The charity sector has experienced a series of unfortunate events. Can this be down to poor risk management?
In the next few articles over the coming months, I will look at different aspects of risk management where boards and managers might improve their practices.
First, risk appetite. This is not an entirely straightforward concept. It is intended to create a common understanding of where an organisation should be taking risks to fulfil its mission. However, care is needed. You could end up with a statement that implies you are happy taking risks with personal safety.
The basics: a risk appetite statement indicates the level of risk that can be accepted for a given area of activity. It sets the context for judgements about the amount of effort and resources to be expended. A low-risk appetite indicates that the organisation expects considerable efforts to be made to reduce the level of risk. A high-risk appetite means that you are risk-taking in that area. No appetite means that you will avoid the activity because of the risks involved.
The tricky bits: you might want to say that you have a high-risk appetite for fundraising. In other words, you are prepared to invest funds in new and innovative ways of raising funds. However, you might not be prepared to take risks with your data, or with practices that mean vulnerable people are pestered for funds, so you need to craft a risk appetite statement carefully.
Here’s an example for this situation: "We are prepared to accept the risk of financial loss in terms of investing in innovative ways of fundraising and have a high-risk appetite for innovation. However, we expect all fundraising to be conducted in line with our ethical code. We have no tolerance for behaviour that is not in line with our values."
Notice that a new term was introduced – "no tolerance". This refers to standards of behaviour. In practice, you cannot prevent things going wrong. You have to accept a risk that mistakes will be made, such as with data. If you cannot accept some risk in this area, then you have no appetite and would not undertake the activity at all.
Fraud is another tricky example. You can say you have no tolerance for fraud, but that in itself will not prevent it happening, so incidents will still occur. You have to accept a level of risk. So consider a statement along these lines: "We have a low-risk appetite for activities where fraud is likely, but accept that fraud does occur even where procedures are strong. Fraud is theft and it damages our mission. We have no tolerance for fraud and will prosecute offenders."
Risk appetite statements are particularly helpful to boards, creating a high-level policy on risk to provide a context for their decisions. It is then important to consider how these can be used to provide clearer guidance to managers for decision-making in day-to-day situations.
Kate Sayer is senior consultant at specialist auditors Sayer Vincent