Risk and Risk Management

 

Risk and Risk Management Risk Ri sk ca can n be de defi fine ned d as th the e co comb mbin inat atio ion n of th the e pr prob obab abil ilit ity y of an ev even entt and it its s conseq con sequen uences ces.. In all types of und undert ertaki aking, ng, the there re is the pot potent ential ial for events events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognized as being concerned with both positive and ne nega gati tive ve as aspe pect cts s of ri risk sk.. Th Ther eref efor ore e th this is st stan andar dard d co consi nside ders rs ri risk sk fr from om bo both th perspectives. In the safety field, it is generally recognized that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

Risk is anything that can derail your nonprofit from accomplishing its mission. Risk management is a discipline for identifying risks, assessing how serious or severe the risks ri sks are are,, and determin determining ing way ways s to add addre ress ss tha thatt unc uncer ertai tain n fut future ure with a goa goall of  avoiding or minimizing harm and financial losses. Risk management focuses on those events or occurrences that may cause injury or harm to a nonprofit’s clients, its assets (including employees and volunteers) and its reputation.

Risk and Risk Management Risk-uncertainty of the outcome Risk Ris k can bri bring ng une unexpe xpecte cted d gai gains. ns. It can als also o cau cause se unf unfor orese eseen en los losses ses,, ev even en catastrophes. Risks are common and inherent in the financial markets and commodity markets: asset risk (stocks...), interest rate risk, foreign exchange risk, credit risk, commodity risk and so on. There are two totally different attitudes toward risks:

1.

Risk aversion: quantify an identified risk and control it, i.e., to devise a plan to manage the exposed risk and convert it into a desired form. Basically, two kinds of plans are available: a. Replace the uncertainty with a certainty to avoid the risk of adverse outcomes even if this requires giving up the potential gaining opportunity. Be willing willing to pay a certain price price for the potential gaining opportunity, while avoiding the risk of adverse outcomes.

 

Risk seeking: willing to take the risk with one's money, in hope of reaping risk

2.

profits from investments in risky assets out of their frequent price changes. Acting in hope of reaping risk profits from the market price changes is called speculation. The most common risks facing nonprofits: The frequency of a particular risk will depend on what activities your nonprofit is engaged in. Youth-serving organizations and those serving vulnerable persons are always concerned about the safety of their clients in the hands of volunteers or staff  who provide services. Yet, the most common risk for those organizations may be related to the fact that the clients are being transported every day in vans, exposing them and the driver to a possible motor vehicle accident. A serious risk that every nonprofit faces is the risk that its reputation or good will in the community could be eroded erod ed by an any y nu numb mber er of ci circ rcum umst stanc ances es,, fr from om a su surl rly y re rece cept ptio ioni nist st to fi finan nanci cial al improprieties. Each nonprofit needs to conduct an assessment of its activities to determine what its own most common risks may be. Statistically, if your nonprofit has any employees, it is probable that at some point the organization will be faced with an employment-related claim. Common claims in the property and casualty area include slips, trips and falls and motor vehicle accidents. Sorts of events which cause us to lose our tax-exempt status:

Your org Your organi anizat zation ion’s ’s art articl icles es of inc incorp orpora oratio tion n pro probabl bably y mi mirr rror or the IRS re regul gulati ations ons under Code Section by providing a fairly specific checklist of what to avoid: (i) Operating so that more than an insubstantial part of the nonprofit’s activity

furthers a purpose(s) other than its charitable purpose (ii) Conferring private benefit (usually financial) on other entities or individuals (iii) Supporting or opposing a candidate for public office (iv)

Upon dissolution, distributing remaining assets to someone, or something, other than the government or another tax-exempt organization.

Many times the first enforcement step is for the IRS to impose penalties, called “inter “in termed mediat iate e sanc sanctio tions” ns” agai against nst the non nonpro profit fit,, the per person son who rec receiv eived ed the

 

excess benefit and board members who approved the nonprofit’s actions. However, in egregious situations the IRS will move directly to revoke an organization’s status. Some specific circumstances that can cause a charity to lose its tax-exempt status are: •

Taking out an ad in the paper encouraging readers to vote for a particular candidate

•

Running a commercial activity through the nonprofit that has no relation to the missi mi ssion on an and/ d/or or th that at ta take kes s up mo more re th than an an in insub subst stan anti tial al am amou ount nt of ti time me,, energy and resources, so that it overshadows the charitable activities of the organization.

•

Engaging in a transaction that results in compensation to an individual or to anoth ano ther er or orga gani niza zati tion on th that at ex exce ceed eds s th the e fa fair ir ma mark rket et va valu lue e of th the e go good ods s or services rendered to the nonprofit.

•

Failure to file the organization’s annual report, IRS Form 990.

