
Risky Business

Risk Management 101


32nd Annual Conference of the International Association of Jewish Free Loans
October 27, 2014

Why focus on Risk Management today?
Free loans face low catastrophic risk, but are subject to a
variety of risks
**have large volunteer boards**
**small nucleus staff**
**efficiency and effectiveness challenges**

Well run non-profits are expected to establish strong
governance practices and effective risk management oversight
**more effective and efficient**
**face fewer negative surprises**
**better able to successfully deliver on their strategic objectives**

Topics to be Covered
A Word About Risk
Institutionalizing Risk Management
Building a Risk Plan



A Word about Risk
Risk is the potential for something adverse to occur that will
affect the achievement of objectives
Measured by likelihood of occurrence and potential impact
Impact in terms of operational capability, achieving strategic
objectives, damaging reputation, financial losses

Cannot operate with no risk
Too expensive and limiting to eliminate all risk. There is a
cost/benefit to risk management



What is Risk Management
Risk management is about identifying, assessing and
managing all types of risks that could negatively impact
operational performance and achievement of strategic objectives

The benefits of effective risk management are
Reducing surprises by identifying potential risks in advance
Enabling determination if satisfactory controls are in place
Mitigating impact and speeding recovery when risk materializes



Goal - Institutionalized Risk Management
How: an established risk management program
Getting there: Create and follow a Risk Plan
Risk Management Program Is an Ongoing Cycle
[Diagram labels: business activities, strategic priorities, planning]
To be effective:
Ongoing process. Continuous cycle of review and change
Reflect emerging experience, programs and environment
Integral to managing operations, planning, all decision making
Part of organization's culture and fit its size and complexity
Comprises policies and procedures well communicated and complied with, clear accountabilities
Risk Plan Is a Point in Time Look
Risk Plan comprises:
Outline of risks and their potential impact
Outline of risk management practices (or risk controls) used to reduce likelihood and mitigate impact
Details of strategies/actions to be executed to address priority risk management issues/gaps
Details of accountabilities for implementation
Details of responsibilities for monitoring implementation progress
Institutionalizing Risk Management
Creating a Risk Plan
Codify key business activities, strategic priorities and stakeholders
Perform a review of key risks and their potential impact, assess the effectiveness of risk controls and create a focused action plan to enhance controls on a prioritized basis
May want to submit a summarized risk plan to key stakeholders

Establishing a Risk Management/Governance Program
Codify policies and procedures to effectively identify, assess, manage and monitor risk, and govern JFLT's operations, on an ongoing basis
Risk plan may set out phased implementation plan
How to Develop A Risk Plan
Establish a group to focus on risk management/risk plan
Periodic progress reports to Board and potentially other key stakeholders
Codify key activities, strategic priorities, key stakeholders
Identify and assess potential risks and impacts
Survey, selected interviews, review of strategic plan, review of past experience
Group discussion and consensus
Review and assess risk controls and create action plan
Review of policies and procedures to determine effectiveness ratings
Group discussion of tolerances, control gaps and priority action plans
Codify decisions in risk plan and assign accountabilities
A Risk Plan Illustration for a Jewish Free Loan Society
Codifying
Key Business Activities
Strategic Priorities
Key Stakeholders
Illustrative Key Business Activities
Underwriting loans
Servicing loans
Managing problem loans
Marketing services
Securing funding
Investing reserve funds
Managing human resources and programs
Financial reporting
Reporting to/liaising with key funding partners and donors
Complying with laws, regulations and funder requirements
Governing operations
Are there any activities that we could not live without? Over what time?

Illustrative Strategic Priorities
Enhance loan offerings and quality of client service
Modernize and increase effectiveness of marketing
Enhance governance practices
What could take any of these off the rails?

Illustrative Key Stakeholders
Major funding partners
Members/donors
Volunteers
Clients
Employees
Broad Jewish community
What could seriously damage relations with any of these groups?

A Risk Plan Illustration for a Jewish Free Loan Society
Risk Plan Template
Risk Register
Risk Assessments
Prioritized Action Plans
Risk Plan Template
| Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance |
|---|---|---|---|---|---|

| Key Control Gaps | Priority to Close | Planned Actions | Completion Date | Person Resp. |
|---|---|---|---|---|

