This article was first published on RSM, April 2016. Re-published with permission from RSM.
In an increasingly vulnerable economic and social landscape, NPOs are now playing an even greater role in plugging social gaps, addressing social ills and meeting the needs of the under-served customer segments. Because of the trust that is placed on NPOs, their Boards are expected to govern effectively and maintain credibility.
But why is risk governance and management important to NPOs?
Part of exercising good governance is for the Board to establish an effective risk governance and management framework. Like other publicly listed commercial companies, NPOs contend with their own peculiar risks associated with strategies, reputation, governance, volunteers, staff, programmes and events, services offered, donations and funding, data protection, technology and financial management. These risks should be periodically identified, assessed, monitored and mitigated if the NPOs are to attain their strategic and operational objectives.
Arguably, NPOs are held to higher ethical standards. NPOs must therefore effectively address reputational risks given that a NPO must win the trust and respect from donors, government and society for funding sustainability. Given the recent highly publicized incidents of fund misuse in this sector, one can expect an increasing level of scrutiny from authorities on the effectiveness of risk governance and management by NPO boards.
Donors and sponsors expect transparency and accountability for all programmes financed by them. NPOs should therefore implement controls to mitigate fraud risk and conduct grant programmes in accordance with grant conditions.
NPOs are set up to serve the community, with many dealing directly with their beneficiaries. Should there be any mishap, the NPO would face much scrutiny from the public and the reputational risk that comes along with it. Hence, it is of great importance that NPOs put in place risk management processes to identify and mitigate operational risks related to programme events, volunteers and staffing which impact the welfare of beneficiaries.
NPOs must protect the confidentiality of information provided by donors and mitigate leakage risks. NPOs should also monitor social media and develop communication response mechanisms to counter its unauthorised use to deceive the public into forwarding unauthorised fund-collection appeals or to sabotage the reputation of the NPO.
How should the Board be involved in risk management?
The Board sets the tone by overseeing the establishment of a healthy risk culture and leads by example. Senior leadership must articulate and shape the organisation’s risk culture and values, demand the highest level of commitment when addressing critical risks, propagate the benefits of risk management and be willing to make difficult decisions.
The Board must know when to take charge, when to partner and when to step back. In the case of risk governance and management, it would be appropriate for the Board to partner Management in the establishment of an effective risk management framework. The Board should not be excessively involved in operations, as Management may perceive that its decision rights are being crossed. This does not instil any confidence in Management when it involves their own decision making. There is also a risk that certain issues may not be addressed at all, as both the Board and Management assume that they will be addressed by the other party.
The Board should oversee the building of a risk governance and management framework. This framework requires the establishment of:
- Risk strategies, risk appetites and tolerances;
- Code of Conduct and Ethics;
- Organisational structure and responsibilities;
- Risk functions and activities;
- Communication of risk programmes and activities to employees;
- Identification, assessment, prioritisation and mitigation of critical risks; and
- Formal and periodic reporting of risk management activities and attainment of risk performance indicators (RPIs) to the Board and relevant committees.
Adopt the three lines of defence
NPOs should consider deploying the three lines of defence critical to effective risk management:
- 1st line of defence: Implement adequate and effective preventive measures through establishment of policies and procedures
- 2nd line of defence: Establish adequate and effective detective controls through quality reporting and independent performance, risk and compliance monitoring. In the context of NPOs, due to lack of financial resources, the work of committees or sub-committees comprising members independent from paid staff and operations is therefore critical in ensuring the effectiveness of the 2nd line of defence.
- 3rd line of defence: Provide independent assurance to the Board and senior management (e.g. internal audit)
If used effectively, NPOs should reap the following benefits:
- Simplifying and providing consistent reporting for effective risk oversight
- Reducing gaps in risk coverage
- Integrating risk functions to maximise value and decrease cost
- Reducing control redundancies
How should management be involved in risk management?
A committed senior management executive (designated as Risk Champion) who is experienced and respected should be appointed to be accountable to the Board to drive the risk management process. The Risk Champion should lead the designated management team to be responsible for:
- Establishment of delegation of authority
- Effective allocation of resources to drive the risk governance and management process
- Execution and operation of the risk management framework
- Constant communication to the Board of the changing risk landscape, progress in meeting risk management objectives and any additional resources required
What now - Board?
NPO Boards need to take risk management seriously. It is insufficient for the board members to just attend meetings and provide comments on the types of programmes being run. Board members who have little or no commercial experience or are locked in 'groupthink' will not reap the benefits of an effective risk management framework. This is especially dangerous when the Board is dealing with an overpowering and charismatic CEO.
NPOs will have to find creative ways to recruit competent key management team members through competitive remuneration or effective emotional engagement with employees. While the intention is to economise, many of the critical functions (cash handling, programme management, procurement and facilities maintenance) may be inadequately resourced. This means that critical control checks may be compromised with a lack of creative ideas on how things need to be run. Needless to say, risk management is relatively starved of adequate resources and this needs addressing. NPOs should not use this as a reason for not seeking external professional assistance.
NPOs must overcome these two towering challenges if they want to sustain themselves and thrive in an increasingly inclusive society. Only then will society be motivated to effectively support NPOs in their endeavour to make the world a better place.
Marc Wong, Senior Manager, Risk Advisory Division
Dennis Lee, Director, Risk Advisory Division
Sovann Giang, Senior Director, Risk Advisory Division