Amanda Ogilvie: INGOs must identify, manage and monitor risks effectively

30 Nov 2017 Expert insight

The risk management landscape is becoming more and more difficult for charities operating internationally to navigate. As such, it is becoming increasingly important that international NGOs identify, manage and monitor risks effectively, says Amanda Ogilvie from BWB.

Increasing challenges for INGOs

Humanitarian need across the globe is growing and INGOs increasingly need to operate in situations of instability, conflict and emergency. As the need for aid in high risk areas increases, the regulatory environment for INGOs is becoming ever more challenging as regulators impose more stringent requirements. HMRC and the Charity Commission for England and Wales have increased scrutiny in relation to charities operating overseas and donor accountability is on the rise as the giving culture shifts from one of grant-making to contract negotiation.

These circumstances give rise to particular risk factors for INGOs which need to be identified, managed and monitored effectively. For example, INGOs operating in high risk areas need to consider factors such as sanctions, corruption and bribery (particularly in countries where “facilitation payments” may be commonplace), safeguarding, operating in areas controlled by proscribed organisations, protection of staff and volunteers, lack of banking facilities and poor infrastructure, to name a few. Although operating in these environments presents unique and difficult challenges, INGOs are often working on the cutting edge of international crises and it is imperative that they can continue to operate and to deliver aid in areas where the need is often greatest.

'Can too easily become a bureaucratic process'

Given the risk factors that are inevitably present when operating in certain areas, many INGOs have to accept a high level of risk in order to carry out their work. Risk management can often be erroneously perceived as a hindrance in these circumstances – as it can be viewed as a process that discourages charities from taking risks. As a result, it can too easily become a bureaucratic process that involves little more than a tick-box exercise. Rather than preventing charities from taking risks, an effective risk management process should allow charities to make informed decisions to better achieve their objectives and, ultimately, to enable and empower charities to take informed risks – in other words, risk management should be seen as a means of enabling charities to be risk aware not risk averse.

So what do charities registered in England and Wales need to do in order to comply with their legal obligations in respect of risk management?

At a minimum, charities that are required to have their accounts audited must make a risk management statement in their annual report confirming that:

“the charity trustees have given consideration to the major risks to which the charity is exposed and satisfied themselves that systems or procedures are established in order to manage those risks”.

Broadly speaking, although the Charity Commission provides guidance on risk management, there is no set form that the risk management statement must take nor is there a prescribed set of systems or procedures that charities must adopt in order to fulfil these requirements. This allows charities the flexibility to implement a risk management process that is appropriate for the risk profile of their particular organisation. However, the Charity Commission’s expectations of charities in respect of risk management have increased over the last few years. The Charities Statement of Recommended Practice (FRS 102) (“SORP”), which came into effect in January 2015, provides that charities that are required to have their accounts audited should also include in their annual report:

“a description of the principal risks and uncertainties facing the charity and its subsidiary undertakings, as identified by the trustees, together with a summary of their plans and strategies for managing those risks”.[2]

This means that, rather than simply acknowledging that the trustees have considered the risks that the charity is facing in the risk management statement, the annual report for these charities should describe some of the charity’s major risks along with a summary of any mitigation measures that have been put in place to manage these. For INGOs operating in high risk areas, this is likely to include risks related to their operations overseas.

So, given the high level of risk that many INGOs need to take to carry out their work, how can they make the risk management statement with confidence?

No one-size fits all approach

Guidance published by the Charity Commission provides that charities will need to consider risk and its management in a “structured way” if a positive risk management statement is going to be made. There are various different risk management frameworks that charities can adopt and there is not one correct model or “one-size fits all”. However, whichever risk management framework a charity adopts, it is important that it follows a structured format which clearly identifies, analyses, evaluates, treats and monitors risk in a formulaic way.

This will often involve adopting tools and processes such as a risk management policy and a risk register.  A risk management policy can provide a useful statement setting out the charity’s approach to risk management, its attitude towards risk and its risk tolerance or risk appetite (i.e. the level of risk that the charity is prepared to accept in order to achieve its objectives). This can provide an important foundation for an effective risk management framework, particularly in larger organisations. 

A risk register will typically set out a list of the charity’s key risks along with an assessment of these risks and any mitigation plans. A sophisticated risk register might include other features such as: a description of the causes and consequences of the key risks; an assessment of the impact and likelihood of a risk occurring at gross, net and target levels; a description of the existing controls that are in place to mitigate the risk and an assessment of their current level of effectiveness; confirmation as to whether any further action will need to be taken in order to further mitigate the risk and an action plan for doing this; and clear role allocation in terms of risk, control and who is responsible for taking action.

Adopting these tools can play a vital role in developing an effective risk management framework and can be invaluable in helping to identify and mitigate risk when operating in challenging environments. However, it is important to recognise that these tools simply provide a foundation for charities to manage risks effectively. This is only a first step and the real challenge can arise when trying to move past this stage to a place where the risk management process is embedded in the culture of the organisation.

Key tips for embedding an effective risk management framework

Embedding an effective risk management framework can be easier said than done, particularly for larger INGOs operating across numerous countries and in high risk environments. Again, there is not one way of doing this or “one-size fits all” solution as each organisation’s needs and requirements will be different and may change on a regular basis. We have set out some key tips below which may provide a useful starting point:

Regular review

INGOs operating in high risk areas may need to keep in mind that the situation for charities operating in these places is likely to be continually changing and adapting – therefore risk assessments need to be carried out regularly to identify and respond to changes in the risk environment. This means that the risk register will need to be reviewed on a regular basis (and not simply taken out of a dusty cupboard once a year) so that the information set out in it reflects an accurate, dynamic and changing picture. 

Wide involvement & consultation

If charities operating internationally are going to identify and respond to changes in the risk environment quickly and effectively, any changes or new risk factors must be reported efficiently and in good time. This requires open and honest communication channels across the organisation between staff, volunteers, teams and offices. To be effective, staff and volunteers across the organisation need to be engaged in the risk management process and collaborate and communicate openly. This requires a culture of trust and transparency. Staff training and regular consultation across offices can help to embed these values.

Applying lessons learned

Finally, most charities will face situations where some risks (large or small) have materialised and it can be important to acknowledge these incidents rather than brush them under the carpet. Reviewing these situations can give charities the opportunity to share information between offices, report the incident and take any further action needed and, significantly, make sure that lessons are learned for the future.

These are just a few key tips. However, putting these measures in place and embedding an effective risk management framework can help INGOs operating in high risk environments to make informed decisions and to take informed risks. This can help the charity to make the risk management statement with confidence and give the trustees an opportunity to demonstrate to their staff, donors, beneficiaries and the general public that they have identified, assessed and evaluated the key risks and have put appropriate measures in place to manage and mitigate these effectively.

Amanda Ogilvie is a charity and social enterprise solicitor at Bates Wells Braithwaite. Having worked in-house for an INGO for more than two years, Amanda has experience advising international not-for-profit organisations, particularly in relation to risk management and legal compliance.

Civil Society Media would like to thank BWB for their support with this article. 

 

More on