One aspect of strategic financial management is assessing and managing the risks facing the organisation.
If the trustees fail to address significant financial risks facing the organisation, this may threaten the organisation’s financial sustainability.
Who should do a risk assessment?
The trustees have a responsibility to ensure that a risk assessment takes place. It is often best done by a group of people including some board members and management, say once a year. Your auditors may also be able to help or advise.
Four stages in the risk assessment process:
One approach is to carry out a financial ‘SWOT’ analysis, where you identify financial strengths, weaknesses, opportunities and threats. Then, think of each of the threats as a potential risk. For example, a threat may be a volatile exchange rate. The related financial risk would be an exchange loss on a donor grant due to an adverse exchange rate.
List the risks identified in a risk register.
Each risk is classified according to how serious it would be for the organisation if it did happen (critical, major, or manageable). It is also classified according to the likelihood of occurrence (likely, possible or remote). The risks the trustees need to be most concerned about are those which would have a critical or major impact and are quite possible or likely to occur.
For example, if your office is situated on a flood plain and you do not have backups for your data, the risk of losing your financial data in a flood would be both critical and likely.
Just imagine... You assess a risk as having a critical impact and being likely to occur. Then you do nothing about it?
For serious risks, actions should be taken to reduce the likelihood of the risk occurring, or the impact if it did occur. For example, moving the office to higher ground reduces the likelihood of suffering a flooded office. Carrying out regular backups (and storing them offsite!) reduces the impact of losing your accounting data in the event of a flood.
Sometimes we cannot have any influence over the likelihood of something outside our control (eg a donor policy change or exchange rate drop), but we can take actions to reduce the impact (eg getting multiple donors, or holding funds in a stable foreign currency).
Risk assessment should not be a one-off event. The financial risks your organisation faces will change over time. The decisions taken to reduce the risks may or may not be properly implemented. The actions taken may or may not be effective in reducing the risk. It is important to keep reviewing the situation. A practical way to do this is to maintain a risk register, regularly reviewed at Board meetings.