MODULE 7 RISK MANAGEMENT 7.1 What is risk assessment 7.2 The importance of risk management 7.3 How to do it? Annex: Examples of potential risk areas, their impact and mitigation


Post on 19-Sep-2020


MODULE 7

RISK MANAGEMENT

7.1 What is risk assessment

7.2 The importance of risk management

7.3 How to do it?

Annex: Examples of potential risk areas, their impact and mitigation


COLOPHON

CNV Internationaal

P.O. Box 2475

3500 GL Utrecht

The Netherlands

T: 00 31 751 1260

E: [email protected]

I: www.internationaal.nl

Author: Funding Support, Michael Schwerzel

© Copyright CNV Internationaal, 2015 All rights reserved. Any part of this publication may be reproduced by trade union partner organisations of CNV Internationaal without specific permission, provided that the source is cited as follows: “CNV Internationaal, 2015, Toolkit Financial Management for Trade Unions (P.O. Box 2475, 3500 GL Utrecht, The Netherlands)”.

If non trade union partner organisations of CNV Internationaal wish to reproduce parts of this publication, written permission from CNV Internationaal is required.


MODULE 0

INTRODUCTION AND OVERVIEW


Purpose of the Financial Toolkit

This Financial Toolkit aims to help recipients of CNV Internationaal (CNVI) funds to improve their financial management capacities. It aims to help organisations to comply with the financial standards that are set out in the contract between CNV Internationaal and partner organisations worldwide. Its specific objectives are:

• To improve budgeting, accounting and financial reporting of partner organisations.

• To improve the transparency and accountability of partner organisations.

• To increase knowledge on the financial standards of CNVI.

• To increase skills of financial staff, working at partner organisations, to comply with these financial standards.

• To provide best practices, tools and templates, and to give practical guidance on how to use these tools and templates.

What the Toolkit is not

The Toolkit:

• is not a set of rules in addition to the existing legal, contractual and regulatory framework and guides.

• is not an interpretation of the existing contractual regulations.

• is not a substitute for reading the contractual conditions and existing guides and instructions.

Use of the Toolkit

The Toolkit is developed for recipients of CNVI funds. Recipients of CNVI funds can either be Confederations (direct funding) or Federations (indirect funding). Recipients of CNVI funds can be:

• National Trade Union Confederations that have entered into a contract with CNVI;

• Trade Union Federations that are members of the National Trade Union Confederation and participate in the National Program that is mainly funded by CNVI.

This Toolkit is intended as guidance for organisations, and in particular for financial staff, to help them with specific tasks, like preparing a budget or a financial report. When working on a specific financial management area, organisations and financial staff can better prepare themselves by studying the corresponding module of the Toolkit first. By studying the corresponding module, organisations will better understand how to comply with the financial standards of CNVI and will also be able to work with the provided templates. In principle the modules only need to be studied and used when organisations (or financial staff) are working on a specific financial management area. It is not intended as a book to read from beginning to end but as a workbook: only study a module when it is relevant.


Structure and content of the Financial Toolkit

The Financial Toolkit covers 8 financial management areas and is structured into 8 modules. The content of the Financial Toolkit is:

Module 7 – Risk management

7.1 What is risk assessment?

7.2 The importance of risk management

7.3 How to do it?

Annex: Examples of potential risk areas, their impact and mitigation


The toolkit and the financial templates can also be downloaded from the partner intranet at CNVI’s website, at http://www.cnvinternationaal.nl/ (see below “partner login”).


MODULE 7

RISK ASSESSMENT


REAL LIFE STORY

A financial manager, working for a non-profit organisation providing food relief and shelter for refugees, found out that one of the financial staff members working on a project for developing new shelters belonged to a family that owns ‘Building Support’, a construction business in the region. This construction company had participated in a tender of the organisation and was a serious candidate to get the building assignment.

During the assessment of all bidders, the financial staff member advocated in favour of ‘Building Support’. The financial manager found this suspicious and decided that the financial staff member should not have been involved in this process, because of her family ties. He took her off this project. The financial staff member, who had properly revealed her association with the construction company, was offended because she felt her integrity was in doubt. In anger she quit her job. The construction company was offended too and withdrew from the tender.

The non-profit organisation was very upset and reviewed the process. They assessed that the financial manager should not have made this decision all alone. The organisation also assessed that they had no clear policies forbidding staff members to work on projects in which they may have a personal interest. They concluded that had they performed a risk assessment, they would have detected these flaws in the organisation and would have been able to take corrective measures.


Risk Assessment Standards

The FPMF requires that each organization identify the risks to the achievement of their objectives. Current actions and policies used to manage the risks should also be identified and any further action plans should be determined.

On an annual basis the management actions identified in the previous year’s risk assessment exercise should be reviewed to assess the effectiveness of actions taken in response to the identified risks.

7.1 WHAT IS RISK ASSESSMENT?

A risk is anything that may have a negative impact on achieving your organisation´s mission, goals, objectives and strategies if it becomes reality.

It may have an impact on different levels:

• the organization

• programs

• projects

• processes

• products

• services

• stakeholders

Risk assessment is a process, mostly carried out by management, to identify the risks an organisation faces and to assess, for each risk, how likely it is to occur and how severe its impact on the organisation would be if it did occur.

Trade unions face risks that can have their origin in the external environment or inside the organization. See Figure 7.1.

Figure 7.1: Sources of risks (diagram: macro environment, micro environment, the organisation itself)


7.2 THE IMPORTANCE OF RISK MANAGEMENT

Risk Management is a systematic process that aims to help organizations of any type to deal with emerging and changing risks.

It involves identifying risks, evaluating them, deciding how to respond and then taking the necessary actions. The focus of Risk Management could be:

• The organization: Organizational risk management

• A project: Project risk management

• Security: Security risk management

• Finances: Financial risk management

Financial versus security risks

Many trade unions face security risks for their staff, employees and members. Perhaps security risks are the most important risks trade unions face.

This Financial Toolkit focuses primarily on financial issues. Therefore this module focuses on financial risks a trade union faces. It doesn’t address security risks.

The PME manual (Project Monitoring and Evaluation) of CNVI explains in detail how other risk areas can be assessed.

KEY MESSAGE: THE TOOLKIT WILL ONLY ADDRESS FINANCIAL RISKS, NOT SECURITY RISKS. HOWEVER, THE METHOD FOR RISK ASSESSMENT PRESENTED IN THE TOOLKIT MAY BE USEFUL FOR ASSESSING SECURITY RISKS AS WELL.

The benefits of Risk Management

Managing risk will increase the probability that an organization will survive for a long time and be able to work towards its vision.

This is because risk management:

• Increases the probability that the organization will be compliant with laws, regulations and contracts.

• Improves the management of projects by anticipating expected risks

• Makes organizational processes more efficient due to fewer disruptions

• Improves planning and decision-making due to a better understanding of the future

• Increases the confidence of donors that funding goals and objectives will be met


Financial Risk management in the Framework

The FPMF sets standards for financial risk management. CNVI encourages partner organisations to assess financial risks regularly, at least once a year.

Financial risk assessment has important benefits. By assessing financial risks of projects and activities that federations and confederations manage, all stakeholders will gain:

• More successful projects as risks to failure will be identified and managed,

• Enhanced accountability of partner organisations by improved internal control processes,

• Increased confidence that funding goals and objectives will be met.

KEY MESSAGE: RISK ASSESSMENT MAY WORK AS INPUT FOR THE WORK PLAN

Organizations that have assessed financial risks will develop actions to reduce these risks. CNVI encourages these organizations to include these actions in the annual work plan. By doing that, CNVI can support their partner organizations to strengthen their capacities.

Figure 7.2: From Risk Assessment to Action Plan to Annual Work plan

Risk Assessment → Action Plan → Annual Work plan


7.3 HOW TO DO IT?

A risk management process is made up of a number of stages, which normally follow more or less this order:

Stage 1: Identify and describe risk areas and individual risks

Stage 2: Estimate the likelihood and impact of risks

Stage 3: Rank risks according to their significance

Stage 4: Decide about appropriate responses to risks and implement risk focused actions

Stage 5: Monitor and evaluate risks and proposed actions annually

As figure 7.3 indicates, risk assessment is an on-going process. Based on proposed actions and reviewed controls, the assessed risks will change. However, since organisations operate in a changing environment, risks will also change. Therefore assessing risks can never be a one-off event.

Figure 7.3: The Risk management Process

STAGE 1: IDENTIFY AND DESCRIBE RISK AREAS AND INDIVIDUAL RISKS

Who performs the assessment?

When assessing financial risks, senior management and board must form a representative group of staff members who have a good insight in the financial risks of the organisation. For example:

• Financial staff like a financial manager and bookkeeper

• Financial board member like the treasurer

• Project management like managers and project coordinators

• Executive management like executive managers

(Figure 7.3 diagram labels, Risk management process: identify risk, assess risk, control risk, review controls)


One member must be appointed as chair. The chairperson is responsible for facilitating the risk management process and must ensure that the input and assessments of the members are noted and reported. The output of the risk assessment, including actions to reduce the risks, should be reported in writing and shared with CNVI. By doing that, CNVI will be able to understand why certain actions are implemented in the annual work plan.

Identify Financial Risk Areas

Financial risks can occur through different factors:

• internal factors (e.g. lack of internal control processes or lack of knowledge of finance officers)

• external factors (e.g. loss of paying members due to rising unemployment).

• operations (e.g. lack of proper project management results in not achieving objectives and leads to a critical response from the donor of the project)

• law and regulation compliance risk (e.g. non-compliance with national tax laws causes huge penalties for the organisation and leads to loss of financial reserves)

As different risks derive from these areas, the group first must determine which risk area they want to review.

Describe individual risks

For each risk area the group mentions the risks. For a good understanding of the risk, the group should make an effort to describe the risk as clearly as possible.

For instance: a risk may be lack of internal control processes. But this is still a very broad and vague term and does not explain exactly what the risk is. Descriptions should be more specific. For example: “because no one controls the work of the bookkeeper; any mistakes in recording and payments will not be discovered; the organisation risks losing money”.

This example specifies the risk and everybody immediately understands what the risk is about. A more precise description of the risk will probably lead to a more specific solution as well.

Tips:

Identifying risks from scratch can be difficult and can lead to unsatisfying results. For inspiration and indications of possible financial risks your organisation should seek available information.

• Annex 7.1 presents a table of possible risks. This annex should not be used as a checklist, but rather to illustrate the type of risks that may be faced.

• Other input on financial risks may derive from negative incidents that happened in other but similar organisations. The main question should be: can this happen in our organisation as well?

• Observations from other persons like an auditor (as mentioned in a management letter) or observations from donor organisations when reviewing your reports on the operations of your organisation


STAGE 2: ESTIMATE THE LIKELIHOOD AND IMPACT OF RISKS

Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required.

The method is to assess each identified risk and determine:

• How likely is it to occur?

• How severe would the impact for the organisation be if it did occur?

Determining the likelihood

The likelihood of a risk expresses the chance that it will actually occur. This may vary from not very likely to highly probable. Figure 7.4 presents a likelihood score method: the risk assessment group should estimate how likely each identified risk is to occur in their organisation. Based on that review, each risk is given a likelihood score from 1 to 5.

Figure 7.4: Likelihood Score Method

| Descriptor | Score | Example |
|---|---|---|
| Remote | 1 | May only occur in exceptional circumstances |
| Unlikely | 2 | Expected to occur in a few circumstances |
| Possible | 3 | Expected to occur in some circumstances |
| Probable | 4 | Expected to occur in many circumstances |
| Highly probable | 5 | Expected to occur frequently and in most circumstances |


Determining impact

As not every risk will have the same impact for an organisation, the potential impact of each risk needs to be determined as well. To assess the impact of each risk (if it did occur) figure 7.5 can help.

Figure 7.5: Impact Score Method

| Descriptor | Score | Impact on reputation and loss of money |
|---|---|---|
| Unimportant | 1 | No impact on reputation or service; complaints unlikely; loss of money very small |
| Small | 2 | Slight impact on reputation or service; complaints possible; loss of money small |
| Noticeable | 3 | Some service and reputation disruption; potential for adverse publicity, avoidable with careful handling; loss of money noticeable |
| Critical | 4 | Service and reputation disrupted; adverse publicity not avoidable (local media); loss of money critical |
| Existence-threatening | 5 | Service interrupted for significant time; major adverse publicity not avoidable (national media); resignation of senior management and board; loss of confidence of donors and beneficiaries; loss of money catastrophic, leading to bankruptcy |

STAGE 3: RANK RISKS ACCORDING TO THEIR SIGNIFICANCE

Once both the likelihood and the impact of each identified risk have been scored, each risk can be ranked according to its significance. A formula gives every risk a score, which is then used to prioritise all risks.

• The formula is: (score impact * score likelihood) + score impact = risk score

• Mathematically: xy + y, where x is likelihood and y is impact

Figure 7.6 is a Risk heat map. In the risk heat map below, likelihood is x and impact is y. The colour codes are:

Red: Unacceptable risk, measures to minimize risk urgently needed, score 18 or more

Orange: High risk, measures to minimize risk necessary, score between 13-17

Yellow: Average risk, test measures to minimize risk; score between 10 and 12

Green: Minor or insignificant risks scoring 9 or less


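Figure 7.6: Risk Heat map (rows: impact, columns: likelihood)

| Impact \ Likelihood | 1 Remote | 2 Unlikely | 3 Possible | 4 Probable | 5 Highly probable |
|---|---|---|---|---|---|
| Existence-threatening (5) | 10 | 15 | 20 | 25 | 30 |
| Critical (4) | 8 | 12 | 16 | 20 | 24 |
| Noticeable (3) | 6 | 9 | 12 | 15 | 18 |
| Small (2) | 4 | 6 | 8 | 10 | 12 |
| Unimportant (1) | 2 | 3 | 4 | 5 | 6 |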

The risk group should calculate the score of each assessed risk. Based on the scores, the most serious risks can be determined.

The Chair may introduce various working methods for this risk calculation. For example, individual members first make their own calculations and these outcomes are then discussed in the whole group. Of course, other working methods are possible as well.
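The scoring and ranking of Stages 2 and 3 as a small Python sketch (an added example, not part of the CNVI toolkit): it applies the xy + y formula, maps scores to the colour codes and ranks a register. The register entries echo risks named in this module, but their scores are constructed for illustration, and ordering equal scores by impact is an assumption.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact are both scored 1-5 (Figures 7.4 and 7.5)


def risk_score(likelihood: int, impact: int) -> int:
    """Toolkit formula: (impact * likelihood) + impact, i.e. xy + y."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in SCALE:
            raise ValueError(f"{name} must be a whole number from 1 to 5, got {value!r}")
    return likelihood * impact + impact


def colour_band(score: int) -> str:
    """Colour codes listed with the risk heat map (Figure 7.6)."""
    if score >= 18:
        return "Red"      # unacceptable, measures urgently needed
    if score >= 13:
        return "Orange"   # high, measures necessary
    if score >= 10:
        return "Yellow"   # average
    return "Green"        # minor or insignificant


@dataclass(frozen=True)
class Risk:
    description: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def colour(self) -> str:
        return colour_band(self.score)


def rank(register):
    """Most significant first; equal scores ordered by impact (an assumption, not in the toolkit)."""
    return sorted(register, key=lambda r: (-r.score, -r.impact))


def heat_map():
    """Rows run from impact 5 down to 1, columns from likelihood 1 to 5."""
    return [[risk_score(x, y) for x in SCALE] for y in reversed(SCALE)]


def asymmetric_cells():
    """(likelihood, impact) pairs whose colour changes if the two scores are swapped."""
    return [(x, y) for x in SCALE for y in SCALE
            if x < y and colour_band(risk_score(x, y)) != colour_band(risk_score(y, x))]


# Constructed register: descriptions echo risks named in this module, scores are illustrative.
REGISTER = [
    Risk("Currency exchange losses", likelihood=4, impact=2),
    Risk("No one controls the work of the bookkeeper", likelihood=4, impact=4),
    Risk("Petty cash float held on site overnight", likelihood=2, impact=1),
    Risk("Non-compliance with national tax laws", likelihood=1, impact=5),
    Risk("Loss of paying members due to rising unemployment", likelihood=3, impact=4),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:>2}  {r.colour:<6}  {r.description}")
    print("Colour changes when likelihood and impact are swapped:", asymmetric_cells())
```

Because impact is counted a second time, a remote but existence-threatening risk (likelihood 1, impact 5) scores 10 and lands in Yellow, while a highly probable but unimportant one (likelihood 5, impact 1) scores 6 and stays Green.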

STAGE 4: DECIDE ABOUT APPROPRIATE RESPONSES TO RISKS AND IMPLEMENT RISK FOCUSED ACTIONS

For each of the major risks identified, senior management will need to consider any appropriate action that needs to be taken to manage the risk. Management can strive to lessen the likelihood of the event occurring, or to lessen its impact if it does.

The review should also include assessing how effective existing controls are.

The following actions are examples of possible actions (indicative):

• The risk may need to be avoided by ending that activity (e.g. stopping an entire project)

• The risk could be shared with others (e.g. collaboration with other trade unions)

• The exposure to the risk can be limited (e.g. establishment of reserves against loss of income)

• The risk can be reduced or eliminated by establishing or improving control procedures (e.g. internal financial controls, controls on recruitment, personnel policies)

• The risk may need to be insured against (this often happens for residual risk, e.g. employer’s liability, theft, fire)

• The risk may be accepted as unlikely to occur and/or low impact and therefore will just be reviewed annually (e.g. a low stock of publications may be held with the risk of temporarily running out of stock or a petty cash float of USD 25 held on site overnight)

Senior management will develop and implement appropriate actions. Preferably the actions will be attached to the annual risk assessment, so that it will be easier to assess the effectiveness of those actions after some time.


STAGE 5: MONITOR AND EVALUATE RISKS AND PROPOSED ACTIONS ANNUALLY

Risk management is a dynamic process that ensures new risks are addressed as they arise. Organizations should therefore perform a risk assessment annually. In doing this, the assessment should also focus on how previously identified risks may have changed.

A successful process will involve ensuring that:

• New risks are properly reported and evaluated

• Any significant failures of control systems are properly reported and actioned

• There is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems

• Any further actions required are identified

Last tip: federations can choose to perform a financial risk assessment during the annual meeting that is organized by the confederation. It is even possible to perform a risk assessment with colleagues working at other federations, as they face similar situations and similar risks.

By doing that, they can learn from each other, which will be a great stimulus to the process of risk management.

Annex 7.1: Examples of potential risk areas, their impact and mitigation

This list is intended to be an indication of some of the main financial areas of risk that may be considered by trade unions. Illustrative examples of potential impact are given as well.

The risks are classified as follows:

• Governance

• Operational

• Financial

• Environmental or external

• Compliance (law or regulation)


Governance risks

Potential risk Potential impact

Board members are benefiting from the organization (e.g. remuneration)

Poor reputation, morale and ethos

Adverse impact on overall control environment

Conflicts of interest

Possibility of regulatory action

The organizational structure is not effective

Lack of information flow and poor decision making procedures

Remoteness from operational activities

Uncertainty as to roles and duties

Decisions made at inappropriate level or excessive bureaucracy

Loss of key staff

Experience or skills lost

Operational impact on key projects and priorities

Loss of contact base and institutional knowledge

Operational risks

Potential risk Potential impact

Assets are not secured

Loss or damage

Theft of assets

Infringements of intellectual rights

The organization depends too heavily on volunteers

Lack of competences, training and support

Poor services for members

High turnover of volunteers causes loss of knowledge and experience

High staff turnover

Loss of experience or key technical skills

Recruitment costs and lead time

Training costs

Operational impact on staff morale and service delivery


Financial risks

Potential risk Potential impact

Insufficient budget control and financial reporting

Budget does not match key objectives and priorities

Decisions made on inaccurate financial projections or reporting

Decisions made based on unreliable costing data or income projections

Poor credit control

Poor cash flow and treasury management

Cash flow sensitivities

Inability to meet commitments

Lack of liquidity to cover variance in costs

Impact on operational activities

Dependency on income sources

Cash flow and budget impact due to loss of income from one source

Foreign currency

Currency exchange losses

Uncertainty over project costs

Cash flow impact on operational activities

Non-compliance issues with donor imposed restrictions

Repayment of grant

Future relationship with donor and other beneficiaries

Regulatory actions

Fraud or error

Financial losses

Reputational risks

Loss of staff morale

Regulatory actions

Impact on funding


Environmental or external factors

Potential risk Potential impact

Negative public perception

Loss of members

Loss of contributions of members

Impact on use of services by members

Ability to access grants or contract funding

Restrictive government policies

Impact of general legislation or regulation on activities undertaken

Impact on the availability of grants from foreign institutions

Loss of income due to restrictive tax laws

Relationship with funders

Deterioration in relationship may impact on funding and availability of support

Compliance risk (law and regulation)

Potential risk Potential impact

Non-compliance with legislation and regulations to the activities, size and structure of the organization

Reputational Risks

Penalties and fines

Judicial procedures, going to court
