Is Your Risk Management Framework Robust?

We have now lived in COVID world for over two years and it is situation normal. But can your organisation survive another similar hit?

All organisations need to have a Risk Management Framework in place that includes a Risk Management Plan. Without one, your Board is not doing enough to be diligent in its work, and as management, you are, frankly, slack in living up to your obligations to the organisation.

That is a bold statement, but first, let's ensure we all understand what Risk Management Planning is.

Risk Management Planning is the process of:

  • Identifying the risks that your organisation faces,
  • Analysing and assessing those risks,
  • And then developing strategies to manage those risks.

While the risks can vary from organisation to organisation and even within organisations from activity to activity, the process of preparing a Risk Management Plan is a common, logical step-by-step process that anyone can follow.

There are six steps in the Risk Management Planning Process.

They are: -

Step 1: Identify the risks

Step 2: Assess the risks

Step 3: Map the risks on a Risk Matrix

Step 4: Create strategies to manage the risks

Step 5: Manage the Risk Management Plan's implementation

Step 6: Monitor, test, and evaluate

So, why is it important to have a Risk Management Plan?

Despite all the strategic plans and business plans that a typical Indigenous organisation prepares, the future is not predictable.

Many unpredicted things can happen in just the one year ahead, never mind any longer-term, some bringing good fortune, others potential catastrophe. Indigenous organisations face the possibility of changes to funding models, changes in legislation, political pressure, community disasters, fire, cyclone damage and the volatility of the economy.

The task of all Indigenous organisations is to be prepared.

If what might happen cannot be predicted, the fact that something will happen is undeniable. The challenge is to narrow down the risks in the external and internal environments, by putting strategies in place for many lesser risks, so that only a few remain that require contingency plans.

This is your Risk Framework.

It is incumbent on management and Directors to be aware of potential risks and to have prepared plans to deal with them if they happen.

How do you prepare your Risk Management Plan?

I know of many instances where Indigenous groups do not have a Risk Management Plan even when the most obvious risks are staring them in the face. The reason is usually that their toolkit does not include the knowledge to identify and analyse skills, but this is not an excuse - there are established processes that you can follow.

You must first recognise potential risks.

You can group them into categories: -

  • Risks related to your immediate industry or service;
  • Risks relating to your financial environment;
  • Risks relating to your external environment; and
  • Risks relating to your corporation.

Risks related to your immediate industry or service: from time to time, different industries may face risky times. The cattle industry, for example, is open to risks associated with markets that might suddenly cut access, or to risks associated with the debate on live export. If you are in the health industry, the implementation of NDIS may carry certain risks for you.

Your financial environment is where the money comes in and goes out. Risks include fraud, operational losses through the loss of demand or increasing competition, the change to funding models and grants, and losses through inefficiency and poor investment.

There are also risks in the external global sense. The Global Financial Crisis affected many Indigenous organisations as industry working on their lands retracted and royalty streams dried out. Even tension with China brings risks from the reduction of demand for our goods and services, and climate change can be catastrophic for many Indigenous organisations operating in regional areas in the drought.

Finally, don't forget the environment within your corporation. This, along with your financial environment, is potentially the most important to consider, and certainly the most within your control. However, to control these risks you need to identify their possibility. These internal corporation risks include the capability of management, infrastructure or equipment failure, community feuds and arguments, nepotism, and Board dysfunction, among others.

In identifying potential risks, simply ask questions that start with "what if."

For example, focusing on your immediate industry or service: -

  • What if the government took over the services we provide?
  • What if a major competitor opens in our region?
  • And so on.

In the category of the financial environment: -

  • What if one of our staff commits fraud?
  • What if the grant conditions were tightened?
  • And so on.

In the external environment: -

  • What if the country fell into recession?
  • What if a bush fire devastates our community?
  • And so on.

Finally, in the corporate environment: -

  • What if our community splits into factions?
  • What if we lose internet connection?
  • And so on.

The answers to these questions will point out the potential risks to your organisation so you then need to evaluate those risks in terms of likelihood and consequence.

How do you evaluate the risks you identify?

Using a scale, where 1 is least likely (or least frequency of happening) and 5 is most likely or will happen most frequently, score each risk with a score from 1 to 5 of likelihood or frequency. Something that could happen once in 100 years might be a "1" whereas a risk that could happen at least every year might be a "5".

Do the same with a score of 1 to 5 for the consequence or impact of that risk happening, whether the impact is financial or otherwise. If the financial or other impacts of a risk happening are minimal, then it might score a "1". On the other hand, if the impact meant a total loss of credibility and reputation, or that it could cost you several hundred thousand dollars, you would score it a "5".

For example, the risk to a corporation that it might lose grant funding (in the post-IAS implementation era!) might be 3; and the consequence might be 5 since it has very little other income.

You can then place the risk on a matrix such as this one:

[Figure: Risk Matrix]


This Risk Matrix prioritises your risk on a simple-to-understand graphic.

Any risks placed in the squares that are in the upper right quarter are critical. Those placed in the lower left quarter are low risk, and those risks in between are either high or moderate risks, depending on where they are placed.

The Risk Matrix helps you to quickly identify which risks are critical, high, moderate and low risks. In this way, you can prioritise your valuable time and plan the order in which you will deal with the risks.
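
As an added illustration (not part of the original article), the scoring and matrix placement described above can be kept as a small risk register in code. The band thresholds are assumptions, since the article fixes only the two corner quarters; every score is constructed for the example except the grant-funding risk (3, 5), and the names `Risk`, `band`, `prioritise` and `matrix` are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    category: str
    description: str
    likelihood: int   # 1 = about once in 100 years ... 5 = at least every year
    consequence: int  # 1 = minimal impact ... 5 = severe impact

ORDER = ["critical", "high", "moderate", "low"]

def band(likelihood, consequence):
    """Assumed banding; the article only fixes the two corner quarters."""
    for score in (likelihood, consequence):
        if score not in range(1, 6):
            raise ValueError(f"score {score!r} is outside the 1-5 scale")
    if likelihood >= 4 and consequence >= 4:
        return "critical"   # upper-right quarter
    if likelihood <= 2 and consequence <= 2:
        return "low"        # lower-left quarter
    # In between: assumed split on the combined score.
    return "high" if likelihood + consequence >= 7 else "moderate"

def prioritise(register):
    """Worst band first, then highest likelihood x consequence."""
    return sorted(register, key=lambda r: (
        ORDER.index(band(r.likelihood, r.consequence)),
        -r.likelihood * r.consequence))

def matrix(register):
    """Text grid of risk counts: likelihood rows (5 at top), consequence columns."""
    rows = []
    for lik in range(5, 0, -1):
        cells = [sum((r.likelihood, r.consequence) == (lik, con) for r in register)
                 for con in range(1, 6)]
        rows.append(f"L{lik} " + " ".join(str(n) if n else "." for n in cells))
    return "\n".join(rows + ["C  1 2 3 4 5"])

# Constructed register built from the article's "what if" questions.
REGISTER = [
    Risk("financial", "Grant funding is lost", 3, 5),  # scores from the article
    Risk("financial", "A staff member commits fraud", 2, 4),
    Risk("external", "A bush fire devastates the community", 1, 5),
    Risk("corporate", "Internet connection is lost", 4, 2),
    Risk("industry", "A major competitor opens in the region", 2, 2),
    Risk("corporate", "The community splits into factions", 4, 4),
]

if __name__ == "__main__":
    print(matrix(REGISTER))
    for r in prioritise(REGISTER):
        print(f"{band(r.likelihood, r.consequence):9} {r.description}")
```
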

Having identified the necessity for action, you then need to manage the risk by assessing if you can: -

  1. Avoid the risk;
  2. Reduce either the likelihood or the consequence of the risk;
  3. Transfer the risk; or
  4. Accept the risk.

Avoiding the risk can be done by stopping whatever process runs the risk of happening. For example, if the risk is a loss through potential theft from the cash held in the safe, you can stop the use of cash and make all transactions electronically.

Reducing the risk can be done by reducing the likelihood of the risk happening. For example, if the risk is a serious loss of computer data through the loss of power, you can install an uninterruptible power supply.

On the other hand, you can also reduce the risk by reducing the consequences of it happening. An example is the risk of closure due to the loss of program funds. You can proactively seek different funding sources before it happens or create social venture funding streams so all your eggs are not in one basket.

Transferring the risk is where you transfer the consequences to someone else. Insurance is a classic example of this strategy, as are product warranties.

Finally, accepting the risk is a possible strategy especially where the risk is nil or low, where the reason for the low risk is the rarity of it happening.

Having decided how best to mitigate the risk, you can then provide strategies to implement these risk mitigation strategies, make sure that you manage the implementation of the plan so that it is effected, and then prepare a schedule of robust testing and evaluation, including scenario analysis and rehearsals.

Risk management is not a difficult idea to manage. It may be strange and something your corporation has little experience of, but you do not need to be an expert in everything to design and implement strategies that can kick in for serious contingencies.

Risk management planning is a logical process that any management team can implement by following the simple steps above. The strategies are not hard to devise once you understand what the risks are made up of. So, you really have no excuse to avoid getting your risk management right. In fact, it is critical that you do.

If you need to review or even prepare your first Risk Management Plan, you can use our video-guided program to help you step-by-step. Through a series of guided video sessions accompanied by downloadable reading, template forms and worksheets, the program guides you through each step and process of the Risk Management Plan, including administrative management and subsequent review and improvements.

You can learn more about it here.

Of course, if you prefer a hands-on approach, please contact us by emailing or call us on 08 9242 2085.

OTS Management