Risky business. Risk management best practices for an increasingly risky world

Upload: grantthorntonrussia

Posted on 07-Nov-2014


DESCRIPTION

Risk management provides an organized approach to ensure that a high-quality reputation and strong relationships are sustained. With boards of directors and management now required to formally address risk, risk management has become a hot topic for the industry. Having a strong risk management framework delivers a number of organizational benefits, including those related to the overall vision and mission of the organization.

TRANSCRIPT

Page 1: Risky business. Risk management best practices for an increasingly risky world


Page 2: Risky business. Risk management best practices for an increasingly risky world

CONTENTS

It’s too important to leave to chance (page 3)
Role of the board of directors and management (page 3)
How can you ensure your organization has an appropriate risk management process in place? (page 3)
Identify risks (page 4)
How to track and manage all of this (page 6)
Improving the organization, enhancing the vision (page 7)
Don’t let risk derail your organization (page 7)
Key contacts (page 7)

In the world of not-for-profit organizations (NPOs), reputation and relationships are essential.

But, as important as they are, many organizations don’t think about the potential risks that could impact these. That’s why it’s so important to actively engage in risk management—and to have a plan in place. Risk management provides an organized approach to ensure that a high-quality reputation and strong relationships are sustained. With boards of directors and management now required to formally address risk, risk management has become a hot topic for the industry.

Page 3: Risky business. Risk management best practices for an increasingly risky world

It’s too important to leave to chance

NPOs are funded by owners—the members—who often have an emotional connection with the organization, which goes beyond just financial considerations. Damage to this connection can result in reactions that threaten the organization’s survival. Because expectations have increased, members now expect that their leadership is anticipating and assessing risk. Leaders must provide strong assurance to their members that they are acting prudently to protect the organization from a wide range of risks.

Role of the board of directors and management

Board of directors

Effective risk management begins with the group that has ultimate responsibility for the NPO—the board of directors. Board members need to explicitly acknowledge the importance of risk management, and ensure, within the size and context of their organization, that it is appropriately addressed. This is probably something they won’t take on themselves, so frequently a significant component of the detailed oversight responsibility is delegated to a standing committee, such as an audit or operations committee. But board members must carefully assess how much responsibility the board delegates, and in what areas. As final responsibility rests with the board, it’s important that directors have the appropriate skills and training to manage this process.

Management

While the board plays a significant role, usually the heavy lifting is done by management (depending on the resources available). Tasks such as development of the risk assessments, implementation of risk management systems (policies, procedures and monitoring) and mitigation strategies may be delegated to management. However, the fewer the resources available, the more involved the board will need to be in the process.

How can you ensure your organization has an appropriate risk management process in place?

Determine risk capacity, tolerance and appetite

The first step is to describe your overall ability to absorb risk, and therefore the total of individual risks you can tolerate. This involves describing your risk capacity, tolerance and appetite.

Identify risks

While there are many definitions, most simply, risk can be defined as anything that affects an organization’s ability to meet its objectives and preserve its reputation. Just as no two organizations will share the same objectives, no two organizations will share the same risk profile. To identify the risks specific to your organization, it may be helpful to use the following risk categories to see which may apply to you.

• Reputational: social media, privacy, litigation
• Information technology: data availability, data security (including that related to mobile devices)
• Operational and program: service quality, capacity constraints, vendor dependencies
• Financial: liquidity, capital availability, investment, theft
• Governance: failure to have an appropriate governance structure or skills proportionate to the intended governance structure
• External: macroeconomic conditions, volatility, structural change, competition, industry cyclicality, natural disasters
• Strategic: failure to implement strategy, ineffective strategy, or absence of strategy
• Compliance: non-compliance with laws and regulations

When going through this exercise, you will probably identify a long list of possible risks specific to your organization and your situation.

Assess and prioritize risks

It’s not feasible to simply eliminate or mitigate all risks. In fact, the higher your organization’s risk appetite, the more risks you’re willing to accept. Instead of trying to eliminate every risk, assess and prioritize each type of risk, preparing a response for those which may have a significant impact on the organization.

In order to assess these risks, you will need to analyze a range of factors, including:

• the likelihood of the risk occurring;
• the impact the risk will have on the organization;
• the interconnectivity of that risk with other risks;
• the ability of the organization to react to the risk (i.e., clockspeed risk); and
• the ability to mitigate the risk.

A useful visual tool for documenting these assessments is a heat map (a partial example of which is provided below). The use of colour facilitates an overview of the results of the assessment, highlighting which out of the many risks examined require the most attention. Prioritizing the risks is then a straightforward process.

Risk | Likelihood | Impact | Interconnectivity | Clockspeed | Overall risk
Low investment returns | Moderate | High | Low | Moderate | Moderate
Injuries to participants in sports programs | High | Moderate | Low | Low | Moderate
Abuse of vulnerable individuals by staff and volunteers | Moderate | High | High | High | High
Loss of information systems and information | Moderate | High | High | Moderate | Moderate

Source: Chartered Accountants of Canada, 20 Questions Directors of Not-For-Profit Organizations Should Ask About Risk

Upon completion of the heat map, you will then need to determine whether the total risk exceeds your risk tolerance. In the example above, immediate and urgent action is required. However, when the total risk is below the tolerance level, you can then assess the benefits against the costs of reducing the priority risks, and take action to manage accordingly.

Manage risks

There are four strategies for dealing with risk:

Avoidance — Avoiding undertakings that could result in a risk occurring in the first place.

