Things can go wrong in many of the most well run organisations. As humans this shows our imperfections and limitations.
In modern times and especially in the West as management sciences developed, “how to manage risks” became one of the main tools for planning and good governance in organisations. This is why some of the best governed organisations have the best “risk management” in place.
One thing is clear taking risk is not an issue, many successful businesses, organisations and people took risks that brought them success they then enjoyed. Its how this risk was managed helped to keep their heads above the water and avoid the real and present circling sharks.
Another important aspect of risk management is that all risks cannot necessarily be managed to a point where they cant materialise. Even when they are best managed, they can still occur. Only difference being that good management of them means, the organisation is better placed to weather the storm when it comes. This may not be the case without managing them.
Trained in Big 4 accountancy firms in risk management, I had the opportunity to audit risk management in local government, housing associations, central government agencies and education sector. After leaving the Big 4, I moved to a FTSE giant where as a senior Internal auditor, I reviewed risk registers of EMEA region countries and led risk workshops of complex large businesses, such as the North Sea business. As I now work in the charity sector, strengthening good governance in organisations, disseminating my professional learning, I am pleased to see many INGOs recognising the need to manage risks. Be it very much behind the government and corporate sector for various reasons, they try to punch above their weight. In dealing with risk management in the charity sector, especially the INGO sector, I have the following observations:
Where do risks come from
I too often see a misunderstanding of “relevant” risks. Organisations too often led by academics and theory or with the desire of simply copying “others” often fall in this trap.
Identifying risk becomes, a tick box exercise and most of the time risks end up outwardly looking, ignoring the internal and external needs of organisations.
Risks become very much focused on weaknesses and threats, ignoring strengths and opportunities. As I mentioned above sometimes organisations need to be bold to succeed. This may require taking risks.
Every organisation like humans can be different from each other. How the organisation was formed, the recruitment, HR practices, type of CEO and trustees, ethos, stakeholders, business relationships, contracts and brands, can make organisations unique. The associated risks should reflect this. The controlling of risks
In risk registers, I see listing of controls against risks and then a sense of content from organisations that the box is ticked and risk is managed. This is not risk management instead this can turn into a false sense of security. The process of matching risks with controls requires a robust assessment of the controls. This should lead to identifying gaps with meaningful action plans.
An effective risk management process leads to more work, more strengthening, more investment, more focus and more hunger to succeed. This cannot be just a tick box. The INGO sector has a long way to go. Being able to manage risks, can mean a difference of life and death, a full belly or an empty belly for the beneficiaries of INGOs.
The funds raised can travel further in meeting objectives that the most vulnerable depend on. In all this, my work with INGOs continues. Nasir Rafiq is a financial governance expert and the founding director of Dua Governance Chartered Accountants, specialising in the charity sector and internal audit.