RISK MANAGEMENT MODULE 7

Transcription

1 MODULE 7 RISK MANAGEMENT 7.1 What is risk assessment 7.2 The importance of risk management 7.3 How to do it? Annex: Examples of potential risk areas, their impact and mitigation

2 COLOPHON CNV Internationaal P.O. Box GL Utrecht The Netherlands T: E: I: Author: Funding Support, Michael Schwerzel Copyright CNV Internationaal, 2015 All rights reserved. Any part of this publication may be reproduced by trade union partner organisations of CNV Internationaal without specific permission, provided that the source is cited as follows: CNV Internationaal, 2015, Toolkit Financial Management for Trade Unions (P.O. Box 2475, 3500 GL Utrecht, The Netherlands). If non trade union partner organisations of CNV Internationaal wish to reproduce parts of this publication, written permission from CNV Internationaal is required.

3 MODULE 0 INTRODUCTION AND OVERVIEW / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ Purpose of the Financial Toolkit This Financial Toolkit aims to help recipients of CNV Internationaal (CNVI) funds to improve their financial management capacities. It aims to help organisations to comply with the financial standards that are set out in the contract between CNV Internationaal and partner organisations worldwide. Its specific objectives are: To improve budgeting, accounting and financial reporting of partner organisations. To improve the transparency and accountability of partner organisations. To increase knowledge on the financial standards of CNVI. To increase skills of financial staff, working at partner organisations, to comply with these financial standards. To provide for best practices, tools and templates and to be a practical guidance how to use these tools and templates. What the Toolkit is not The Toolkit: is not a set of rules in addition to the existing legal, contractual and regulatory framework and guides. is not an interpretation of the existing contractual regulations. is not a substitute for reading the contractual conditions and existing guides and instructions. Use of the Toolkit The Toolkit is developed for recipient of CNVI funds. Recipients of CNVI funds can either be Confederations (direct funding) or Federations (indirect funding). Recipients of CNVI funds can be: National Trade Union Confederations that have engaged into a contract with CNVI; Trade Union Federations being member of the National Trade Union Confederation and participating in the National Program that is mainly funded by CNVI. This Toolkit should be a guidance for organisations, and in particular for financial staff, to help them with specific tasks, like preparing a budget or a financial report. When working on a specific financial management area, organisations and financial staff can better prepare themselves by studying the corresponding module of the Toolkit first. By studying the corresponding module, organisations will better understand how to comply with the financial standards of CNVI and also be able to work with the provided templates. In principle the modules only need to be studied and used when organisations (or financial staff) are working on a specific financial management area. It s not intended as a book to read from beginning to end but as a work book: only study a module when it s relevant. 3

4 Structure and content of the Financial Toolkit The Financial Toolkit covers 8 financial management areas and is structured into 8 modules. The content of the Financial Toolkit is: Module 7 Risk management 7.1 What is risk assessment? P The importance of risk management P How to do it? P. 11 Annex: Examples of potential risk areas, their impact and mitigation 4

5 The toolkit and the financial templates can also be downloaded from the partner intranet at CNVI s website, at (see below partner login ) 5

6 6

7 MODULE 7 RISK ASSESSMENT / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ REAL LIFE STORY A financial manager, working for an non-profit organisation, providing food relieve and shelter for refugees, found out that one of the financial staff members working on a project for developing new shelters, belonged to a family that owns Building Support, a construction business in the region. This construction company had participated in a tender of the organisation and was a serious candidate to get the building assignment. During the assessment of all bidders, the financial staff member advocated in favour of Building Support. The financial manager found this suspicious and decided that the financial staff member should not have been involved in this process, because of her family ties. He took her off this project. The financial staff member, who had properly revealed her association with the construction company, was offended because she felt her integrity was in doubt. In anger she quitted her job. The construction company was offended too and withdraw themselves from the tender. The non-profit organisation was very upset and reviewed the process. They assessed that the financial manager should not have made this decision all alone. Also the organisation assessed that they had no clear policies forbidding staff members to work on projects to which they may have personal interests in. They concluded that had they performed a risk assessment, they would have detected these flaws in the organisation and would have been able to take corrective measures. 7

