Once your board has agreed risk-appetite statements for various aspects of your operations, you need to think about how you can bring these to life for managers making decisions on a day-to-day basis. Risk-appetite statements typically say things like "we have no tolerance for fraud", but everyone knows that the reality is that fraud can still happen. The only way to prevent fraud entirely is to stop activities, which is self-defeating. So how should managers make decisions about the level of risk to accept?
Assessing an acceptable level of risk is like being a set of scales: you need to weigh the level of risk against the costs of managing the risks. Costs include time, effort and the opportunity cost of lack of capacity to do other things. You need to weigh this against the probable impact of the activity. Some charities will undertake activities that are core to their mission that seem high-risk to others, but if they have trained people and established procedures the risk has been reduced to an acceptable level.
A great example of an organisation that understands the risk balance is Volunteering Matters. Many said that its award-winning project, Volunteers Supporting Families, would not work because it was too risky on many levels. The projects recruit, train and match volunteers to mentor and support families with complex needs, such as alcohol or substance misuse, mental health and emotional wellbeing, and where children are at risk of significant harm through neglect. Volunteers make weekly visits to the families, building up a strong relationship with the parent/s, listening to their problems and offering practical help. Having identified the risks, the programme recruits suitable volunteers, trains, supports and supervises them.
This example illustrates that organisations have to accept managed risk and can be risk-taking in activities to achieve their missions. Organisations need to be able to articulate how such decisions are made: it can come down to fine judgements, but it is possible to pick out the components. A simple decision-framework template can guide managers to the points that need to be considered in weighing decisions. The framework should draw out the benefits, risks, costs and effort needed to undertake the activity.
Part of a manager’s induction should help them with making decisions – there are myriad small decisions everyone makes every day. These will not need a decision framework, but managers still need guidance on how the organisation views risk, so that you are not leaving this up to individuals. It is part of the culture of the organisation – "how we do things around here". If you are new to the organisation or newly promoted, you will need to learn how even everyday decisions get made. We tend to learn this socially by observing what goes on in our first weeks. So behaviour by others tends to be our guide to acceptable levels of risk-taking or risk-aversion. Risk culture is the next important factor.
Kate Sayer is senior consultant at specialist auditors Sayer Vincent