By Hayes Knight – 6 October 2014

Risk in any organisation is a big issue, albeit one that gets vastly differing levels of attention in New Zealand charities and Not-For-Profit entities (NFPs). From a fundraising perspective risk is often just viewed as the potential for loss of funding streams, however it is much more than that. The focus on risk generally will probably need to increase because New Zealand is likely to introduce a new Health and Safety at Work Act next year. Accordingly, we thought it worthwhile to take a look at the topic of risk in a broad sense.

What is risk?

Risk, in traditional terms, is viewed as a negative.   My trusty Oxford Dictionary defines risk as “the possibility of meeting danger or suffering harm or loss; exposure to this.”  Another dictionary defined risk as “exposing to danger or hazard.”

However the Chinese symbol for “crisis” possibly offers a better description of risk.  The first symbol is the symbol for “danger,” while the second is the symbol for “opportunity,” making risk a mix of danger and opportunity. By linking the two, the definition emphasises that you cannot have one (opportunity or upside potential) without the other (downside dangers).

Many people become interested in risk management during or just after a crisis and sadly pay it little heed in good times.  Yet with reference to the Chinese definition of risk/crisis; good risk-taking organisations should not only approach risk with equanimity, but also manage risk actively in good times and in bad times.  Thus, they plan for coming crises, which are inevitable, in good times and look for opportunities during bad times.

Who is responsible for risk?

The ultimate responsibility for risk belongs with the entire board or governing body.  Responsibility for risk is a fundamental part of a governance oversight role.   The word to focus on in the previous sentence is “oversight”.  The board needs to set the organisation’s strategy, tone and culture.  They can and should then delegate to management for delivery.  They then have a monitoring and oversight role.

Hence while ultimate responsibility for risk lies with the governing body, in most organisations operationally it is management that is charged with having a process in place for identifying key risks and then developing an appropriate approach to mitigate these risks to an acceptable level.  The governing body’s role should be more one of oversight.  The common conundrum in the New Zealand context though, and especially in small organisations, is that this theoretically “ideal” boundary between governing bodies and management responsibilities in relation to risk is often not practical or possible. And when boundaries are blurred there is an inherent danger of things falling between the cracks.

As such it is important for those in governance of charities and NFP organisations to recognise their roles and their capacity so it is very clear who is doing what…especially in relation to risk.

While risk governance and value creation are often viewed as opposing concepts or even mutually exclusive; they are in fact inseparable.  Every decision, activity, or initiative of the organisation involves some degree of risk.  Hence the aim for the governing body should be awareness of risk and opportunities, and then appropriate risk management.  What is appropriate will be influenced by the nature of both the activity and the organisation, the assessment of the level of risk, the risk appetite of the governing body, and the availability of risk mitigation procedures.

Approaches to Risk Management

The amount of material available on the topic of risk is overwhelming.  A Google search on the word ‘risk’ provided 251 million results. Much of this material available is on risk management processes and systems, and a lot of this is academic or quite complex.

However at its essence, risk management involves awareness, identification and assessment, followed by decisions as to action which often involves some form of mitigation.

A useful way for organisations to think about risk is via the following 3 questions:

  1. What might go wrong?
  2. What can we do to prevent it?
  3. What will we do if it happens?

The governing body and management should begin developing their risk management strategies by answering these questions, building up a set of written policies that will help the organisation to:

  • protect itself from legal liability
  • better manage and maintain its assets (and possibly reduce the cost of insurance premiums)
  • protect its reputation with its stakeholders
  • make better informed decisions

The types of risk management strategies that governing bodies and management can employ can include:

  1. Good practice policies and procedures
  2. Incident reporting
  3. Ongoing staff and governing body training
  4. External reviews
  5. Establishment of a formal risk management committee

The topic of risk management can seem overwhelming when first being addressed.  Therefore a good way to start is to break down the task into more manageable pieces.  This can be done by categorising risk or creating a risk profile specific to your organisation.

Common category headings include:

  • Financial Risk
  1. Loss of revenues
  2. Insolvency / cash shortages
  3. Negative impacts of interest rate / exchange rate movements
  • Operational Risk
  1. Business operations (efficiency, supply chain, business cycles)
  2. Information technology
  3. Product/service obsolescence
  4. d. Access to labour
  • Strategic Risk
  1. Reputational (i.e., bad publicity)
  2. Demographic and social/cultural trends
  3. Regulatory and political trends
  • Hazard Risk
  1. Fire and other property damage
  2. Theft and other crime, personal injury
  3. Health & safety compliance
  4. Natural disasters

Once you have created your risk profile, acknowledging the risk that your organisation is facing, a next step can be to divide the various risks into three groups so that you can clearly deal with these:

  1. Risk that should be accepted
  2. Risk that should be hedged or otherwise mitigated
  3. Risk that should be exploited

What will be the likely impact of the new Health & Safety legislation?

The Health and Safety Reform Bill will create the new Health and Safety at Work Act, replacing the Health and Safety in Employment Act 1992.  It represents a major change to New Zealand’s health and safety system with an aim to reducing New Zealand’s workplace injury and death toll by 25 per cent by 2020.  The Government’s intention is that the Bill will be passed in 2014, with the new Act coming into force from 1 April 2015.

All of the ramifications of the new legislation are not yet totally clear.  However what is clear are the following important features:

  • The new Health and Safety at Work Act will impose new duties on governing bodies including a positive due diligence duty on those in governance roles to ensure that the entity complies with its health and safety duties.
  • Therefore those in governance roles must be proactively managing workplace health and safety and have evidence based assessment of the health and safety system in place.
  • Lack of knowledge will not be an adequate defence.
  • A new regulator has been set up in WorkSafe NZ to develop regulations and investigate breaches
    – we will see more prosecutions.
  • Just because you don’t pay people doesn’t remove them from Health & Safety responsibilities
    – volunteers will be treated as workers under the Act.
  • Potential penalties have increased; a maximum of $3m for a body corporate and $600,000 for a primary duty holder.

It is likely most organisations will have to review their health & safety situation and what systems, processes and education they have in place.  This applies to all organisations in New Zealand.  The time to act is now!

Want to learn a bit more about how to prepare yourself for this new legislation and what the possible implications are of non-compliance – take a look at this other article on the Health and Safety changes.