8 Risk Assessment Standards The FPMF requires that each organization identify the risks to the achievement of their objectives. Current actions and policies used to manage the risks should also be identified and any further action plans should be determined. On an annual basis the management actions identified in the previous year s risk assessment exercise should be reviewed to assess the effectiveness of actions taken in response to the identified risks. 7.1 WHAT IS RISK ASSESSMENT? A risk is anything that may have a negative impact on achieving your organisation s mission, goals, objectives and strategies if it becomes reality. It may have an impact on different levels: the organization programs projects processes products services stakeholders Risk assessment is referred as a process, mostly incurred by management, to identify the risks an organisation faces, to assess these risks how likely it is to occur and how severe its impact would be on the organisation if it did occur. Trade unions face risks that can have their origin in the external environment or inside the organization. See Figure 7.1 Figure 7.1: Sources of risks MICRO ENVIRONMENT THE ORGANISATION ITSELF MACRO ENVIRONMENT SOURCES OF RISKS 8

9 7.2 THE IMPORTANCE OF RISK MANAGEMENT Risk Management is a systematic process that aims to help organizations of any type to deal with emerging and changing risks. It involves identifying risks, evaluating them, deciding how to respond and then taking the necessary actions. The focus of Risk Management could be The organization: A project: Security: Finances: Organizational risk management Project risk management Security risk management Financial risk management Financial versus security risks Many trade unions face security risks for their staff, employees and members. Perhaps security risks are the most important risks trade unions face. This Financial Toolkit focuses primarily on financial issues. Therefore this module focuses on financial risks a trade union faces. It doesn t address security risks. The PME manual (Project Monitoring and Evaluation) of CNVI explains in detail how other risk areas can be assessed. KEY MESSAGE: THE TOOLKIT WILL ONLY ADDRESS FINANCIAL RISKS, NOT SECURITY RISKS. HOWEVER, THE METHOD FOR RISKS ASSESSMENT PRESENTED IN THE TOOLKIT MAY BE USEFUL FOR ASSESSING SECURITY RISKS AS WELL. The benefits of Risk Management Managing risk will increase the probability that an organization will survive for a long time and be able to work towards its vision. This is because risk management: Increases the probability that the organization will be compliant with laws, regulations and contracts. Improves the management of projects by anticipating on expected risks Makes organizational processes more efficient due to fewer disruptions Improves planning and decision-making due to a better understanding of the future Increased confidence of donors that funding goals and objectives will be met 9

10 MODULE 7: Risk Assessment Financial Risk management in the Framework The FPMF sets standards for financial risk management. CNVI encourages partner organisations to assess financial risks regularly, at least once a year. Financial risk assessment has important benefits. By assessing financial risks of projects and activities that federations and confederations manage, all stakeholders will gain: More successful projects as risks to failure will be identified and managed, Enhanced accountability of partner organisations by improved internal control processes, Increased confidence that funding goals and objectives will be met. KEY MESSAGE: RISK ASSESSMENT MAY WORK AS INPUT FOR THE WORK PLAN Organizations that have assessed financial risks will develop actions to reduce these risks. CNVI encourages these organizations to include these actions in the annual work plan. By doing that, CNVI can support their partner organizations to strengthen their capacities. Figure 7.2 From Risk Assessment to Action Plan to Annual Work plan Risk Assessment 10 Action Plan Annual Work plan

11 7.3 HOW TO DO IT? A risk management process is made up of a number of stages which will follow normally more or less this order: Stage 1: Stage 2: Stage 3: Stage 4: Stage 5: Identify and describe risk areas and individual risks Estimate the likelihood and impact of risks Rank risks according to their significance Decide about appropriate responses to risks and implement risk focused actions Monitor and evaluate risks and proposed actions annually As figure 7.3 indicates, risk assessment is an on-going process. Based on proposed actions and reviewed controls, the assessed risks will change. However, since organisations operate in a changing environment, risks will also change. Therefore assessing risks can never be a one-off event. Figure 7.3: The Risk management Process ASSESS RISK IDENTIFY RISK RISK MANAGEMENT PROCESS CONTROL RISK REVIEW CONTROLS STAGE 1: IDENTIFY AND DESCRIBE RISK AREAS AND INDIVIDUAL RISKS Who performs the assessment? When assessing financial risks, senior management and board must form a representative group of staff members who have a good insight in the financial risks of the organisation. For example: Financial staff like a financial manager and bookkeeper Financial board member like the treasurer Project management like managers and project coordinators Executive management like executive managers 11

