Risk in any organisation is a big issue, albeit one that gets vastly differing levels of attention in New Zealand charities and Not-For-Profit entities (NFPs). From a fundraising perspective, risk is often viewed as just the potential for loss of funding streams; however, it is much more than that.
We also have new legislation taking effect in New Zealand. The majority of the first phase of regulations to support the new Health and Safety at Work Act 2015 have been finalised and will come into force on 4 April 2016, along with the Act. Accordingly, we thought it worthwhile to take a look at the topic of risk in a broad sense.
What is risk?
Risk, in traditional terms, is viewed as a negative. My trusty Oxford Dictionary defines risk as “the possibility of meeting danger or suffering harm or loss; exposure to this.” Another dictionary defined risk as “exposing to danger or hazard.”
However the Chinese symbol for “crisis” possibly offers a better description of risk. The first symbol is the symbol for “danger,” while the second is the symbol for “opportunity,” making risk a mix of danger and opportunity. By linking the two, the definition emphasises that you cannot have one (opportunity or upside potential) without the other (downside dangers).
Many people become interested in risk management during, or just after, a crisis, and sadly pay it little heed in good times. Yet, with reference to the Chinese definition of risk/crisis, good risk-taking organisations should not only approach risk with equanimity, but also manage risk actively in good times and in bad times. Thus, in good times they plan for coming crises, which are inevitable, and in bad times they look for opportunities.
Who is responsible for risk?
The ultimate responsibility for risk belongs with the entire board or governing body. Responsibility for risk is a fundamental part of a governance oversight role. The word to focus on in the previous sentence is “oversight”. The board needs to set the organisation’s strategy, tone and culture. They can and should then delegate to management for delivery. They then have a monitoring and oversight role.
Hence while ultimate responsibility for risk lies with the governing body, in most organisations operationally it is management that is charged with having a process in place for identifying key risks and then developing an appropriate approach to mitigate these risks to an acceptable level. The governing body’s role should be more one of oversight. The common conundrum in the New Zealand context though, and especially in small organisations, is that this theoretically “ideal” boundary between governing bodies and management responsibilities in relation to risk is often not practical or possible. And when boundaries are blurred there is an inherent danger of things falling between the cracks.
As such, it is important for those in governance of charities and NFP organisations to recognise their roles and their capacity, so it is very clear who is doing what, especially in relation to risk.
While risk governance and value creation are often viewed as opposing concepts, or even as mutually exclusive, they are in fact inseparable. Every decision, activity, or initiative of the organisation involves some degree of risk. Hence the aim for the governing body should be awareness of risk and opportunities, and then appropriate risk management. What is appropriate will be influenced by the nature of both the activity and the organisation, the assessment of the level of risk, the risk appetite of the governing body, and the availability of risk mitigation procedures.
Approaches to Risk Management
The amount of material available on the topic of risk is overwhelming. A Google search on the word ‘risk’ provided 251 million results. Much of the available material is on risk management processes and systems, and a lot of it is academic or quite complex.
However, at its essence, risk management involves awareness, identification and assessment, followed by decisions as to action, which often involves some form of mitigation.
A useful way for organisations to think about risk is via the following 3 questions:
- What might go wrong?
- What can we do to prevent it?
- What will we do if it happens?
The governing body and management should begin developing their risk management strategies by answering these questions, building up a set of written policies that will help the organisation to:
- Protect itself from legal liability
- Better manage and maintain its assets (and possibly reduce the cost of insurance premiums)
- Protect its reputation with its stakeholders
- Make better informed decisions
The types of risk management strategies that governing bodies and management can employ can include:
- Good practice policies and procedures
- Incident reporting
- Ongoing staff and governing body training
- External reviews
- Establishment of a formal risk management committee
The topic of risk management can seem overwhelming when first being addressed. Therefore a good way to start is to break down the task into more manageable pieces. This can be done by categorising risk or creating a risk profile specific to your organisation.
Common category headings include:
Financial Risk, e.g.
- Loss of revenues
- Insolvency / cash shortages
- Negative impacts of interest rate / exchange rate movements
Operational Risk, e.g.
- Business operations (efficiency, supply chain, business cycles)
- Information technology
- Product/service obsolescence
- Access to labour
Strategic Risk, e.g.
- Reputational (i.e., bad publicity)
- Demographic and social/cultural trends
- Regulatory and political trends
Hazard Risk, e.g.
- Fire and other property damage
- Theft and other crime, personal injury
- Health & safety compliance
- Natural disasters
Once you have created your risk profile, acknowledging the risk that your organisation is facing, a next step can be to divide the various risks into three groups so that you can clearly deal with these:
- Risk that should be accepted
- Risk that should be hedged or otherwise mitigated
- Risk that should be exploited
What will be the likely impact of the new Health & Safety legislation?
The Health and Safety at Work Act 2015 replaces the former Health and Safety in Employment Act 1992. It represents a major change to New Zealand’s health and safety legislation and regulation, with the aim of reducing New Zealand’s workplace injury and death toll by 25 per cent by 2020. The new Act comes into force from 4 April 2016.
While there has been much comment about the new Act, and unfortunately some fear mongering, the intentions of the new Act should be welcomed. These include the approach of the Act, which works to focus effort on what matters, based on business risk, control and size:
- It reinforces proportionality – what a business needs to do depends on its level of risk and what it can control
- It shifts from hazard spotting to managing critical risks – actions that reduce workplace harm rather than trivial hazards
- It introduces the “reasonably practicable” concept – focusing attention on what’s reasonable for a business to do
- It changes the focus from the physical workplace to the conduct of work – what the business actually does and so what it can control
While all of the ramifications of the new legislation will take some time to become totally clear, what is clear are the following important features:
- The new Health and Safety at Work Act imposes some new duties on governing bodies including a positive due diligence duty on those in governance roles to ensure that the entity complies with its health and safety duties.
- Therefore, those in governance roles must be proactively managing workplace health and safety and have an evidence-based assessment of the health and safety system in place.
- Lack of knowledge will not be an adequate defence.
- A new regulator has been set up in WorkSafe NZ to develop regulations and investigate breaches – we will see more prosecutions. However, they are also providing some great plain English education materials and their website (www.business.govt.nz/worksafe) is well worth a visit.
- Just because you don’t pay people doesn’t remove them from Health & Safety responsibilities – while there are some specific exemptions, generally the Act applies to volunteer work and a general duty of care applies to volunteer labour under the Act.
- Potential penalties have increased; a maximum of $3m for a body corporate and $600,000 for a primary duty holder.
It is likely most organisations will have to review their health & safety situation and what systems, processes and education they have in place. This applies to all organisations in New Zealand.
The time to act is now!