Risk Management - Board & Management Responsibilities
Murray Short, MBA, CPA CA
Not-for-Profit Partner, RLB LLP
AGENDA
- About RLB / About Our Not-for-Profit Team
- Defining Risk
- Types of Organizational Risk
- Risk Management Process
- Board vs. Management Roles in Addressing Risk
- Risk Management Tools
- How to Address New Age Risks
ABOUT RLB
- Our offices in Guelph, Kitchener and Fergus have a combined staff of more than 110 team members, including 10 partners and 60 accounting professionals.
- Passion for client success is a hallmark of our firm: we go above and beyond for our clients.
ABOUT OUR NOT-FOR-PROFIT TEAM
- Dedicated team of professionals who work exclusively with not-for-profit and charitable clients
- This means that we understand the issues you face and can support your needs year-round
- Truly experts in the not-for-profit sector: we can provide a wide range of training and consulting services above and beyond the year-end audit
- Actively involved as volunteers in Kitchener-Waterloo, Guelph-Wellington and Dufferin County
DEFINING RISK
- The possibility of a particular event impacting a specific strategy
  o CICA (2006)
- The effect of uncertainty on an entity's objectives
  o ISO 31000 (draft)
- A chance or possibility of danger, loss, injury or other adverse consequences
  o Oxford Canadian Dictionary
TYPES OF ORGANIZATIONAL RISK
- Economic
- Geopolitical
- Environmental
- Social
- Technological
- Strategic
- Business/Operational
- Resource
- Compliance
- Reputational
- Financial
RISK MANAGEMENT PROCESS
- Set organizational/strategic objectives
- Identify risks: consider all types
- Assess risks
  o Likelihood
  o Detection
  o Severity
- Determine appropriate course of action:
  o Avoid risk
  o Eliminate risk
  o Mitigate/reduce risk
  o Share/insure risk
  o Accept risk
- Monitor and report
- Consider opportunities for the organization
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Generally speaking:
- Planning: Board and management
- Risk Management: Management
- Oversight: Board
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Planning:
- Adopt an annual Strategic Planning Process that identifies business opportunities and risks
- Use strategic objectives as a framework to identify key risks
  o Consider all risk types (economic, technological, reputational, ...)
- Identify principal risks and ensure there are appropriate systems to manage these risks
- Risks are interconnected: take a holistic approach
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Planning (continued):
- Board to provide input on risk appetite and tolerance
  o Draw on the significant and varied expertise of Board members
- Some risks may be delegated to management; others may be addressed by the Board
- Framework and process / disciplined team approach with management
- Risks that can have massive impact can evolve slowly and are not always easy to detect
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Risk Management:
- Identify appropriate and effective resources to address key risks / hold these resources accountable
- Primary action plans required to avoid/eliminate/mitigate/share/accept risk
- Create a framework to measure and monitor
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Risk Management (continued):
- Create and assess Plan B / secondary actions
- Emerging risk analysis / assign accountability
- Risk management must integrate with business strategy and operations
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Oversight:
- Risk management system should be brought to the Board on a regular basis (quarterly, perhaps on a rotating basis)
- Board should evaluate/challenge all major assumptions tied to major strategies / have the conversation, then have it again
- Focus on the full organization for a view of risk
- Even when reviewing an existing risk management plan, always consider any new risks the organization may face
  o Your plan is only as good as the risks you've included in it
BOARD vs. MANAGEMENT ROLES IN ADDRESSING RISK
Oversight (continued):
- Avoid:
  o Overconfidence
  o Checklists
  o "Nothing has changed" conversations
  o Annual tune-up
RISK MANAGEMENT TOOLS
- Simple Risk Matrix
- Heat Map
- Enterprise Risk Management
- Insurance Company Matrix
- Other???
RISK MANAGEMENT TOOLS: SIMPLE RISK MATRIX
RISK MANAGEMENT TOOLS: HEAT MAP #1
Risk Assessment Template

Risk rating legend:
- E - Extreme risk: detailed action plan required
- H - High risk: needs senior management attention
- M - Medium risk: specify management responsibility
- L - Low risk: manage by routine procedures
High or Extreme risks must be reported to Senior Management and require detailed treatment plans to reduce the risk to Low or Medium.

Consequence scale (rated 1 to 5 across four impact areas):

1 Insignificant
  People: Injuries or ailments not requiring medical treatment.
  Reputation: Internal review.
  Business Process & Systems: Minor errors in systems or processes requiring corrective action, or minor delay without impact on overall schedule.
  Financial: 1% of Budget or <$5K

2 Minor
  People: Minor injury or First Aid Treatment Case.
  Reputation: Scrutiny required by internal committees or internal audit to prevent escalation.
  Business Process & Systems: Policy/procedural rule occasionally not met or services do not fully meet needs.
  Financial: 2.5% of Budget or <$50K

3 Moderate
  People: Serious injury causing hospitalisation or multiple medical treatment cases.
  Reputation: Scrutiny required by external committees or ACT Auditor General's Office, or inquest, etc.
  Business Process & Systems: One or more key accountability requirements not met. Inconvenient but not client welfare threatening.
  Financial: >5% of Budget or <$500K

4 Major
  People: Life threatening injury or multiple serious injuries causing hospitalisation.
  Reputation: Intense public, political and media scrutiny. E.g. front page headlines, TV, etc.
  Business Process & Systems: Strategies not consistent with Government's agenda. Trends show service is degraded.
  Financial: >10% of Budget or <$5M

5 Catastrophic
  People: Death or multiple life threatening injuries.
  Reputation: Assembly inquiry or Commission of inquiry or adverse national media.
  Business Process & Systems: Critical system failure, bad policy advice or ongoing non-compliance. Business severely affected.
  Financial: >25% of Budget or >$5M

Likelihood scale (probability, historical frequency):
  5 Almost Certain: >1 in 10; is expected to occur in most circumstances
  4 Likely: 1 in 10-100; will probably occur
  3 Possible: 1 in 100-1,000; might occur at some time in the future
  2 Unlikely: 1 in 1,000-10,000; could occur but doubtful
  1 Rare: 1 in 10,000-100,000; may occur but only in exceptional circumstances

Risk matrix (Likelihood down the side, Consequence across the top):

  Likelihood          Consequence: 1    2    3    4    5
  5 Almost Certain                 M    H    H    E    E
  4 Likely                         M    M    H    H    E
  3 Possible                       L    M    M    H    E
  2 Unlikely                       L    M    M    H    H
  1 Rare                           L    L    M    M    H
RISK MANAGEMENT TOOLS: HEAT MAP #1 (continued)

Risk register template columns:
- Risk Reference
- The Risk: What can happen?
- Source: How can this happen?
- Impact: From event happening
- Current Control Strategies: and their effectiveness
- Likelihood (1-5)
- Consequence (1-5)
- Current Risk Level
- Responsibility

Sample register entries (ratings and accountability only):

  Ref  Likelihood  Consequence  Current Level  Responsibility
  F1   1           2            Low            Governance: Board / Executive Director / Director of Finance
  F2   2           3            Medium         Governance: Board / Executive Director / Director of Finance
  HR1  3           5            High           Management: Director of Human Resources
  HR2  1           1            Low            Management: Executive Director / Director of Human Resources
  HR3  5           5            Extreme        Governance: Board / Executive Director
RISK MANAGEMENT TOOLS: HEAT MAP #2
- Risks prioritized based on three criteria using a 10 point scale:
  o Likelihood of occurrence (1 being low / 10 being high)
  o Likelihood of detection (1 being high / 10 being low)
  o Severity of outcome (1 being low / 10 being high)
- Each risk is rated on the above, with the results multiplied; thus the minimum priority rating is 1 and the maximum is 1000
  o Critical priority: 501 to 1000 - RED
  o High priority: 251 to 500 - ORANGE
  o Medium priority: 101 to 250 - YELLOW
  o Low priority: 1 to 100 - GREEN
RISK MANAGEMENT TOOLS: HEAT MAP #2 (continued)

OPERATIONAL RISKS
- Quality of Programs
  o Program #1
  o Program #2
  o Program #3
- Corporate Governance
  o Board oversight
  o Financial expertise
  o Legal expertise
- Reputation
  o Municipal support
  o Support from community
  o Media relations

RESOURCE RISKS
- HR & Staff Relations
  o Succession - Sr. Mgmt.
  o Staff recruitment
  o Staff retention
- IT
  o Software security
  o System backups
  o Hardware maintenance
- Physical Assets
  o Building security
  o Fire protection
  o Documented inventory confirmations

COMPLIANCE RISKS
- Policies & Processes
  o Cash controls
  o Purchasing controls
  o Payroll controls
- Legal & Regulatory
  o Occup. Health & Safety
  o PIPEDA / CASL
  o AODA
- Funding Agreements
  o Relationship with funders
  o Compliance with agreements
  o Meeting program objectives
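The Heat Map #2 scoring described above (three 1-10 ratings multiplied, then banded into Critical/High/Medium/Low) is small enough to put in a spreadsheet, but writing it out makes the edge cases explicit: the detection scale runs the opposite way to the other two, a rating outside 1-10 silently corrupts the product, and 100/101, 250/251 and 500/501 are the exact band boundaries. The following Python is an added example and is not part of the RLB deck or any RLB tool; the `Risk` class, the function names and the sample register entries are constructed for illustration, with category and item names borrowed from the register headings listed above.

```python
"""Priority scoring for a not-for-profit risk register using the Heat Map #2 method.

Added example: not the presenter's tool. Ratings are 1..10 each; the priority
score is their product (1..1000) and is banded into Critical/High/Medium/Low.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    category: str    # e.g. "Resource / IT", a heading from the register
    name: str        # e.g. "Software security", an item under that heading
    likelihood: int  # likelihood of occurrence: 1 = low ... 10 = high
    detection: int   # likelihood of detection: 1 = high (easy to spot) ... 10 = low (hard to spot)
    severity: int    # severity of outcome: 1 = low ... 10 = high


# Priority bands from the deck: (inclusive lower bound, inclusive upper bound, label, colour)
BANDS = [
    (501, 1000, "Critical", "RED"),
    (251, 500, "High", "ORANGE"),
    (101, 250, "Medium", "YELLOW"),
    (1, 100, "Low", "GREEN"),
]


def _check_scale(value: int, field: str) -> int:
    """Reject anything that is not an integer 1..10; bool is excluded on purpose."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{field} must be an integer from 1 to 10, got {value!r}")
    return value


def priority_score(risk: Risk) -> int:
    """Multiply the three ratings. Because detection is inverted (10 = hard to
    detect), a risk that is hard to notice pushes the score up, as intended."""
    return (
        _check_scale(risk.likelihood, "likelihood")
        * _check_scale(risk.detection, "detection")
        * _check_scale(risk.severity, "severity")
    )


def priority_band(score: int) -> tuple[str, str]:
    """Map a 1..1000 score to its (label, colour) band."""
    for low, high, label, colour in BANDS:
        if low <= score <= high:
            return label, colour
    raise ValueError(f"score {score} is outside the 1..1000 range")


def rank_register(risks: list[Risk]) -> list[tuple[Risk, int, str, str]]:
    """Score every risk and sort highest priority first.
    Ties are broken by severity (higher first), then by name for a stable report."""
    rows = []
    for risk in risks:
        score = priority_score(risk)
        label, colour = priority_band(score)
        rows.append((risk, score, label, colour))
    rows.sort(key=lambda row: (-row[1], -row[0].severity, row[0].name))
    return rows


def format_report(rows: list[tuple[Risk, int, str, str]]) -> str:
    """Render the ranked register as plain text, one line per risk."""
    lines = [f"{'Score':>5}  {'Priority':<8}  {'Colour':<6}  Risk"]
    for risk, score, label, colour in rows:
        lines.append(f"{score:>5}  {label:<8}  {colour:<6}  {risk.category}: {risk.name}")
    return "\n".join(lines)


# Constructed sample register (ratings are illustrative, not from the deck).
SAMPLE_REGISTER = [
    Risk("Resource / IT", "Software security", likelihood=6, detection=8, severity=9),
    Risk("Resource / IT", "System backups", likelihood=4, detection=7, severity=10),
    Risk("Compliance / Legal & Regulatory", "PIPEDA / CASL", likelihood=5, detection=6, severity=7),
    Risk("Compliance / Policies & Processes", "Cash controls", likelihood=3, detection=4, severity=6),
    Risk("Resource / HR & Staff Relations", "Succession - Sr. Mgmt.", likelihood=8, detection=9, severity=8),
]


if __name__ == "__main__":
    print(format_report(rank_register(SAMPLE_REGISTER)))
```

With the constructed ratings above, succession planning (8 x 9 x 8 = 576) lands in the Critical band even though no single rating is a 10, while cash controls (3 x 4 x 6 = 72) stays Low; the product rewards risks that are weak on all three axes at once, which is the point of multiplying rather than adding. The band boundaries are stored as inclusive ranges so that a score of exactly 100, 250 or 500 is classified the way the deck's table states.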
RISK MANAGEMENT TOOLS: ENTERPRISE RISK MANAGEMENT
A comprehensive framework for identifying, assessing, responding to and monitoring risks and opportunities inherent in the internal and external environments within which the organization operates.
This is the COSO* ERM framework.
*Committee of Sponsoring Organizations of the Treadway Commission
HOW TO ADDRESS NEW AGE RISKS
Examples:
  o Social media use by employees: blurred line between work and personal use
  o Maintaining employee engagement amidst generational differences
  o Strengthening donor relationships in an increasingly competitive fundraising market under more rigorous privacy legislation
- Admit that you don't know what you don't know, but don't bury your head in the sand.
- Be proactive: addressing these risks early could create a significant opportunity for your organization
HOW TO ADDRESS NEW AGE RISKS (continued)
- Use the skills and experience of all members of an organization for input to the process
  o Input need not be limited to Board and management
- Aim for diversity amongst your Board, committees, management and staff
  o Varied knowledge and expertise
  o Different generations
- Recruit what you don't have
THANK YOU
ANY QUESTIONS?
PANEL DISCUSSION
IT'S TIME TO ASK YOUR QUESTIONS!