Risk Management - The things that keep us awake at night

Author: Sandy Thompson - LEAD Director & CEO

If you wake up worrying about the next Covid wave, cyber security, losing a key person, expected funding drying up, etc. - it may be because you are not paying attention to detail.

If we are doing something important, we WILL be facing risks. If we are taking any significant action, there WILL always be the chance of something not eventuating or going wrong. It’s the nature of the world we live in, and the people who inhabit our organisations.

LEAD partner, Garth Nowland-Foreman, offers 3 key steps and two handy hints you may not be able to afford to ignore, and a couple of handy templates to get you going.

The issue is not ‘how to avoid risks’, but ‘how to respond to them’ – effectively. At the very least, we can all follow this simple 3-step risk management process.

Step 1: Identify the big risks. Brainstorm: what are we most worried about, or concerned could go wrong? What currently keeps us awake at night? And what should?! Things can go wrong anywhere in an organisation, but a good checklist if we get stuck - or find it hard to start - is just to go through all of our organisational assets (broadly defined):

  • What could go wrong with our people (staff, volunteers, board members, people we serve, colleagues we deal with)?

  • What could go wrong with our income (from various sources, starting with the biggest)?

  • What could go wrong with what we own (our investments/accumulated funds, any property, key equipment, including software we rely on)?

  • What could go wrong with our intangible assets (reputation, trust, referral sources, support, goodwill)?

Step 2: Once we have brainstormed a raw list, we need to sort and prioritise them. At this point we can forget about where the risk comes from and instead focus (for each significant risk) on what is the chance of it happening, and what are the consequences if it did occur? One of the easiest ways of doing this is to chart all the significant risks on a two dimensional grid:

Low to high “chance” (or probability) x low to high “consequence” (or impact). You can have as many steps from low to high as you want. The simplest is just to have two, resulting in a 2x2 grid.

You can then map your identified risks across the four (or 9 or 16) squares – automatically prioritising them – from high-high to low-low.

Step 3: Once risks are prioritised, you need to decide how best to respond to them one by one – starting with the highest risks. Generally there are four main ways we can manage identified risks:

  • Avoid – If the activity is just too risky, don’t do it. Replace with something else (e.g. change the rules of the game so no tackling is allowed for 12yrs and under teams);

  • Modify – Change or adapt the activity, so the chance of harm occurring and/or the potential negative consequences are reduced and more acceptable (e.g. include compulsory training on avoiding neck injuries for all players over 12yrs);

  • Transfer – Shift at least some aspects of the risk to someone else, such as by taking out insurance or contracting out responsibility (e.g. take out public liability insurance for participants, or contract out the harm-minimisation training to a professional);

  • Retain – Accept the risk, and prepare for the consequences (e.g. have an ambulance or trained first-aiders on stand-by during the game in case there is an injury).

Each of these possible strategies has limitations as well as strengths. Thoughtless application of strategies without regard to your particular context can even lead to negative consequences. Letting someone else carry the can by ‘contracting out’ a high risk activity could end up destroying your reputation, for example.

Often the various risk management strategies are most powerful when used in combination. There is also something of a correlation between different strategies and the four different quadrants (as outlined in Fig 2.). However, it’s important not to limit our reflection just to these common strategic responses, or where they often apply. Nevertheless, it would be very unusual for a “retain” strategy to be the best way of managing a high chance, high consequence risk.

These are the most important steps in setting up a risk management process for your organisation. However it’s equally important to actually implement your plans and keep them under regular review by your board and leadership team (sometimes referred to as the fourth and fifth steps). Regular review is important because circumstances change in terms of the risk for your organisation and your response strategy may therefore require a change in plan. 

It's useful to set up and regularly monitor a Risk Register. Here are templates for two such Risk Registers – a “rolls royce” version (with all the bells and whistles) and a “suzuki hatch” version (enough to get by at a basic level).

Before we finish, a couple of quick handy hints.

First, don’t rely on an audit to save you from fraud. I am not aware of any fraud, embezzlement or misappropriation that has been picked up by an audit. Fraud is much more likely to be picked up by a whistle-blower. However, a good auditor will be asking you tough questions about the systems you have in place (or not) to reduce the risk. It’s worth considering an audit every few years, if only for that advice. 

Another handy hint: duplication and inefficiency is your best ‘risk management’ friend.

One of the least expected findings of research on the most resilient organisations following the Canterbury Earthquakes, was that they were more likely to have duplicate systems, staff, and equipment. The leanest and meanest organisations - with no waste or inefficiency - usually fell over straight away, as there was no room for error. It’s why I’m glad to fly in jets with two engines, even though they can fly perfectly well with just one engine. Waste and duplication can be a prudent investment!

One organisation that I’m involved with identified within its Covid Management Plan all the key tasks that must keep going for organisational continuity, and ensures there are at least two people currently able to do each task or able to quickly pick it up (with necessary documentation).

Murphy’s Law

  1. Anything that can go wrong will go wrong

  2. If there is a possibility of more than one thing going wrong, the thing that will go wrong will be the one that will do the most damage.

  3. Left to themselves, things always go from bad to worse

  4. Nature always sides with the hidden flaw

  5. If it appears that everything is going alright, you are probably unaware of what is happening

And O’Toole’s Addendum is: “Murphy was an optimist”.
