One aspect of strategic financial management is assessing and managing the risks facing the organization.
If there are significant financial risks facing the organization that the trustees fail to address, it may threaten the organization’s financial sustainability.
Who should do a risk assessment?
The trustees have a responsibility to ensure that a risk assessment takes place. It is often best done by a group of people including some board and management, say once a year. Your auditors may also be able to help or advise.
The Four Stages in the Risk Assessment Process:
1. Identify the risks
One approach is to carry out a financial ‘SWOT’ analysis, where you identify financial strengths, weaknesses, opportunities and threats. Then, think of each of the threats as a potential risk. For example, a threat may be a volatile exchange rate. The related financial risk would be an exchange loss on a donor grant due to an adverse exchange rate.
List the risks identified into a risk register.
2. Assess the risks
Each risk is classified according to how serious it would be for the organization if it did happen (critical, major, or manageable). It is also classified according to the likelihood of occurrence (likely, possible or remote). The risks the trustees need to be most concerned about are those which would have a critical or major impact and are quite possible or likely to occur.
For example, if your office is situated on a flood plain and you do not have backups for your data, the risk of losing your financial data in a flood would both be critical and likely.
Just imagine… You assess a risk as having a critical impact and being likely to occur. Then you do nothing about it?
3. Take action on the most serious risks
For serious risks, actions should be taken to reduce the likelihood of the risk occurring, or the impact if it did occur. Eg Moving the office to higher ground reduces the likelihood of suffering a flooded office. Carrying out regular backups (and storing them offsite!) reduces the impact of losing your accounting data in the event of a flood.
Sometimes we cannot have any influence over the likelihood of something outside our control (eg a donor policy change or exchange rate drop), but we can take actions to reduce the impact (eg getting multiple donors, or holding funds in a stable foreign currency).
4. Continue to monitor progress
Risk assessment should not be a one-off event. The financial risks your organization faces will change over time. The decisions taken to reduce the risks may or may not be properly implemented. The actions taken may or may not be effective in reducing the risk. It is important to keep reviewing the situation. A practical way to do this is to maintain a risk register, regularly reviewed at Board meetings.