Providing assurance of risk
How can finance managers engage CEOs in tricky decisions about risks? How do they keep risk management on the board agenda?
These were key questions for delegates at the Providing Assurance of Risk workshop, led by Kate Sayer, a consultant at Sayer Vincent, at this year's Charity Accountants' Conference.
Kate explained that risk registers can be helpful to start discussions on risk and raise awareness of issues, but they have flaws.
She said, “If the risk register is too long, not relevant or not being read, it’s time to do something different. Most risk registers could be reduced to six or seven key risk items.”
Effective risk registers focus on strategic and high-impact risks. To work out which risks are the most critical, trustees could start with a blank sheet of paper and ask themselves which big risks really worry them. Having fewer high-impact and strategic risks means each one can be reviewed in greater depth at a finance and audit committee meeting or at board meetings.
Kate is a trustee at the Association of Chairs, where at each board meeting one trustee leads on one area of risk, which the trustees then analyse in depth.
Flaws in the system
Kate highlighted that traditional risk management also has flaws because it tends to focus on the negatives, which can encourage trustees to be risk averse.
She said, “Risk management is also sometimes viewed as a separate activity rather than integrated into the main activities of the charity, where it belongs. Also, ranking the risks by their level of gravity doesn’t always work as people have different views – it is very subjective. It is far better to have a strategic conversation about risk.”
A risk register can also never really be complete, because people cannot think of everything. Effective risk management relies on people being open-minded about the potential for new risks to emerge.
Different types of risks
Kate suggested that another way for charities to approach risk management is to consider four different types of risk.
- Inherent risks
Inherent risks are risks built into the business model. For example, if a social care provider relies on employing European staff, its business could be at risk as a result of Brexit. To manage inherent risks, organisations need to fully understand their income and costs and the links between their income and expenditure. How do they operate? How are they funded, and are there any constraining factors?
To mitigate such risks, charities could consider collaborating with other organisations to share risk, or ask funders to share risk. Alternatively, the charity’s funding model may need to change: for example, if the organisation is too reliant on contracts, it could try to introduce more grant funding.
Some risks could be factored into the pricing. For example, a charity that is a housing provider could adjust its pricing to cover periods when it has empty accommodation, reducing its funding risk.
- External Risks
There are many external risks, including political changes such as Brexit, shifts in public attitudes, technological changes, funding changes, changes in the public services model, and competitors both new and old. External risks are hard to manage because they are ever changing and often unknown. Kate recommended that charities undertake regular PESTLE analysis to identify these risks, monitor regularly for early warning signs that risks are escalating, and report on the status of risks so that this information feeds into the decision-making process.
It is good practice for organisations to prepare response and media plans to be actioned in the event of a crisis. These plans should include who will respond, the timescales for response and the key messages for all stakeholders. The organisation’s stakeholders are extremely important, so thinking about their expectations and communicating with them in the right way is a major consideration.
- Operating Risks
Operating risks are things that could go wrong in day-to-day operations. These are usually known risks and can be managed effectively by having good controls, processes, systems and checks in place. Examples include health and safety and data protection.
- Risk Taking
All charities need to take risks, but boards need to discuss what level of risk is acceptable to them and how they will manage the risk-taking. Who will manage the risk? What are the resourcing and pricing implications? How will success be measured? These are all key questions to consider.
Three lines of defence
To provide greater assurance on risk, Kate recommended thinking about three lines of defence and applying them to each risk.
- Operational
The first line of defence is operational: ensuring the organisation is doing the right things. This means having quality processes and procedures in place, ensuring there is proper guidance, induction and training for staff, and having clear roles and responsibilities so everyone knows who is doing what.
- Management Oversight
The second line of defence is management oversight: managers are responsible for managing operational risk. Providing trustees with assurance reports that demonstrate how day-to-day risk is managed should help to build confidence across the organisation that you are doing the right things and doing them well. Assurance reporting needs to be at least annual, and managers should be prepared to sign off their own assurance report covering the areas under their responsibility.
- Independent Verification
The third line of defence is independent verification. This could take the form of audit reports or spot checks to identify key actions or highlight any issues.
Kate recommended that charities turn risk management on its head and focus on their strategic goals and what they need to get right. She said risk registers could be viewed as opportunity registers.
She concluded, “All charities must take risks – what’s important is how the risk taking is managed. As Atul Gawande, the surgeon and writer, said, ‘discipline makes daring possible.’”