An introduction to the risk management process
A risk management process requires leadership from the board and the backing of all levels of the organisation.
At first glance risk management can appear daunting.
As well as all the other issues that come with managing a not-for-profit organisation, it can be tough to find time to go through the process of identifying all the risks that could affect your organisation, and then work out how to deal with them.
It's far easier if it's done as a joint, cooperative exercise, with leadership from the board and the backing of all levels of the organisation. It's important that everyone is encouraged to get involved in the process. It's the people who are actually doing the jobs or working as volunteers who have the best idea of the risks involved - and usually good ideas on how they can be managed.
Once you have embedded commitment you are on the road.
Establishing a risk management strategy is not about criticising how things were done in the past. It's about ensuring the safety of your organisation and the people involved in its operations, as well as those who come into contact with it.
The process for managing risk can be broken down into the following parts:
- Establishing the Context
- Identifying Risks
- Analysing Risks
- Evaluating Risks and
- Treating Risks
All the while ensuring that you continue to:
- Communicate and Consult, as well as
- Monitor and Review
1. Establishing the context
To ensure that you are able to identify all risks you need to take into account your organisation's own objectives and capabilities as well as factors external to your organisation such as a changing legal environment, moving social standards, etc.
By establishing the context that you are investigating you should be able to detail your organisation's objectives, and work out who will have an impact on or be affected by your risk management process. This information can be used to prioritise the order in which you attack the next task.
Ask:
- What relationships does the organisation have and how important are these?
- What laws, regulations, rules or standards apply to your organisation?
- What are the aims and objectives of the organisation?
- Who is involved with the organisation - internally and externally?
- What are your organisation's capabilities?
- What are you currently doing to manage risk, either formally or informally?
- Have you established some criteria for your organisation that defines what level of risk is acceptable?
Record your answers to use as a guide to your way forward.
2. Identifying risks
Identifying risks requires a broad approach. This part of the process (like all others) needs to be inclusive and should involve management, staff, members, volunteers and other stakeholders.
Often the best way to get things rolling is by providing an opportunity for everyone to provide ideas. Invite people to email ideas, add them to a list on the wall, or hold a brainstorming workshop. Remember there is no right or wrong risks; they should all be identified.
Once this exercise has been completed it may be opportune to start developing some checklists. What you're trying to do here is to identify what is at risk and what the possible effects might be. Ask:
- What can happen? When, where, why and how might this occur?
- Who and what might be involved?
- What are the potential effects and who will be affected? What are we doing about this now?
All risks, regardless of any immediate potential impact, should be recorded.
Look and ask for help from any insurers, risk or insurance experts, local government officers (community development officers are often very helpful), or any similar organisations to you or your peak association.
3. Analysing risks
All of this involves quite a lot of estimation. The next step involves even more estimation.
Don't be afraid of guessing; it's better than waiting till you know for sure, because then it could be too late.
The criteria for analysing risk are based on Likelihood and Consequence - i.e. what is the likelihood of the risk occurring and what is the consequence of that outcome?
Draw up a simple grid -
High probability Low impact |
High Probability High Impact |
Low probability Low impact |
Low Probability High Impact |
The risks that you give highest priority to are the ones that fall into the top right corner of your grid. A more detailed approach can be followed by scoring or rating on a scale.
4. Evaluating risks
By working in a collaborative manner your organisation can review the output of your analysis and objectively assess the risks in turn.
This step involves determining whether the level of risk is acceptable or unacceptable. Refer back to your initial aims and objectives for guidance in ranking the risks.
The evaluation of risk will enable priorities to be established that equate to an appropriate level of risk. The next step involves determining what action is appropriate to treat each risk.
5. Treating risks
Treating risks involves making a decision about what will be done with the identified risks.
Treatment should be appropriate to the level of the identified risk and generally any cost of treatment commensurate with the potential benefits.
Options include:
- Accepting the risk
If the risk is minor or the cost to avoid beyond your capacity to pay, and the reason for the risk is core to your very existence, you may need to consider accepting the risk. Be mindful of the consequences and do not just ignore them in the hope that they will never happen. - Avoiding the risk
Decide whether or not to proceed with any unacceptable risk or choose an alternative with acceptable risks that still meets your aims. - Reducing the risk
Look at alternative solutions that reduce risk. Initially focus on "industrial" solutions such as improved lighting, safety barriers and resurfacing rather than those changes that require people to change their behaviour. Other solutions such as rules, policies or training can then be looked at to reduce risk. Other options such as protective equipment could also assist. - Transfering the risk
Risk transfer usually occurs through insurance; once you've paid your premium, the risk of funding the liability passes to the insurance company. Other alternatives such as contracts, use of sub-contractors, leases, personnel contracts, disclaimers and warning signs may also be used to transfer risk.
6. Communicate and consult
Start by communicating your committee or board's commitment to risk management to all staff, members, participants and stakeholders. Place it in the context of the process beginning and needing all of their support to make it a success.
Keep people up to date, through emails, notices on the noticeboard and verbal updates, every step of the way so they know that risk is being taken seriously and to encourage them to provide further input.
The communication and consultation phase does not have a beginning and end - you need to make sure you are continually reminding people what you're doing to minimise risk and what their obligations are.
7. Monitor And Review
It is recommended that you establish a regime of both monitoring (continual assessment of what has been implemented) and review (a periodic assessment of the effectiveness and environment). By having a process in place you will be better able to protect your organisation from uncertainty.