While having a risk management plan is obviously important, if employees and volunteers are not aware of its existence, it is of little or no use to the organisation. However, not planning for risk at all can leave an organisation vulnerable to the increasing risks it faces, such as fraud, public liability claims and information technology.
What is risk?
PPB’s survey of 291 not-for-profit organisations from Australia and New Zealand was based on the International Standard for Risk Management definition of risk:
“Organisations face internal and external factors and influences that make it uncertain whether, when, and the extent to which they will achieve or exceed their objectives. The effect this uncertainty has on the organisation’s objectives is risk.”1
Does size matter?
While it is understandable that the larger the organisation, the more sophisticated its risk management plan, this should not frighten smaller organisations.
A risk management plan should be developed proportionally – the smaller the organisation, the less sophisticated the risk management plan can be.
Adopting a plan
For organisations that have not yet developed a risk management plan, the following may assist with the process.
Buy-in from management
Over 65 per cent of respondents believed that the CEO or the board was responsible for risk management, yet 24 per cent thought that there was a lack of understanding at these levels of the importance of risk management.
One way to get buy-in from senior levels is to establish a risk committee, where the board and management can be involved in the risk management process and can gain an understanding of the effects that risk can have on the organisation.
Budgetary constraints
With budgetary constraints a concern for 46 per cent of respondents, another reason for buy-in is to ensure that adequate resources can be allocated to the risk management process.
Risk identification
Once the board and senior management agree to the process, it is important to identify those risks that are faced by the organisation, as many are known but are not communicated or documented.
By running workshops among management, employees and volunteers, it is possible to obtain the input of those who may have a variety of views and be aware of different types of risk.
Creating a risk register
Once risks are identified, organisations need to document how those risks will be dealt with. A ‘risk register’ should record information such as the likelihood of the risk occurring, mitigation of the risk, and any residual risk that the organisation cannot mitigate. Once classified, the organisation can then make a decision about whether to take further steps to reduce risk.
Ongoing assessment
Risk management is not a one-off program. It needs to be an ongoing process with regular reviews of the risks that the organisation faces. It is also important that it becomes an integral part of all the organisation’s planning.
A full copy of the survey can be downloaded at www.ppb.com.au
1. International Standard for Risk Management (AS/NZS ISO 31000:2009)