12 One member must be appointed as chair. The chair person is responsible for facilitating the risk management process. The chair person must ensure that the input and assessments of the members are noted and reported. The output of the risk assessment, including actions to reduce the risks, should be reported in writing and shared with CNVI. By doing that, CNVI will be able to understand why certain actions are implemented in the annual work plan. Identify Financial Risk Areas Financial risks can occur through different factors: internal factors (e.g. lack of internal control processes or lack of knowledge of finance officers) external factors (e.g. loss of paying members due to rising unemployment). operations (e.g. lack of proper project management result in not achieving objectives and leads to critical response of the donor of the project) law and regulation compliance risk (e.g. non-compliance with national of tax laws causes huge penalties for the organisation and leads to loss of financial reserves) As different risks derive from these areas, the group first must determine which risk area they want to review. Describe individual risks For each risk area the group mentions the risks. For a good understanding of the risk, the group should make an effort to describe the risk as clearly as possible. For instance: a risk may be lack of internal control processes. But still this is a very broad and vague term and does not explain exactly what the risk is. Descriptions should be more specific. For example: because no one controls the work of the bookkeeper; any mistakes in recording and payments will not be discovered; the organisation risks loosing money. This example specifies the risk and everybody immediately understands what the risk is about. A more precise description of the risk will probably lead to a more specific solution as well. Tips: Identifying risks from scratch can be difficult and can lead to unsatisfying results. For inspiration and indications of possible financial risks your organisation should seek available information. Annex 7.1 presents a table of possible risks. This annex should not be used as a checklist, but rather to illustrate the type of risks that may be faced. Other input on financial risks may derive from negative incidents that happened in other but similar organisations. The main question should be: can this happen in our organisation as well? Observations from other persons like an auditor (as mentioned in a management letter) or observations from donor organisations when reviewing your reports on the operations of your organisation 12

13 STAGE 2: ESTIMATE THE LIKELIHOOD AND IMPACT OF RISKS Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required. The method to do this is assessing each identified risk and determines: How likely is it to occur? How severe would the impact for the organisation be if did occur? Determining the likelihood Likelihood of risks expresses the chances that a risk can actually occur. This may vary from not very likely to highly probable. Figure 7.4 presents a likelihood score method: the risk assessment should estimate how likely each identified risk may occur in their organisation. Based on that review, each risk is given a likely score from 1-5. Figure 7.4: Likelihood Score Method Descriptor Score Example Remote 1 May only occur in exceptional circumstances Unlikely 2 Expected to occur in a few circumstances Possible 3 Expected to occur in some circumstances Probable 4 Expected to occur in many circumstances Highly probable 5 Expected to occur frequently and in most circumstances 13

14 Determining impact As not every risk will have the same impact for an organisation, the potential impact of each risk needs to be determined as well. To assess the impact of each risk (if it did occur) figure 7.5 can help. Figure 7.5 Impact Score Method Descriptor Score Impact on reputation and loss of money Unimportant 1 Small 2 Noticeable 3 Critical 4 No impact on reputation or service Complaints unlikely Loss of money very small Slight impact on reputation or service Complaints possible Loss of money small Some service and reputation disruption Potential for adverse publicity avoidable with careful handling Loss of money noticeable Service and reputation disrupted Adverse publicity not avoidable (local media) Loss of money critical Existencethreatening 5 Service interrupted for significant time Major adverse publicity not avoidable (national media) Resignation of senior management and board Loss of confidence of donors and beneficiaries Loss of money catastrophical, leading to bankruptcy STAGE 3: RANK RISKS ACCORDING TO THEIR SIGNIFICANCE Knowing and having ranked both the likelihood and impact of each identified risk, will enable you to rank each risk in accordance of its significance. By using a formula you ll be able to rank each risk and prioritise all risks. The formula is: (score impact * score likelihood) + score impact = risk score Mathematical: xy +y where x is likelihood and y is impact Figure 7.6 is a Risk heat map. In the risk heat map below, likelihood is x and impact is y. The colour codes are: Red: Unacceptable risk, measures to minimize risk urgently needed, score 18 or more Orange: High risk, measures to minimize risk necessary, score between Yellow: Average risk, test measures to minimize risk; score between 10 and 12 Green: Minor or insignificant risks scoring 9 or less 14

