Risky business
Mahmood Reza explains the importance of good risk management to the health of an organisation.
Risk management is the process of managing your organisation’s exposure to potential liabilities. It gives managers, staff, clients, the board and other stakeholders the confidence to pursue their mission without the fear of legal action or harm, and approaches risk in a structured and calculated manner. It needs full organisational support, and should be developed by a team who can communicate effectively with relevant stakeholders, and who have a working knowledge of the activities, dynamics and history of the organisation, and an awareness of the law.
Risk consists of three elements: choice, likelihood and consequence. If there is no choice then a manager does not have a risky situation, only one beyond the manager’s control. Likelihood implies some level of uncertainty, and some unwanted consequence must exist in one or more of the choices available. The usual steps in developing a risk management plan are: identify, evaluate, decide on appropriate strategies, implement, monitor and review. Identifying risks involves making a systematic and complete assessment of all the hazards that could arise from your organisation’s activities. This will require knowledge of your organisation, its social and legal context, its mission, values and activities.
It is useful to categorise risks. For example, business risks could be sub-divided into strategic, service/product, reputation and operational (including fraud). Risk needs to be considered in terms of how likely it is to occur, and the likely consequences. This can be measured qualitatively, from very likely to rare (likelihood) and trivial to severe (consequence), or quantitatively, from one to ten (likelihood) against zero to ten (consequence). The two measures of likelihood and consequences can be brought together in a ‘level of risk’ matrix. High likelihood with high impact requires high priority, monitoring and mitigation; low likelihood with low impact is acceptable, within limits.
A risk register is used to record the risks you have identified, their likelihood, their probable consequences and their priority. Remember to revise the register periodically – the likelihood and consequences alter over time as circumstances change. Risk management strategies should be approved at board level and adopted across the organisation. The strategies commonly used are avoidance, control, financing and transfer. A combination of strategies is the normal way to manage risks. Organisations can avoid the risk altogether by not providing the service.
Risk avoidance is the most overlooked and misused strategy, but it may not be an option for the core activities of a not-for-profit organisation. Control measures include effective training and development, clear and communicated policies, internal control and the quality of the board. Risk financing involves building up reserves to meet potential liabilities. Risk transfer typically includes insurance cover, indemnity or exemption from liability clauses, and sub-contracting the activity to an independent contractor. Where risks are transferred to another party, a new risk arises: that the transfer may not be effective, for example because of a legal technicality or restriction.
Once a risk management programme has been approved, the next stages are implementation, monitoring and review. The programme should be reviewed at least once a year, but also whenever there are any changes in the law or the organisation’s activities. The challenge is to treat the risks in an appropriate and cost-effective manner to protect the organisation and its stakeholders. This must be done without dampening the inspiration, goodwill and social spirit of staff, volunteers or board members with inflexible bureaucratic rules and procedures.