June 2007 NEWSLETTER: Financial Literacy for Not-for-Profits
"Financial Literacy for Not-for-Profits"
This newsletter is a free service to the North American not-for-profit community from William Harper Associates. Its focus is on helping organizations that do good, do better ... by helping Not-for-Profit Boards and managers improve their understanding of financial management and reporting concepts, and implementing practical, effective financial controls and processes.
Thought for today
Have you got a good idea or a comment on this tip?
Share your thoughts with me and our community.
Is this useful?
Please, pay it forward, and forward to a friend in the sector.
Subscription Information
Manage your newsletter subscription preferences. If you are "just visiting" this newsletter (that is, sent by a friend) you are welcome to subscribe directly.
June 2007: Financial Literacy for Not-for-Profits
This month's Financial Literacy Newsletter addresses the subject of risk and risk management.
"Risk management" is one of those terms you may hear a Board member from a large corporation talk about, or you may read about. It often sounds pretty sophisticated, and you may wonder if it is something that you should know more about.
The bad news is, "yes", you should know about it! The good news is that you probably already do, and are just not using this term.
So, first off, just what is risk? Ordinarily, we think of risk as "the chance that something bad will happen". In its broadest sense, however, we could think of risk as "the chance that something will happen" - bad or good. But, it is our human nature to worry and think more about the bad than the good (except, perhaps, when we play the lottery!), and that is true in this context. We'll come back to the good side of risk later in the discussion.
Risk management, then, is the art or science of managing risks. Is that something your organization does? Of course! When people talk about risk management as a well-defined activity, however, usually they are referring to a more orderly framework for doing so.
Think about it - your organization manages all sorts of risks, every day. So if implementing risk management will give the organization an orderly framework for doing so, doesn't that sound like a good thing? Doesn't it sound like it might let your organization manage risks more easily, more effectively, more comfortably? Would that make your life harder, or just a bit easier? Read on if you're thinking there might be something good here!
The process of risk management is pretty simple: identify risks; quantify risks; deal with risks; repeat.
Identify risks: This is probably pretty easy. Just brainstorm a bit around the question "what could go wrong"? Or, look at each program or each line item on your financial statements and ask the same question. You'll be sure to come up with lots of risks! What if our Executive Director is hit by a bus? What if we lose that major source of funding? What if our offices and computer files are destroyed in a natural disaster? And so on. Just write them all down in a list.
But, before you get depressed at the thought of everything that could go wrong, recognize that you are already well on the way to better managing these risks, just by thinking through them in a comprehensive way before they happen!
Quantify risks: There are really only two aspects to risk - the likelihood of the risk happening, and the severity of the risk if it does happen. You don't need to get too sophisticated here - just put two columns beside your list of risks, and judge the likelihood and severity of each item as one of high, moderate or low.
Example: the risk of a natural disaster destroying our offices. Likelihood - might be judged as low. The severity - high.
Once you've assessed each risk, sort the list from higher to lower.
Deal with risks: Now, you need to deal with the identified risks, paying more attention to higher risks, and less to lower risks. And, there are really only a few ways of dealing with risks. You can
- avoid the risk, for example by not undertaking a risky activity (e.g. "let's not have a fundraising lottery because of the risk that we could actually lose money on it);
- transfer it, usually through insurance (though this generally cannot transfer all of the risk, it can serve to significantly reduce its severity). For example, we can choose to (or not) have collision insurance on our delivery van, in case our driver gets in an accident;
- reduce it, for example, by implementing good internal controls or proper planning and oversight (e.g. "we will reduce of risk of employee fraud by having two cheque signers and an independent bank reconciliation"); or,
- accept it, that is, conclude that the risk is acceptable and tolerable relative to any of the other choices (for example, accepting the risk that your onsite data files will be lost in a natural disaster and that your offsite backup in the bank vault will also be destroyed at the same time).
Repeat: Things change. So, you should periodically - regularly - revisit your identified risks, their likelihood and severity, and your approaches to dealing with them. It's wise to integrate risk management into your organization's culture and strategic management framework - make it an integral part of your strategic and operational planning and monitoring.
You'll likely discover that your organization is already doing most of the things it should for most of the risks identified. This framework highlights what you're not doing, however, and where you need to devote your efforts. Hopefully, it will let you sleep just a little better too!
A final note on "good" risks: Consider the benefits of using a similar risk management framework for assessing positive risks. In this case, you would look at the positive risks and figure out ways of increasing their impact on your organization. It's a useful concept for comparatively evaluating possible new programs activities and approaches to meeting your strategies and goals.
William Harper is a Chartered Accountant, and has broad experience in financial management, strategic management and risk management. Contact us for help.