumptions.

    How to track and manage all of this

    With so many factors to consider, it can be difficult to track and manage an effective risk management process. So, to help with this, many organizations use a risk register (which also includes the heat map discussed earlier). A partial example is shown below.

    A risk register summarizes the risks, how they are managed and monitored, and who is responsible for each procedure. While it may take considerable effort to construct, once complete, it is an effective tool that facilitates review and update.

    The risk management process never ends, as risks are not static. Therefore, the risk register needs to be reviewed and updated regularly. Typically this would be annually, but if significant changes occur during the year, it is possible that the risk assessment and processes will need to be revisited earlier.

    | Risk | Likelihood | Impact | Interconnectivity | Clockspeed risk | Overall risk | Control procedure | Retained risk | Monitoring process | Responsibility | Action required | Date of review |
    |---|---|---|---|---|---|---|---|---|---|---|---|
    | Low investment returns | Moderate | High | Low | Moderate | Moderate | Board approved investment policy; professional investment management | Low | Investment committee review quarterly | Chair, investment committee | Include reviews in board agendas | Quarterly |
    | Injuries to participants in sports programs | High | Moderate | Low | Low | Moderate | Safety training for coaches; incident reports; liability insurance | Low | Observe sports training | Sports director | Report serious events to Board; include review in board agendas | Ad hoc; annual |
    | Abuse of vulnerable individuals by staff and volunteers | Moderate | High | High | High | High | Screening of staff and volunteers; awareness training | Moderate | Supervision; review of incident reports | Volunteer coordinator; manager; supervisor | Report serious incidents to Board; confirm screening annually | Ad hoc; quarterly |
    | Loss of information systems and information | Moderate | High | High | Moderate | Moderate | Off-site back-ups; alternative processing resources | Low | Review of incident reports; annual status assessment; review of controls by auditor | VP-IT; Chair, audit committee | Report serious incidents to Board; include reviews in board agendas | Ad hoc; annual |

    Source: Chartered Accountants of Canada, A Framework For Board Oversight of Enterprise Risk
  • 7. Improving the organization, enhancing the vision

    Having a strong risk management framework delivers a number of organizational benefits, including those related to the overall vision and mission of the organization. These include:

    • supporting smarter business decisions and better organizational performance;
    • reducing the likelihood of risks occurring;
    • minimizing the impacts of risks that do occur;
    • surviving, via a strong response plan, should a catastrophic risk occur;
    • allocating resources to those areas most in need; and
    • increasing the chance of achieving long-term mission and vision success.

    Don’t let risk derail your organization

    NPOs need to understand that risk management can have broad, complex consequences. One risk can trigger or exacerbate others, which can quickly lead to a catastrophe. So a holistic approach—such as the framework we have outlined here—is necessary. Adaptable to NPOs of any size or complexity, this approach can help you run your organization more effectively. Moreover, it offers the confidence that risk won’t derail the success of the organization your members care so much about.

    Key contacts

    For more information, or to discuss your organization’s risk management preparedness, please contact:

    • Dale Brown, CAT: T +1 403 260 2817, E Dale.Brown@ca.gt.com
    • Dale Varney, CPA, CA: T +1 416 607 2799, E Dale.Varney@ca.gt.com
    • Donna Diskos, CPA, CAT: T +1 604 443 2163, E Donna.Diskos@ca.gt.com
    • Gerry Lacroix, CAT: T +1 902 491 7747, E Gerry.Lacroix@ca.gt.com
    • Jeffrey Busniuk, CPA, CA: T +1 807 346 7203, E Jeffrey.Busniuk@ca.gt.com
    • Kim Simms, CA: T +1 709 778 8807, E Kim.Simms@ca.gt.com
    • Rob Collins, CPA, CGMA (ND): T +1 250 712 6862, E Rob.Collins@ca.gt.com
    • Sandra Pietrzyk, CAT: T +1 780 401 8236, E Sandra.Pietryzk@ca.gt.com
    • Deryck Williams, National Charities and Not-for-profit Organizations Leader: T +1 416 360 4954, M +1 604 787 8530, E Deryck.Williams@ca.gt.com
  • 8. Audit • Tax • Advisory
    www.GrantThornton.ca
    Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd

    About Grant Thornton LLP in Canada

    Grant Thornton LLP is a leading Canadian accounting and advisory firm providing audit, tax and advisory services to private and public organizations. We help dynamic organizations unlock their potential for growth by providing meaningful, actionable advice through a broad range of services. Together with the Quebec firm Raymond Chabot Grant Thornton LLP, Grant Thornton in Canada has approximately 4,000 people in offices across Canada. Grant Thornton LLP is a Canadian member of Grant Thornton International Ltd, whose member firms operate in over 100 countries worldwide.

    Except for information that is in or enters the public domain, Grant Thornton LLP will not provide any third party with information related to the client without their permission, unless required to do so by law or professional standards.