Prioritize all the possible risks facing our organization: To prioritize your risk management ‘to do’ list, you need to determine which risks are most likely to occur, as well as which risks will result in the most severe harm. This exercise is called a “risk assessment.” For some organizations, losing power or water damage dam age du due e to se seve vere re we weath ather er ma may y be a fr freq eque uent nt oc occu curr rren ence ce th that at ha has s be been en succe suc cessfu ssfully lly managed managed so tha thatt if it hap happen pens s in the future future the there re may be min minim imal al disruption and financial impact; while for others, a catastrophic loss such as a child drowning, may be extremely unlikely given the supervision and safety procedures in place, but, because of the severity of the loss, risk management procedures at the waterfront/poolside are a high priority for that nonprofit. •

The Nonp Nonprof rofit it Ri Risk sk Man Manage agemen mentt Cen Center ter off offers ers ris risk k ass assess essmen mentt con consul sultin ting g services to assist nonprofits with an overall assessment of their unique risks. Often a review of a nonprofit’s insurance program is completed simultaneously so th that at th the e no nonp npro rofi fitt ha has s a be bett tter er id idea ea of wh whet ethe herr it its s va vari riou ous s ri risk sks s ar are e adequately addressed through insurance.

Risk Management

 

Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. The focus of good risk management is the identification and treatment of these risks. Its It s ob obje ject ctiv ive e is to add ma maxi ximu mum m su sust stai aina nabl ble e va valu lue e to al alll th the e ac acti tivi viti ties es of th the e organization. It marshals the understanding of the potential upside and downside of  all those factors which can affect the organization. It increases the probability of  success, and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. Risk Ri sk ma mana nage geme ment nt sho shoul uld d be a co cont ntin inuo uous us and de deve velo lopi ping ng pr proc oces ess s wh whic ich h ru runs ns throughout the organization’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organization’s activities past, present and in particular, future. It must be integrated into the culture of the organi org anizat zation ion wit with h an eff effect ective ive policy policy and a pro progra gramm mmed ed le led d by the most sen senior ior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description. It suppor sup ports ts acc accoun ountab tabili ility, ty, per perfor forman mance ce me measur asureme ement nt and rew reward ard,, thu thus s pro promot moting ing operational efficiency at all levels.

 

Risk Management Plan: Just as a nonprofit might design a strategic plan to address its goals and outline how to ac achi hiev eve e th them em,, si simi mila larl rly, y, a ri risk sk ma mana nage geme ment nt pl plan an is a wa way y to id iden enti tify fy ri risk sk management goals, strategies to achieve them, measurable outcomes, as well as who wil willl be acc accoun ountab table. le. A ris risk k man manage agemen mentt pla plan n may inc includ lude e pol polici icies es tha thatt the nonprofit already has, or articulate goals to adopt in the future. Generally the risk management plan is developed by a committee that includes staff and board and adopted by the board as part of the board’s overall commitment to good governance. Risk Management Plan There are four stages to risk management. They are: • Risk Identification • Risks Quantification • Risk Response

 

• Risk Monitoring and Control Risk Identification In this stage stage,, we identify identify and name the risks. The best appro approach ach is a workshop with bbus bb usin ines ess s an and d IT pe peop ople le to ca carr rry y ou outt th the e id iden enti tifi fica cati tion on.. Us Use e a co comb mbin inat atio ion n of  brainstorming and reviewing of standard risk lists. There are different sorts of risks and we need to decide on a project by project basis what to do about each type. Business risks are ongoing risks that are a re best handled by the business. An example is that if the project cannot meet end of financial year deadline, the business area may need to retain their existing accounting system for another year. The response is likely to be a contingency plan developed by the business, to use the existing system for another year. Generic risks are risks to all projects. For example the risk those business users might not be available and requirements may be incomplete. Each organization will develop standard responses to generic risks.

Risks should be defined in two parts. The first is the cause of the situation (Vendor not meeting deadline, Business users not available, etc.). The second part is the impact (Budget will be exceeded, Milestones not achieved, etc.). Hence a risk might be de defi fine ned d as "T "The he ve vend ndor or no nott me meet etin ing g de dead adli line ne wi will ll me mean an th that at bu budg dget et wi will ll be exceeded". If this format is used, it is easy to remove duplicates, and understand the risk. Risk Quantification Risk need to be quantified in two dimensions. The impact of the risk needs to be assessed. The probability of the risk occurring needs to be assessed. For simplicity, rate ra te eac ach h on a 1 to 4 sc scal ale. e. Th The e la larg rger er th the e nu numb mber er,, th the e la larg rger er th the e im impa pact ct or probability. By using a matrix, a priority can be established.

 

Note that if probability is high, and impact is low, it is a Medium risk. On the other hand if impact is high, and probability low, it is High priority. A remote chance of a catastrophe warrants more attention than a high chance of a hiccup.

Risk Response There are four things you can do about a risk. The strategies are: • Avoid the risk. Do something to to remove it. Use another supplier for example. example. • Tra Transf nsfer er the ri risk. sk. Make someone someone else responsi responsible ble.. Pe Perha rhaps ps a Ven Vendor dor can be made responsible for a particularly pa rticularly risky part of the project. • Mi Miti tigat gate e th the e ri risk. sk. Take action actions s to le lesse ssen n th the e im impac pactt or chance chance of th the e ri risk sk occurring. If the risk relates to availability of resources, draw up an agreement and get sign-off for the resource to be available. • Acc Accept ept the risk. risk. The risk risk might be so small small the effor effortt to do anythin anything g is not worthwhile.

A risk response plan should include the strategy and action items to address the strategy. The actions should include what needs to be done, who is doing it, and when it should be completed.

Risk Control The final step is to continually monitor risks to identify any change in the status, or if  they turn into an issue. It is best to hold regular risk reviews to identify actions

 

outstanding, risk probability and impact, remove risks that have passed, and identify new risks.