for more information visit us at www.hempsons.co.uk
Small Charities Coalition
Risk management
Catherine Rustomji
Head of Third Sector North – Hempsons
12 June 2012
Agenda
• Catherine Rustomji - Hempsons
  • Charity Commission
  • Compliance
  • Risk
• Detlev Anderson - Ryecroft Glenton
  • Practical Example & CC26
The Regulator of Charities
• Increase effectiveness and public confidence
• Risk-based and proportionate approach
• Target help and resources:
  • charity’s beneficiaries
  • services
  • assets
  • reputation
The Charity Commission and Regulation
• Ensure charities meet legal requirements and are equipped to operate properly and within the law
• Check charities are run for public benefit
• Ensure independence and trustees take decisions free of control or undue influence
• Detect and remedy serious mismanagement or deliberate abuse by or within charities
Charity Commission’s Seven Principles
• Accountability
• Independence
• Proportionality
• Fairness
• Consistency
• Diversity and Equality
• Transparency
Charity Commission’s Objectives
• Increase public trust and confidence in charities
• Promote awareness and understanding of public benefit
• Promote trustees’ compliance with the law in control and management
• Promote effective use of charitable resources
• Enhance accountability to donors, beneficiaries and the general public
Risk – what do you need to know?
• Trustee responsibility
• Regular review and assessment
• Effective governance
• Risk appetite
• Risk tolerance
Risk Framework
• Identify major risks
• Decide how to respond
• Include statement in annual report
• Risk mapping/risk reporting
But ….
“However beautiful the strategy, you should occasionally look at the results.”
Winston Churchill
Disclaimer
• This presentation and any accompanying notes are made available on the basis that no liability is accepted for any errors of fact or opinion they may contain. Professional advice should be obtained before applying the information in particular circumstances.
Small Charities Coalition
Risk management – Practical Example & CC26
Detlev Anderson
Charities Partner – Ryecroft Glenton
12 June 2012
www.charity-commission.gov.uk/publications/cc26.aspx
Charities and Risk Management
(CC26)
Effective risk management means …
• Trustees make informed decisions and take timely action
• Charity makes the most of opportunities
• Forward and strategic planning are improved
• Charity’s aims are achieved more successfully
“An effective charity regularly reviews and assesses the risks it faces in all areas of its work and plans for the management of those risks. The implementation of an effective risk management policy is a key part of ensuring that a charity is fit for purpose.”
Stage 1: Establishing a risk policy
“Although there are various tools and checklists available, the identification of risks is best done by involving those with a detailed knowledge of the way the charity operates.”
Stage 2: Identifying risks
Types of Risk
• Governance
• Operational
• Financial
• External/environmental
• Compliance
“Identified risks need to be put into perspective in terms of the potential severity of their impact and likelihood of their occurrence. Assessing and categorising risks helps in prioritising and filtering them, and in establishing whether any further action is required.”
Stage 3: Assessing risk
• Previous CC guidance gave equal prominence to impact (y) and likelihood (x) so likelihood score times impact score (x * y) = risk score.
• Since June 2010 advice is that high impact but low likelihood should have a greater risk score than low impact but high likelihood so greater weight given to impact (y).
• This means likelihood score times impact score plus impact score (x * y) + y = risk score.
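Risk score matrix, (x * y) + y, with likelihood (x) across and impact (y) down:

Impact (y)     Likelihood 1 (Low)   Likelihood 2   Likelihood 3 (High)
3 (High)       1*3+3=6              2*3+3=9        3*3+3=12
2              1*2+2=4              2*2+2=6        3*2+2=8
1              1*1+1=2              2*1+1=3        3*1+1=4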
Example of a risk map
RISK MAP - uncontrolled
Axes: IMPACT (vertical, HIGH at top); LIKELIHOOD (horizontal, LOW to HIGH)
• over-dependence on one product
• inadequate insurance; loss of key personalities
• catastrophes / acts of God; internally induced business interruption; poor health, safety & welfare
• non-compliance with laws in operational areas; mismatch between staff levels / skills and key objectives; failure of IT systems
• non-compliance with Charity Commission regulation; Allerburn Lea Residents' Association; inadequate capital
• lack of trustees' skills and availability; controlling dynamics of the larger organisation
• failure to report relevant information to trustees on a timely basis; cash flow
• quality and integrity of management information; customer dissatisfaction
• failure to achieve / record non-financial targeted outputs
• externally induced factors affecting business interruption
• failure to adequately fundraise
• failure to meet funding criteria
• over-crowding in the tree house; human resource issues and employee relations; the weather
• burst pipes; fraud including incurring and settlement of liabilities without appropriate authorisation; lack of succession planning / staff skills
• reliance on professional advisors; poor publicity - loan from Duke; inadequate volunteer management
• misapplication of restricted reserves; security of data / intellectual property
• changes to grant-making and fiscal policies of government and grant givers; inadequate security of tangible assets
• contract risks; vandalism
• dilapidations; inadequate procedures and systems documentation
• poor products / poor buying decisions; separation from the Castle
• power cuts; increased competition from other venues
• failure to comply with anti-discrimination legislation; loss of novelty
• inadequate maintenance; trustees' conflicts of interest
• dependency on key suppliers; inadequate control of cash
• onerous long term supply contracts; misapplication between trading and non trading income
• inadequate segregation of duties; downturn in the economy / fuel prices
• inadequate stock control
• unforeseen consequences of fiscal and other regulation
• dependency on external transport services
• prices charged by suppliers
• credit control; theft; seasonal nature of work force
• conversion to Euro
Example produced by Ryecroft Glenton
Risk Responses
• Tolerate
• Terminate
• Treat
• Transfer
Risk register template
Potential or uncontrolled risk: Disaster recovery and planning
Potential impact:
• computer system failures or loss of data
• destruction of property, equipment, records through fire, flood or similar damage
Likelihood of occurrence (x score): Medium (2)
Severity of impact (y score): High (3)
Uncontrolled risk score (x * y) + y: Too high (9)
Control procedures:
• agree IT recovery plan
• implement data back up procedures and security measures
• review insurance cover
• create disaster recovery plan including alternative accommodation
Likelihood of occurrence (x score): Medium (2)
Severity of impact (y score): Low (1)
Managed or controlled risk score (x * y) + y: Acceptable (3)
Monitoring process: Reviewed quarterly by trustees
Responsibility: Trustees and I.T. Manager
Further action required: Quarterly agenda item for trustee meetings
Date of review: Quarterly
RISK CONTROL FRAMEWORK
Columns: Risk | Risk Category | Uncontrolled risk (Impact, Likelihood, Overall Risk) | Consequences | How managed at present | Further Action Required | Managed risk at date of this review (Impact, Likelihood, Overall Risk) | Managed risk, Phase 3 in progress (Impact, Likelihood, Overall Risk) | Managed risk, Phase 3 complete (Impact, Likelihood, Overall Risk)

Risk: loss of key personalities
Risk Category: operational
Uncontrolled risk: 3, 3, 9
Consequences: loss of high profile / charismatic personality; loss of vision; reduction in positive publicity; increased capital marketing costs; reduction in staff morale
How managed at present: not managed, but risk diminishes as a result of expansion of the management team and management development; key person insurance for the Duchess of Northumberland
Further Action Required: continue to monitor and review
Managed risk at date of this review: 3, 3, 9
Managed risk, Phase 3 in progress: 3, 3, 9
Managed risk, Phase 3 complete: 2, 3, 6

Risk: poor health, safety & welfare
Risk Category: operational
Uncontrolled risk: 3, 3, 9
Consequences: fatalities / injuries; poor publicity; increased insurance costs; criminal / civil actions; reduced staff morale; impact on fundraising; reduction in visitor numbers; enforced closure (temporary or permanent); fire evacuation procedures lead to refunds / loss of sales
How managed at present: risk assessments; staff training; policy statement; health and safety manual; allocation of responsibilities; introduction of risk assessments; introduction of staff training; standing agenda item for Enterprise Board
Further Action Required: follow up existing risk assessments; perform risk assessments for satellite operations; review all risks at the pavilion; deal with the identified risk of the pavilion steps; complete staff training; form a Health & Safety committee
Managed risk at date of this review: 3, 2, 6
Managed risk, Phase 3 in progress: 3, 2, 6
Managed risk, Phase 3 complete: 3, 2, 6

Risk: failure of IT systems
Risk Category: financial
Uncontrolled risk: 3, 3, 9
Consequences: loss of data; inconvenience to customers on admission; additional work; additional errors / fraud; inadequate data protection
How managed at present: daily backups are taken off site; double servers in safe room with environmental control; support contracts for all hardware and software; firewall; virus software updated every night
Further Action Required: improve security to wireless access; review/increase levels of encryption; use the data safe; review security around portable chip & pin devices
Managed risk at date of this review: 2, 1, 2
Managed risk, Phase 3 in progress: 2, 1, 2
Managed risk, Phase 3 complete: 2, 1, 2

Risk: inadequate capital
Risk Category: financial
Uncontrolled risk: 3, 3, 9
Consequences: failure to proceed with future developments of maintenance programme, which would affect sustainability of the project
How managed at present: there is presently sufficient capital to meet current financial commitments; there is regular cash flow management
Further Action Required: formalise and adhere to a reserves policy to fund future operational and maintenance programmes
Managed risk at date of this review: 3, 3, 9
Managed risk, Phase 3 in progress: 3, 3, 9
Managed risk, Phase 3 complete: 3, 3, 9

Risk: controlling dynamics of the larger organisation
Risk Category: operational
Uncontrolled risk: 3, 3, 9
Consequences: underachieve against budgets; reduce staff morale; poor service/quality; increased fixed costs
How managed at present: budget / targets / corporate objectives; monthly meetings / reviews; employment policy / contracts
Further Action Required: review implications of downsizing
Managed risk at date of this review: 2, 2, 4
Managed risk, Phase 3 in progress: 2, 2, 4
Managed risk, Phase 3 complete: 2, 2, 4

Risk: cash flow / Development programme - phase 2
Uncontrolled risk: 3, 3, 9
Consequences: breach of covenants; need to increase debt; inability to fund developments
How managed at present: monthly review of cashflow; formalise and adhere to a reserves policy; develop strategies to maximise cashflow
Managed risk at date of this review: 3, 3, 9
Managed risk, Phase 3 in progress: 3, 3, 9
Managed risk, Phase 3 complete: 3, 3, 9

Risk: customer dissatisfaction
Risk Category: operational
Uncontrolled risk: 3, 3, 9
Consequences: post phase II, more products on offer therefore a greater likelihood of disappointment; reduction in the quality of the visitor experience; loss of future revenues; loss of reputation; reduction in return visits; the pavilion has raised food expectations
How managed at present: customer surveys; customer complaints procedure/policy; additional facilities for busy periods have been developed; monitoring of projected against actual customer numbers; methods developed to direct customers to less crowded areas; alternative catering facilities for busy periods are in place; appointment of customer services manager
Further Action Required: set criteria to follow up complaints; having raised expectations (e.g. Pavilion catering), need to concentrate on meeting them; develop customer survey techniques; planning to ensure consistency of product offering and not to overpromise (i.e. matching customer expectations with deliverability)
Managed risk at date of this review: 2, 1, 2
Managed risk, Phase 3 in progress: 2, 1, 2
Managed risk, Phase 3 complete: 2, 1, 2

Risk: over-dependence on one product
Risk Category: operational
Uncontrolled risk: 3, 2, 6
Consequences: fall off in customer revenue; end of the entity; claw back of funding
How managed at present: development programme leading to diversification of products
Further Action Required: None
Managed risk at date of this review: 3, 2, 6
Managed risk, Phase 3 in progress: 3, 2, 6
Managed risk, Phase 3 complete: 1, 1, 1

Risk: inadequate insurance
Risk Category: operational
Uncontrolled risk: 3, 2, 6
Consequences: unexpected loss
How managed at present: regular contact with brokers; insurance to cover to replacement value; follow advice and recommendations of insurers
Further Action Required: communicate levels of insurance to relevant managers; monitor on a regular basis, including levels of excess on new risks; finalise emergency and disaster management plan for every area
Managed risk at date of this review: 2, 2, 4
Managed risk, Phase 3 in progress: 2, 2, 4
Managed risk, Phase 3 complete: 2, 2, 4

Example produced by Ryecroft Glenton
Disaster Recovery Plan
1 First steps
• commit to planning across the charity
• develop a plan by a team representing all functional areas of the charity
• plan as a project if appropriate
2 Impact/risk assessment
• identify all major risks
• each risk to be given an impact and likelihood rating (see Part D)
• consider overall risk profile of charity
3 Drawing up the plan
• establish milestones to move charity from disaster to normal operations
• start with immediate aftermath
• outline what functions need to be resumed and in what order
• plan should identify key individuals and their roles and duties
4 Testing
• plan process of testing properly
• reproduce authentic conditions as far as possible
• plan tested by the key individuals identified in the plan
• document test procedures and record results
• consider amendments to plan
5 Training
• make all charity trustees, staff and volunteers aware of plan and their own duties and responsibilities
• stress the importance of planning even if the disaster appears to be a remote likelihood
• get feedback from all to ensure that duties and responsibilities are understood
6 Updating and maintaining
• plan should be updated to be applicable to current activities
• give someone responsibility for updating plan and communicating any changes
• all changes should be fully tested
• key staff informed of changes in duties and responsibilities
Questions?
Detlev Anderson
Charities Partner
Ryecroft Glenton
32 Portland Terrace
Newcastle upon Tyne
0191 281 1292