Risk management

Sponsored: How to get comfortable with risk

Mark O'Connor April 18, 2016

2 min read

Most NFPs will have high level policies and processes in place to manage risk. Some will have identified and documented the controls required to mitigate risk. But how many organisations can be fully confident that the effectiveness of those controls has been robustly assessed?

Sadly, there are many organisations out there who lack one of the most essential elements of good governance – a strong risk and compliance framework.

While senior management is usually involved in setting the organisation’s risk appetite and the subsequent risk identification and rating processes, this is often as far as their involvement goes.

For organisations with a mature approach to risk management, this isn’t necessarily an issue.

However, for others with less mature processes, the confidence placed in risk mitigating controls and safeguards may be seriously misplaced. This situation is fraught with danger as it exposes the organisation to potentially catastrophic consequences that could have been avoided with a more robust approach to risk.

The solution is to regularly monitor and review controls and safeguards.

Ideally, every organisation should implement a control assessment and testing plan to confirm that identified safeguards and controls are in place and that their effectiveness in being continually assessed. Particular attention should be focused on those controls that are relied on to reduce a high risk rated event to a much lower level.

Here are five simple steps for residual risk assessment.

Check that appropriate safeguards and controls have been identified for each risk.
Have key management and staff document and assess the effectiveness of the identified controls.
Determine which safeguards are responsible for the highest reduction in risk (i.e. reduce high inherent risks to low residual risk).
Test safeguards and controls to confirm their existence and effectiveness.
Establish a plan to address any deficiencies and either improve those controls or reassess for an alternate mitigation strategy

If you’re considering a full blown organisational risk project (and we strongly recommend you do so if one hasn’t been carried out recently), outcomes should include an assessment of:

Gaps between risks addressed in the current business plan and those documented in the register.
The appropriateness of controls identified to address causes and triggers for each risk.
The effectiveness of monitoring actions as documented and monitoring for action within the specified time periods.
The implementation of actions as reported in Business Risk Reports
The existence of organisation-wide assurance processes that are in place to assess the effectiveness of the documented controls.

If your organisation has not undertaken a risk assessment, there are plenty of resources that have been written specifically for the NFP sector. Standards Australia and New Zealand Standard AS/NZS ISO 31000:2009 Risk Management Principles is the source of the risk assessment approach referred to in this article. It’s also been applied in a handbook published as HB:266:2010 Guide for Managing Risk in Not-for-Profit Organisations.

Senior management engagement and well documented policies and procedures are the basis of a comprehensive risk management framework.

However, unless the key mitigation controls and safeguards are tested and confirmed as being reliable, the documented strategies may not do the job when it really matters.

So, how effective are your risk reduction strategies?

For a no-obligation discussion about your circumstances, contact Mark O’Connor on 1800 988 522 or cnmail@cutcher.com.au