MODULE 7
RISK MANAGEMENT
7.1 What is risk assessment
7.2 The importance of risk management
7.3 How to do it?
Annex: Examples of potential risk areas, their impact and mitigation
COLOPHON
CNV Internationaal
P.O. Box 2475
3500 GL Utrecht
The Netherlands
T: 00 31 751 1260
I: www.internationaal.nl
Author: Funding Support, Michael Schwerzel
© Copyright CNV Internationaal, 2015 All rights reserved. Any part of this publication may be reproduced by trade union partner organisations of CNV Internationaal without specific permission, provided that the source is cited as follows: “CNV Internationaal, 2015, Toolkit Financial Management for Trade Unions (P.O. Box 2475, 3500 GL Utrecht, The Netherlands)”.
If non trade union partner organisations of CNV Internationaal wish to reproduce parts of this publication, written permission from CNV Internationaal is required.
MODULE 0
INTRODUCTION AND OVERVIEW
Purpose of the Financial Toolkit
This Financial Toolkit aims to help recipients of CNV Internationaal (CNVI) funds to improve their financial management capacities. It aims to help organisations to comply with the financial standards that are set out in the contract between CNV Internationaal and partner organisations worldwide. Its specific objectives are:
• To improve budgeting, accounting and financial reporting of partner organisations.
• To improve the transparency and accountability of partner organisations.
• To increase knowledge on the financial standards of CNVI.
• To increase skills of financial staff, working at partner organisations, to comply with these financial standards.
• To provide best practices, tools and templates, and practical guidance on how to use these tools and templates.
What the Toolkit is not
The Toolkit:
• is not a set of rules in addition to the existing legal, contractual and regulatory framework and guides.
• is not an interpretation of the existing contractual regulations.
• is not a substitute for reading the contractual conditions and existing guides and instructions.
Use of the Toolkit
The Toolkit is developed for recipients of CNVI funds. Recipients of CNVI funds can either be Confederations (direct funding) or Federations (indirect funding). Recipients of CNVI funds can be:
• National Trade Union Confederations that have engaged into a contract with CNVI;
• Trade Union Federations that are members of the National Trade Union Confederation and participate in the National Program that is mainly funded by CNVI.
This Toolkit should serve as guidance for organisations, and in particular for financial staff, to help them with specific tasks, like preparing a budget or a financial report. When working on a specific financial management area, organisations and financial staff can better prepare themselves by studying the corresponding module of the Toolkit first. By studying the corresponding module, organisations will better understand how to comply with the financial standards of CNVI and will also be able to work with the provided templates. In principle the modules only need to be studied and used when organisations (or financial staff) are working on a specific financial management area. It is not intended as a book to read from beginning to end but as a workbook: only study a module when it is relevant.
Structure and content of the Financial Toolkit
The Financial Toolkit covers 8 financial management areas and is structured into 8 modules. The content of the Financial Toolkit is:
Module 7 – Risk management
7.1 What is risk assessment?
7.2 The importance of risk management
7.3 How to do it?
Annex: Examples of potential risk areas, their impact and mitigation
The toolkit and the financial templates can also be downloaded from the partner intranet at CNVI’s website, at http://www.cnvinternationaal.nl/ (see below “partner login”).
MODULE 7
RISK ASSESSMENT
REAL LIFE STORY
A financial manager working for a non-profit organisation that provides food relief and shelter for refugees found out that one of the financial staff members working on a project for developing new shelters belonged to a family that owns ‘Building Support’, a construction business in the region. This construction company had participated in a tender of the organisation and was a serious candidate to get the building assignment.
During the assessment of all bidders, the financial staff member advocated in favour of ‘Building Support’. The financial manager found this suspicious and decided that the financial staff member should not have been involved in this process, because of her family ties. He took her off this project. The financial staff member, who had properly revealed her association with the construction company, was offended because she felt her integrity was in doubt. In anger she quit her job. The construction company was offended too and withdrew from the tender.
The non-profit organisation was very upset and reviewed the process. They assessed that the financial manager should not have made this decision all alone. The organisation also assessed that they had no clear policies forbidding staff members to work on projects in which they may have a personal interest. They concluded that had they performed a risk assessment, they would have detected these flaws in the organisation and would have been able to take corrective measures.
Risk Assessment Standards
The FPMF requires that each organization identify the risks to the achievement of their objectives. Current actions and policies used to manage the risks should also be identified and any further action plans should be determined.
On an annual basis the management actions identified in the previous year’s risk assessment exercise should be reviewed to assess the effectiveness of actions taken in response to the identified risks.
7.1 WHAT IS RISK ASSESSMENT?
A risk is anything that may have a negative impact on achieving your organisation´s mission, goals, objectives and strategies if it becomes reality.
It may have an impact on different levels:
• the organization
• programs
• projects
• processes
• products
• services
• stakeholders
Risk assessment is a process, mostly carried out by management, to identify the risks an organisation faces and to assess how likely each risk is to occur and how severe its impact on the organisation would be if it did occur.
Trade unions face risks that can have their origin in the external environment or inside the organization. See Figure 7.1.
Figure 7.1: Sources of risks (macro environment, micro environment, the organisation itself)
MODULE 7: Risk Assessment
7.2 THE IMPORTANCE OF RISK MANAGEMENT
Risk Management is a systematic process that aims to help organizations of any type to deal with emerging and changing risks.
It involves identifying risks, evaluating them, deciding how to respond and then taking the necessary actions. The focus of Risk Management could be:
• The organization: Organizational risk management
• A project: Project risk management
• Security: Security risk management
• Finances: Financial risk management
Financial versus security risks
Many trade unions face security risks for their staff, employees and members. Perhaps security risks are the most important risks trade unions face.
This Financial Toolkit focuses primarily on financial issues. Therefore this module focuses on financial risks a trade union faces. It doesn’t address security risks.
The PME manual (Project Monitoring and Evaluation) of CNVI explains in detail how other risk areas can be assessed.
KEY MESSAGE: THE TOOLKIT WILL ONLY ADDRESS FINANCIAL RISKS, NOT SECURITY RISKS. HOWEVER, THE METHOD FOR RISK ASSESSMENT PRESENTED IN THE TOOLKIT MAY BE USEFUL FOR ASSESSING SECURITY RISKS AS WELL.
The benefits of Risk Management
Managing risk will increase the probability that an organization will survive for a long time and be able to work towards its vision.
This is because risk management:
• Increases the probability that the organization will be compliant with laws, regulations and contracts.
• Improves the management of projects by anticipating expected risks
• Makes organizational processes more efficient due to fewer disruptions
• Improves planning and decision-making due to a better understanding of the future
• Increases the confidence of donors that funding goals and objectives will be met
Financial Risk management in the Framework
The FPMF sets standards for financial risk management. CNVI encourages partner organisations to assess financial risks regularly, at least once a year.
Financial risk assessment has important benefits. By assessing financial risks of projects and activities that federations and confederations manage, all stakeholders will gain:
• More successful projects as risks to failure will be identified and managed,
• Enhanced accountability of partner organisations by improved internal control processes,
• Increased confidence that funding goals and objectives will be met.
KEY MESSAGE: RISK ASSESSMENT MAY WORK AS INPUT FOR THE WORK PLAN
Organizations that have assessed financial risks will develop actions to reduce these risks. CNVI encourages these organizations to include these actions in the annual work plan. By doing that, CNVI can support their partner organizations to strengthen their capacities.
Figure 7.2: From Risk Assessment to Action Plan to Annual Work plan (Risk Assessment → Action Plan → Annual Work plan)
7.3 HOW TO DO IT?
A risk management process is made up of a number of stages, which normally follow more or less this order:
Stage 1: Identify and describe risk areas and individual risks
Stage 2: Estimate the likelihood and impact of risks
Stage 3: Rank risks according to their significance
Stage 4: Decide about appropriate responses to risks and implement risk focused actions
Stage 5: Monitor and evaluate risks and proposed actions annually
As figure 7.3 indicates, risk assessment is an on-going process. Based on proposed actions and reviewed controls, the assessed risks will change. However, since organisations operate in a changing environment, risks will also change. Therefore assessing risks can never be a one-off event.
Figure 7.3: The Risk management Process (figure labels: identify risk, assess risk, control risk, review controls)
STAGE 1: IDENTIFY AND DESCRIBE RISK AREAS AND INDIVIDUAL RISKS
Who performs the assessment?
When assessing financial risks, senior management and board must form a representative group of staff members who have a good insight into the financial risks of the organisation. For example:
• Financial staff like a financial manager and bookkeeper
• Financial board member like the treasurer
• Project management like managers and project coordinators
• Executive management like executive managers
One member must be appointed as chair. The chairperson is responsible for facilitating the risk management process. The chairperson must ensure that the input and assessments of the members are noted and reported. The output of the risk assessment, including actions to reduce the risks, should be reported in writing and shared with CNVI. By doing that, CNVI will be able to understand why certain actions are implemented in the annual work plan.
Identify Financial Risk Areas
Financial risks can occur through different factors:
• internal factors (e.g. lack of internal control processes or lack of knowledge of finance officers)
• external factors (e.g. loss of paying members due to rising unemployment)
• operations (e.g. lack of proper project management results in not achieving objectives and leads to a critical response from the donor of the project)
• law and regulation compliance risk (e.g. non-compliance with national tax laws causes huge penalties for the organisation and leads to loss of financial reserves)
As different risks derive from these areas, the group first must determine which risk area they want to review.
Describe individual risks
For each risk area the group mentions the risks. For a good understanding of the risk, the group should make an effort to describe the risk as clearly as possible.
For instance: a risk may be lack of internal control processes. But this is still a very broad and vague term and does not explain exactly what the risk is. Descriptions should be more specific. For example: “because no one controls the work of the bookkeeper; any mistakes in recording and payments will not be discovered; the organisation risks losing money”.
This example specifies the risk and everybody immediately understands what the risk is about. A more precise description of the risk will probably lead to a more specific solution as well.
Tips:
Identifying risks from scratch can be difficult and can lead to unsatisfying results. For inspiration and indications of possible financial risks your organisation should seek available information.
• Annex 7.1 presents a table of possible risks. This annex should not be used as a checklist, but rather to illustrate the type of risks that may be faced.
• Other input on financial risks may derive from negative incidents that happened in other but similar organisations. The main question should be: can this happen in our organisation as well?
• Observations from other persons like an auditor (as mentioned in a management letter) or observations from donor organisations when reviewing your reports on the operations of your organisation
STAGE 2: ESTIMATE THE LIKELIHOOD AND IMPACT OF RISKS
Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required.
The method is to assess each identified risk and determine:
• How likely is it to occur?
• How severe would the impact for the organisation be if it did occur?
Determining the likelihood
The likelihood of a risk expresses the chance that the risk will actually occur. This may vary from not very likely to highly probable. Figure 7.4 presents a likelihood score method: the risk assessment group should estimate how likely each identified risk is to occur in their organisation. Based on that review, each risk is given a likelihood score from 1 to 5.
Figure 7.4: Likelihood Score Method
Descriptor | Score | Example
Remote | 1 | May only occur in exceptional circumstances
Unlikely | 2 | Expected to occur in a few circumstances
Possible | 3 | Expected to occur in some circumstances
Probable | 4 | Expected to occur in many circumstances
Highly probable | 5 | Expected to occur frequently and in most circumstances
Determining impact
As not every risk will have the same impact for an organisation, the potential impact of each risk needs to be determined as well. To assess the impact of each risk (if it did occur) figure 7.5 can help.
Figure 7.5: Impact Score Method
Descriptor | Score | Impact on reputation and loss of money
Unimportant | 1 | No impact on reputation or service; complaints unlikely; loss of money very small
Small | 2 | Slight impact on reputation or service; complaints possible; loss of money small
Noticeable | 3 | Some service and reputation disruption; potential for adverse publicity, avoidable with careful handling; loss of money noticeable
Critical | 4 | Service and reputation disrupted; adverse publicity not avoidable (local media); loss of money critical
Existence-threatening | 5 | Service interrupted for significant time; major adverse publicity not avoidable (national media); resignation of senior management and board; loss of confidence of donors and beneficiaries; loss of money catastrophic, leading to bankruptcy
STAGE 3: RANK RISKS ACCORDING TO THEIR SIGNIFICANCE
Having scored both the likelihood and the impact of each identified risk, you can rank each risk according to its significance. A formula gives each risk a score, so that all risks can be prioritised.
• The formula is: (score impact * score likelihood) + score impact = risk score
• Mathematically: xy + y, where x is likelihood and y is impact
Figure 7.6 is a Risk heat map. In the risk heat map below, likelihood is x and impact is y. The colour codes are:
• Red: Unacceptable risk, measures to minimize risk urgently needed; score 18 or more
• Orange: High risk, measures to minimize risk necessary; score between 13 and 17
• Yellow: Average risk, test measures to minimize risk; score between 10 and 12
• Green: Minor or insignificant risks; score 9 or less
Figure 7.6: Risk Heat map
Impact (rows) / Likelihood (columns) | 1 Remote | 2 Unlikely | 3 Possible | 4 Probable | 5 Highly probable
Existence-threatening (5) | 10 | 15 | 20 | 25 | 30
Critical (4) | 8 | 12 | 16 | 20 | 24
Noticeable (3) | 6 | 9 | 12 | 15 | 18
Small (2) | 4 | 6 | 8 | 10 | 12
Unimportant (1) | 2 | 3 | 4 | 5 | 6
The Risk group should make a calculation of each assessed risk. Based on the score, the most serious risks can be determined.
The Chair may introduce various work forms in which this risk calculation can take place. For example, individual members can first make their own calculations, after which these outcomes are discussed in the whole group. Of course, other work forms are possible as well.
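The Stage 3 calculation as an added example, not part of the toolkit: it applies the formula and the colour bands to a small risk register and regenerates the Figure 7.6 grid. The register entries and their scores are constructed for illustration, and breaking ties by impact is an assumption of this example.

```python
# Added example, not part of the toolkit. Implements the Stage 3 formula
# (score = likelihood * impact + impact) and the Figure 7.6 colour bands.

def risk_score(likelihood, impact):
    """Return xy + y, where x is likelihood and y is impact (both 1-5)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if type(value) is not int or not 1 <= value <= 5:
            raise ValueError(f"{name} must be a whole number from 1 to 5, got {value!r}")
    return likelihood * impact + impact


def band(score):
    """Map a risk score to the colour code listed with Figure 7.6."""
    if score >= 18:
        return "Red"      # unacceptable, measures urgently needed
    if score >= 13:
        return "Orange"   # high risk, measures necessary
    if score >= 10:
        return "Yellow"   # average risk
    return "Green"        # minor or insignificant


def heat_map():
    """Rebuild the Figure 7.6 grid: rows impact 5..1, columns likelihood 1..5."""
    return [[risk_score(x, y) for x in range(1, 6)] for y in range(5, 0, -1)]


def rank(register):
    """Score every risk and sort most significant first.

    Ties on score are broken by impact (an assumption of this example;
    the toolkit does not say how to order equal scores).
    """
    scored = []
    for risk in register:
        score = risk_score(risk["likelihood"], risk["impact"])
        scored.append({**risk, "score": score, "band": band(score)})
    return sorted(scored, key=lambda r: (r["score"], r["impact"]), reverse=True)


# Constructed register: descriptions borrow from the module's examples,
# the likelihood and impact scores are invented for illustration.
REGISTER = [
    {"risk": "No one checks the bookkeeper's work", "likelihood": 4, "impact": 4},
    {"risk": "Dependency on one income source", "likelihood": 3, "impact": 5},
    {"risk": "Currency exchange losses", "likelihood": 4, "impact": 2},
    {"risk": "Petty cash float held on site overnight", "likelihood": 2, "impact": 1},
    {"risk": "Loss of key staff", "likelihood": 3, "impact": 3},
    {"risk": "Non-compliance with national tax laws", "likelihood": 2, "impact": 5},
]

if __name__ == "__main__":
    for row in heat_map():
        print(" ".join(f"{cell:>2}" for cell in row))
    for r in rank(REGISTER):
        print(f"{r['score']:>2} {r['band']:<6} {r['risk']}")
    # Impact weighs more than likelihood: a remote but existence-threatening
    # risk outscores a highly probable but unimportant one.
    print(risk_score(1, 5), risk_score(5, 1))
```

Because impact enters the formula twice, the grid is not symmetric: the same pair of scores ranks higher when the larger number is the impact.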
STAGE 4: DECIDE ABOUT APPROPRIATE RESPONSES TO RISKS AND IMPLEMENT RISK FOCUSED ACTIONS
For each of the major risks identified, senior management will need to consider any appropriate action that needs to be taken to manage the risk. Management can strive to lessen the likelihood of the event occurring, or to lessen its impact if it does.
The review should also include assessing how effective existing controls are.
The following actions are examples of possible actions (indicative):
• The risk may need to be avoided by ending that activity (e.g. stopping an entire project)
• The risk could be shared with others (e.g. collaboration with other trade unions)
• The exposure to the risk can be limited (e.g. establishment of reserves against loss of income)
• The risk can be reduced or eliminated by establishing or improving control procedures (e.g. internal financial controls, controls on recruitment, personnel policies)
• The risk may need to be insured against (this often happens for residual risk, e.g. employers liability, theft, fire)
• The risk may be accepted as unlikely to occur and/or low impact and therefore will just be reviewed annually (e.g. a low stock of publications may be held with the risk of temporarily running out of stock or a petty cash float of USD 25 held on site overnight)
Senior management will develop and implement appropriate actions. Preferably the actions will be attached to the annual risk assessment, so that it will be easier to assess the effectiveness of those actions after some time.
STAGE 5: MONITOR AND EVALUATE RISKS AND PROPOSED ACTIONS ANNUALLY
Risk management is a dynamic process that ensures new risks are addressed as they arise. Organizations should perform a risk assessment annually. In doing this, they should also focus on how previously identified risks may have changed.
A successful process will involve ensuring that:
• New risks are properly reported and evaluated
• Any significant failures of control systems are properly reported and actioned
• There is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems
• Any further actions required are identified
Last tip: federations can choose to perform a financial risk assessment during the annual meeting that is organized by the confederation. It is even possible to perform a risk assessment with colleagues working at other federations, as they face similar situations and similar risks.
By doing that, they can learn from each other, which will greatly stimulate the process of risk management.
Annex 7.1: Examples of potential risk areas, their impact and mitigation
This list is intended to be an indication of some of the main financial areas of risk that may be considered by trade unions. Illustrative examples of potential impact are given as well.
The risks are classified as follows:
• Governance
• Operational
• Financial
• Environmental or external
• Compliance (law or regulation)
Governance risks
Potential risk: Board members are benefiting from the organization (e.g. remuneration)
Potential impact:
• Poor reputation, morale and ethos
• Adverse impact on overall control environment
• Conflicts of interest
• Possibility of regulatory action
Potential risk: The organizational structure is not effective
Potential impact:
• Lack of information flow and poor decision making procedures
• Remoteness from operational activities
• Uncertainty as to roles and duties
• Decisions made at inappropriate level or excessive bureaucracy
Potential risk: Loss of key staff
Potential impact:
• Experience or skills lost
• Operational impact on key projects and priorities
• Loss of contact base and institutional knowledge
Operational risks
Potential risk: Assets are not secured
Potential impact:
• Loss or damage
• Theft of assets
• Infringements of intellectual rights
Potential risk: The organization depends too heavily on volunteers
Potential impact:
• Lack of competences, training and support
• Poor services for members
• High turnover of volunteers causes loss of knowledge and experience
Potential risk: High staff turnover
Potential impact:
• Loss of experience or key technical skills
• Recruitment costs and lead time
• Training costs
• Operational impact on staff morale and service delivery
Financial risks
Potential risk: Insufficient budget control and financial reporting
Potential impact:
• Budget does not match key objectives and priorities
• Decisions made on inaccurate financial projections or reporting
• Decisions made based on unreliable costing data or income projections
• Poor credit control
• Poor cash flow and treasury management
Potential risk: Cash flow sensitivities
Potential impact:
• Inability to meet commitments
• Lack of liquidity to cover variance in costs
• Impact on operational activities
Potential risk: Dependency on income sources
Potential impact:
• Cash flow and budget impact due to loss of income from one source
Potential risk: Foreign currency
Potential impact:
• Currency exchange losses
• Uncertainty over project costs
• Cash flow impact on operational activities
Potential risk: Non-compliance issues with donor imposed restrictions
Potential impact:
• Repayment of grant
• Future relationship with donor and other beneficiaries
• Regulatory actions
Potential risk: Fraud or error
Potential impact:
• Financial losses
• Reputational risks
• Loss of staff morale
• Regulatory actions
• Impact on funding
Environmental or external factors
Potential risk: Negative public perception
Potential impact:
• Loss of members
• Loss of contributions of members
• Impact on use of services by members
• Ability to access grants or contract funding
Potential risk: Restrictive government policies
Potential impact:
• Impact of general legislation or regulation on activities undertaken
• Impact on availability receiving grant from foreign institutions
• Loss of income due to restrictive tax laws
Potential risk: Relationship with funders
Potential impact:
• Deterioration in relationship may impact on funding and availability of support
Compliance risk (law and regulation)
Potential risk: Non-compliance with legislation and regulations to the activities, size and structure of the organization
Potential impact:
• Reputational risks
• Penalties and fines
• Judicial procedures, going to court