Transference — Sharing the risk with someone else (e.g., insurance). Note that the board cannot absolve its responsibility by simply transferring the risk, as it still has a due diligence responsibility in this situation.

Mitigation — Developing policies and procedures to detect and reduce the likelihood and/or severity of risks to an acceptable level. This is the most frequently applied strategy.

Acceptance — Accepting or simply monitoring the risk, provided that it is unlikely or would have minimal impact.

Once the appropriate strategy (or strategies) is chosen, you need to take certain steps to ensure that it is followed. Some of these steps include:

• establishing policies and procedures;
• designating specific individuals or groups of individuals (e.g., the board) as responsible for the execution of these policies and procedures;
• communicating those responsibilities to those individuals; and
• ensuring that the individuals or groups of individuals assigned those responsibilities have the proper resources (systems), training and skills to fulfil those responsibilities.

Monitor and report risks

Just as policies and procedures need to be developed to manage risks, metrics and reporting also need to be put in place.

As part of this process, you should determine if, and how, you can avoid crisis situations in the first place. In addition, management, with board consultation, should determine any early indicators that could be monitored to identify a crisis before it occurs or before it becomes significant. Examples of some of these indicators are key operating or financial metrics, or stress testing of the budget assumptions.

How to track and manage all of this

With so many factors to consider, it can be difficult to track and manage an effective risk management process. So, to help with this, many organizations use a risk register (which also includes the heat map discussed earlier). A partial example is shown below.

A risk register summarizes the risks, how they are managed and monitored, and who is responsible for each procedure. While it may take considerable effort to construct, once complete, it is an effective tool that facilitates review and update.

The risk management process never ends, as risks are not static. Therefore, the risk register needs to be reviewed and updated regularly. Typically this would be annually, but if significant changes occur during the year, it is possible that the risk assessment and processes will need to be revisited earlier.

Risk | Likelihood | Impact | Interconnectivity | Clockspeed risk | Overall risk | Control procedure | Retained risk | Monitoring process | Responsibility | Action required | Date of review
Low investment returns | Moderate | High | Low | Moderate | Moderate | Board approved investment policy; professional investment management | Low | Investment committee review quarterly | Chair, investment committee | Include reviews in board agendas | Quarterly
Injuries to participants in sports programs | High | Moderate | Low | Low | Moderate | Safety training for coaches; incident reports; liability insurance | Low | Observe sports training | Sports director | Report serious events to Board; include review in board agendas | Ad hoc; annual
Abuse of vulnerable individuals by staff and volunteers | Moderate | High | High | High | High | Screening of staff and volunteers; awareness training | Moderate | Supervision; review of incident reports | Volunteer coordinator; manager; supervisor | Report serious incidents to Board; confirm screening annually | Ad hoc; quarterly
Loss of information systems and information | Moderate | High | High | Moderate | Moderate | Off-site back-ups; alternative processing resources | Low | Review of incident reports; annual status assessment; review of controls by auditor | VP-IT; chair, audit committee | Report serious incidents to Board; include reviews in board agendas | Ad hoc; annual

Source: Chartered Accountants of Canada, A Framework For Board Oversight of Enterprise Risk

Improving the organization, enhancing the vision

Having a strong risk management framework delivers a number of organizational benefits, including those related to the overall vision and mission of the organization. These include:

• supporting smarter business decisions and better organizational performance;
• reducing the likelihood of risks occurring;
• minimizing the impacts of risks that do occur;
• surviving, via a strong response plan, should a catastrophic risk occur;
• allocating resources to those areas most in need; and
• increasing the chance of achieving long-term mission and vision success.

Don’t let risk derail your organization

NPOs need to understand that risk management can have broad, complex consequences. One risk can trigger or exacerbate others, which can quickly lead to a catastrophe. So a holistic approach—such as the framework we have outlined here—is necessary. Adaptable to NPOs of any size or complexity, this approach can help you run your organization more effectively. Moreover, it offers the confidence that risk won’t derail the success of the organization your members care so much about.

Key contacts

For more information, or to discuss your organization’s risk management preparedness, please contact:

Dale Brown, CA. T +1 403 260 2817. E [email protected]

Dale Varney, CPA, CA. T +1 416 607 2799. E [email protected]

Donna Diskos, CPA, CA. T +1 604 443 2163. E [email protected]

Gerry Lacroix, CA. T +1 902 491 7747. E [email protected]

Jeffrey Busniuk, CPA, CA. T +1 807 346 7203. E [email protected]

Kim Simms, CA. T +1 709 778 8807. E [email protected]

Rob Collins, CPA, CGMA (ND). T +1 250 712 6862. E [email protected]

Sandra Pietrzyk, CA. T +1 780 401 8236. E [email protected]

Deryck Williams, National Charities and Not-for-profit Organizations Leader. T +1 416 360 4954. M +1 604 787 8530. E [email protected]

Audit • Tax • Advisory
www.GrantThornton.ca

Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd

About Grant Thornton LLP in Canada

Grant Thornton LLP is a leading Canadian accounting and advisory firm providing audit, tax and advisory services to private and public organizations. We help dynamic organizations unlock their potential for growth by providing meaningful, actionable advice through a broad range of services. Together with the Quebec firm Raymond Chabot Grant Thornton LLP, Grant Thornton in Canada has approximately 4,000 people in offices across Canada. Grant Thornton LLP is a Canadian member of Grant Thornton International Ltd, whose member firms operate in over 100 countries worldwide. Except for information that is in or enters the public domain, Grant Thornton LLP will not provide any third party with information related to the client without their permission, unless required to do so by law or professional standards.