It has been quite a start to the year in South Africa and globally. Very little seems certain and financial markets are responding with volatility. This is an anxious time for community organisations who must navigate the stormy waters of both funding and programme delivery in an increasingly uncertain world. How can organisations plan for and manage risk in an environment that is ever-changing?
A key oversight responsibility of non profit boards and senior managers is to understand, manage and mitigate against risk to ensure their organisations are sustainable and able to deliver high quality programmes to beneficiaries. The NACOSA Training Institute recently started delivering a new Risk Management training in communities, developed with the Global Fund, to build the capacity of community organisations to plan for risk. The training goes beyond financial risk, focusing also on governance, programme implementation as well as procurement and supply management risk.
WHAT IS RISK?
A risk is a future adverse or negative outcome. Operational risk includes things like the possibility of reduced programme impact, not achieving targets, reputational damage and/or wastage or misuse of resources due to specific processes or role players not operating as intended.
Assessment of potential risks and developing a plan to mitigate risks helps organisations achieve programme goals and function optimally so that they can effectively manage funding and be resilient when dealing with a changing environment.
There are different types of risk:
- Strategic risks affect the organisation’s ability to achieve its strategic objectives or affect its reputation negatively.
- External risks are risks outside of the organisation like donor policy or the changing nature of the AIDS epidemic.
- Internal risks are risks within the organization; in their internal control environment through the use of financial resources, systems, staff safety, legal liability and regulatory compliance issues, and attention to ethical behaviour.
WHY HAVE A RISK MANAGEMENT STRATEGY?
A good risk management strategy will ensure that an organisation is able to contribute towards HIV/AIDS disease control and elimination, the achievement of the National Strategic Plan for HIV, TB and STIs, address inequalities in accessing health services, contribute towards the achievement of the global Sustainable Development Goals and can demonstrate its results.
By formally assessing risk, organisations are able to:
- Think strategically about their future and make informed decisions
- Provide reliable assurance to the board, management and constituencies that they are able to reach their objectives and implement new ventures.
- Apply increased consistency and proactiveness in risk management activities
- Manage funding effectively through internal quality assurance, early warning systems and adapting plans when necessary.
- Find remedies to recurrent issues or concerns.
- Greater openness, transparency and accountability in decision-making between all actors in the grant management process.
Managing risk should be a key priority for any organization but many do not do it well. The reasons organisations fall short include:
- Poor capacity within the organisation
- A lack of clarity about where the responsibility lies for the management of risk
- Risk management is not embedded in the day-to-day activities of the organisation
- The risk management plan is not used as a tool for discussing the organisation’s attitude towards the risks or the effectiveness of risk mitigation activities.
- A lack of incentive to manage risk
- High costs associated with managing risk
- A lack of consistency between initial identification of risks and subsequent mitigation activities to manage those risks.
KEY PRINCIPLES
The board, management and other personnel in an organisation must be able to manage risk proactively and take shared responsibility for risk management processes. To be effective, risk management in an organisation should follow these principles[1]:
- Risk management is part of the culture of the organisation and facilitates, rather than hinders, the achievement of objectives.
- Risk management is integral to normal organisational processes and decision making. It should use simple language, straightforward concepts and encourage common sense thinking.
- Risk management is standardised and aligned with the organisation’s external and internal contexts.
- Disclosure of risk is not punished but viewed as an opportunity for new ideas and addressed constructively.
- Risk management needs to be coordinated between the different responsible stakeholders and role players so as to avoid gaps and duplication.
- Risk management is transparent and inclusive, allowing decision makers at all levels of the organisation to participate and stakeholders to be represented.
- Risk management is a dynamic and ongoing process.
In making decisions about risk, the effect of those decisions on the ultimate goal – to achieve maximum impact on HIV and TB in South Africa, for example – needs to be carefully balanced. The net effect of each decision to manage risk on that impact must be positive. The benefits should outweigh the costs.
NURTURING A RISK-AWARE CULTURE
Boards and senior management have a shared responsibility to nurture a risk-aware culture that encourages prudent risk taking within the organisation’s strategy. A strong culture is one in which decisions are made in a disciplined way, taking into account considerations of risk and reward transparently and on an informed basis. This decision-making culture should extend throughout the organisation, from the largest strategic decisions to the most routine day-to-day ones. Effective risk management is a key element of good governance and therefore the board is ultimately responsible.
It is useful for organisations to measure themselves on how well they are currently managing risk before starting the process of building a risk-aware and resilient organisation. With a solid baseline in place, implementing and assessing risk management policies and processes becomes easier.
Find out more by contacting the NACOSA Training Institute >
[1] The Global Fund. 2014. The Risk Management Policy. The Global Fund Thirty-Second Board Meeting. Montreux, Switzerland, 20-21 November 2014. GF/B32/13. Geneva.