Why Charities Should Care About Risk Management
Cyber attacks, defalcations, privacy breaches, system crashes, key supplier bankruptcies, financial losses from poorly managed campaigns, reputational problems, loss of significant contracts, change of government or change of government policy, member boycotts, global financial crisis, donor complaints, naughty volunteers.
What charity has not experienced at least one of the above listed problems at some point in its history; and if you haven’t personally experienced some problem in your non profit sector career, then you simply haven’t been around long enough.
If you haven’t ever considered or prepared yourself for the potential risks that you may face for your organisation or your own career, you are not alone.
Consulting experts, Grant Thornton have concluded that
“Not for profit organisations tend to have a less comprehensive approach to risk management than other organisations. They are less likely to have a designated privacy officer, and few use risk management software. Over a quarter surveyed said risk management is not well understood in their organisation. Most risk management teams in Not for Profit organisations are smaller than average, with around three part timers in the core team and three risk champions in the wider organisation. They often have additional managerial or HR responsibilities – on average risk management represents 10% of their role. Not for Profit organisations don’t usually have an organisation-wide risk profile. “
Here are some risk scenarios that could impact on a charity
- A major national retailer invites you to sell a small product on their counter for three weeks of the year. You are required to purchase or manufacture the product in advance, and pay for all expenses related to the campaign. It’s going to cost your organisation about $40,000 to invest in the product, but the potential sales could amount to about $200,000. How do you assess the risk?
- Your fundraiser steals from your organisation
- You receive a complaint from the Privacy Commissioner. Someone alleges that you shared information they had supplied to your organisation in confidence, with someone outside the organisation.
- Someone kills themselves claiming that they had been hounded by charity appeals. Your organisation is named as one of the perpetrators.
- A volunteer was jailed for a sex offence committed when they were very young
- A board member is in a conflict of interest situation
- Government policy changes and you lose your sole source of income – government contracts
- You run an event and during the event someone is killed or injured because of your negligence
- A staff member takes a personal grievance suit against you
- Someone hacks into your computer system or comes into your office and steals credit card information
All of the above scenarios are real. And these scenarios could be used as a basis for a risk management identification/template.
If you are a small charity without the resources to call in an expert to identify your risks – what can you do about it?
- You need to identify the possible risks and along with your board members, identify the ways you can reduce the risks. This simple register will show that you have at least considered the risks and taken steps to mitigate them. If someone sues you or complains, or even prosecutes you, your register will show that you are have taken action to reduce the risks.
- Of course just identifying the risks is only step one. The next stage is to put your mitigation measures into your planning documents and assign responsibility for achieving the actions.
- Having taken your actions, you will then report these on a regular basis to your governance body. This should be a regular item on your governance agenda. Keep an eye out for new risks, new mitigation measures, new government policies and legislation that will impact on your charity.
- Remind your governance body that the buck stops with them. That should be motivation enough to take risk seriously.
- If you need a simple risk management template, contact us and we’ll send you one! email@example.com