15 Figure 7.6: Risk Heat map Existence threatening Critical Impact Noticeable Small Unimportant Remote 2 Unlikely Likelihood 3 Possible 4 Probable 5 Highly probable The Risk group should make a calculation of each assessed risk. Based on the score, the most serious risks can be determined. The Chair may introduce various work forms in which this risk calculation can take place. For example first individual members make their own calculations and after that these outcomes are discussed in the whole group. Of course, other work forms are possible as well. STAGE 4: DECIDE ABOUT APPROPRIATE RESPONSES TO RISKS AND IMPLEMENT RISK FOCUSED ACTIONS For each of the major risks identified, senior management will need to consider any appropriate action that needs to be taken to manage the risk. Management can strive to lessen the likelihood of the event occurring, or to lessen its impact if it does. The review should also include assessing how effective existing controls are. The following actions are examples of possible actions (indicative): The risk may need to be avoided by ending that activity (e.g. to stop with a entire project) The risk could be shared with others ( e.g. collaboration with other trade unions) The exposure to the risk can be limited (e.g. establishment of reserves against loss of income) The risk can be reduced or eliminated by establishing or improving control procedures ( e.g. internal financial controls, controls on recruitment, personnel policies) The risk may need to be insured against (this often happens for residual risk, e.g. employers liability, theft, fire) The risk may be accepted as unlikely to occur and/or low impact and therefore will just be reviewed annually (e.g. a low stock of publications may be held with the risk of temporarily running out of stock or a petty cash float of USD 25 held on site overnight) Senior management will develop and implement appropriate actions. Preferably the actions will be attached to the annually risk assessment, so it will be easier to assess the effectiveness of those actions taken after some time. 15

16 STAGE 5: MONITOR AND EVALUATE RISKS AND PROPOSED ACTIONS ANNUALLY Risk management is a dynamic process ensuring that new risks are addressed as they arise, organizations should perform a risk assessment annually. In doing this, it should also focus how previously identified risks may have changed. A successful process will involve ensuring that: New risks are properly reported and evaluated Any significant failures of control systems are properly reported and auctioned There is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems Any further actions required are identified Last tip: federations can choose to perform a financial risk assessment during the annual meeting that is organized by the confederation. It is even possible to perform a risk assessment with colleagues working at other federations, as they face similar situations and similar risks. By doing that, they can learn from each other and will have a great stimulus on the process of risk management. Annex 7.1: Examples of potential risk areas, their impact and mitigation This list is intended to be an indication of some of the main financial areas of risk that may be considered by trade unions. Illustrative examples of potential impact is given as well. The risks are classified as follows: Governance Operational Financial Environmental or external Compliance (law or regulation) 16

17 Governance risks Potential risk Board members are benefiting from the organization (e.g. remuneration) Potential impact Poor reputation, morale and ethos Adverse impact on overall control environment Conflicts of interest Possibility of regulatory action Lack of information flow and poor decision making procedures The organizational structure is not effective Remoteness from operational activities Uncertainty as to roles and duties Decisions made at inappropriate level or excessive bureaucracy Experience or skills lost Loss of key staff Operational impact on key projects and priorities Loss of contact base and institutional knowledge Operational risks Potential risk Potential impact Loss or damage Assets are not secured Theft of assets Infringements of intellectual rights Lack of competences, training and support The organization depends too heavily on volunteers Poor services for members High turnover of volunteers causes loss of knowledge and experience Loss of experience or key technical skills High staff turnover Recruitment costs and lead time Training costs Operational impact on staff morale and service delivery 17

18 Financial risks Potential risk Potential impact Budget does not match key objectives and priorities Insufficient budget control and financial reporting Decisions made on inaccurate financial projections or reporting Decisions made based on unreliable costing data or income projections Poor credit control Poor cash flow and treasury management Inability to meet commitments Cash flow sensitivities Lack of liquidity to cover variance in costs Impact on operational activities Dependency on income sources Cash flow and budget impact due to loss of income form one source Currency exchange losses Foreign currency Uncertainty over project costs Cash flow impact on operational activities Non-compliance issues with donor imposed restrictions Repayment of grant Future relationship with donor and other beneficiaries Regulatory actions Financial losses Reputational risks Fraud or error Loss of staff morale Regulatory actions Impact on funding 18

19 Environmental or external factors Potential risk Potential impact Loss of members Negative public perception Loss of contributions of members Impact on use of services by members Ability to access grants or contract funding Impact of general legislation or regulation on activities undertaken Restrictive government policies Impact on availability receiving grant from foreign institutions Loss of income due to restrictive tax laws Relationship with funders Deterioration in relationship may impact on funding and availability of support Compliance risk (law and regulation) Potential risk Non-compliance with legislation and regulations to the activities, size and structure of the organization Potential impact Reputational Risks Penalties and fines Judicial procedures, going to court 19

20