Identified risks and potential impact, risk controls and effectiveness, control gaps and action plans
Risk Plan Template (cont'd)
Very likely: Likely to happen multiple times in a year
Likely: Likely to happen once every year or two
Unlikely: Could happen once every several years (i.e. 3-5 years)
Very unlikely: Could happen once in 10+ years
Risk Plan Template (cont'd)
Avoid: Avoid activity that creates risk
Reduce: Put in place operational policies and procedures to reduce likelihood or potential impact of risk
Transfer: Contractual arrangements that move risk to external party: insurance, outsourcing with performance guarantees
Accept: Accept potential impact as likelihood is remote and potential impact not severe based on cost/benefit analysis
Risk Plan Template (cont'd)
Strong: Strong controls in place and fully complied with
Average: Some key controls in place, some known gaps in compliance or controls
Weak: Limited or no key controls in place, or complied with
Risk Plan Template (cont'd)
Financial: Access to short term liquidity, long term funding
Operational: Ability to carry out business activities in short/med term
Reputation: Reputation and relationship with key stakeholders
Strategic: Ability to effectively execute on strategic priorities
High: Significant damage to reputation, severe impact on cash-flow, material drop in long term funding commitments, inability to operate for extended time period
Moderate: Strained relationship with major funder or majority of donors, moderate decline in cash-flow or funding commitments, inability to operate for shorter periods
Low: Limited impact in all areas
Risk Plan Template (cont'd)
High: Must have; to be addressed quickly
Medium: Should have; can be addressed with lower priority
Low: Nice to have; not a priority
An Example Entry
| Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance |
|---|---|---|---|---|---|
| Key person risk | Likely | President as backup; Documentation of some procedures | Weak | High (operational) | No |

| Key Control Gaps | Priority to Close | Planned Actions | Completion Date | Person Resp. |
|---|---|---|---|---|
| Procedures not codified | High | Create complete operations manual | Jan 2015 | AB |
| No cross training of staff | High | Implement employee cross-training | Jan 2015 | CD |

Key person risk: risk of losing key executive or admin staff
Risk Register: Financial Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Short term reserves/liquidity | Insufficient cash-flow to cover operational expenses and loan demands | What could cause a material cashflow shortage? Does the agency frequently run at a deficit? |
| Long Term funding | Reduction of funding from key partners, loss of key funding partner, loss of donor base or dollars | What could cause a loss of funding from key partner? How long could the agency run with less? How would program offerings be impacted? |
| Capital security invest. Return | Market value losses in reserve funds, or reduced investment income | Does the agency have an appropriate investment policy? Is there appropriate oversight of investments? |
| Loan Losses | High losses on loans due to defaults | Does the agency have loan loss experience by type of loan, period of underwriting, other key criteria? Is the agency's underwriting policy sufficient and are procedures followed, for applicants and guarantors? Does the agency have a clear process for managing loans in arrears and is it followed? |
Risk Register: Strategic Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Demand for services offered | Reduced client demand for loans; Material reduction in client base | Is there a size when the agency becomes too little for major funders to bother with? |
| Awareness of agency | Lack of client and referring group awareness of agency services | Is the agency effectively marketing our services to the right groups? Do the clients referred to the agency and seeking loans meet key basic criteria? |
Risk Register: Operational Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Human Resources | Adequacy and expertise of staff and Board; Key person risk: Executive Director, President, Chair, Admin staff | What is at risk if an individual wins the lottery? Are policies and procedures documented? Are staff cross-trained? Are volunteers appropriately trained? Is there a code of business conduct and ethics that is signed off on by staff/volunteers? |
| Regulatory and other compliance | Compliance with laws and regulations pertaining to charitable organizations, terms of funding arrangements, internal policies and procedures, Board governing documents | Is there an inventory of all requirements and a mechanism to ensure all complied with? Is there a process to keep abreast of any regulatory/legal changes? |
| Business disruption | Severe weather; Damage to premises; Bomb or other threats | If the office is unavailable or systems are down, can you conduct essential business activities? Is there a set plan to deal with crisis events? |
| Data security | Breach of confidentiality of client data; Loss of critical client, financial or other data | Is there adequate security? Is there appropriate off-site data backup? Is there a response plan should event occur? |
Risk Register: Operational Risks (cont'd)

| Risk | Description | Some things to think about |
|---|---|---|
| Employee and volunteer safety | Physical harm from threats or security breach | Are employees/volunteers trained for emergency situations? If agency is small, are employees/volunteers meeting alone with potential clients which may be unstable? |
| Outsourcing Performance | Non-performance of outsourcing partners | What critical functions have been outsourced? Are there performance guarantees, and is performance monitored? What would happen if outsourcing partners not able to operate? Has a risk assessment of outsourcing partners been done? |
| Fraud and theft | Staff or volunteer theft, Client fraud | What controls are in place to minimize this risk? What can be done to minimize impact in the event of fraud? |
| Relationship with key partners | Breakdown in communications, non-delivery of requirements, reputational damage | How does the agency ensure these remain strong? Have there been any issues in past? Do staff/volunteers know who can speak for the agency? |
| Governance | Ineffective oversight by Board/Executive Committee | Does the Board feel they have enough knowledge and information to effectively oversee operations and strategic priorities? Is there an effective mechanism for making key decisions? |
Concluding Messages
Well run non-profits are expected to have strong governance
practices and effective risk management oversight

Jewish Free Loans may want to institutionalize risk management policies and procedures and prepare a risk plan as a first step; the journey will be as important as the destination

You will become more effective and efficient, face fewer negative
surprises and be better positioned to successfully deliver on your
strategic objectives

Questions and Answers
Thank You
