32nd Annual Conference of the International Association of Jewish Free Loans, October 27, 2014

Why focus on Risk Management today?

Free loans face low catastrophic risk, but are subject to a variety of risks
- **have large volunteer boards**
- **small nucleus staff**
- **efficiency and effectiveness challenges**

Well run non-profits are expected to establish strong governance practices and effective risk management oversight
- **more effective and efficient**
- **face fewer negative surprises**
- **better able to successfully deliver on their strategic objectives**

Topics to be Covered
- A Word About Risk
- Institutionalizing Risk Management
- Building a Risk Plan

A Word about Risk

Risk is the potential for something adverse to occur that will affect the achievement of objectives
- Measured by likelihood of occurrence and potential impact
- Impact in terms of operational capability, achieving strategic objectives, damaging reputation, financial losses

Cannot operate with no risk
- Too expensive and limiting to eliminate all risk.
- There is a cost/benefit to risk management

What is Risk Management

Risk management is about identifying, assessing and managing all types of risks that could negatively impact operational performance and achievement of strategic objectives

The benefits of effective risk management are:
- Reducing surprises by identifying potential risks in advance
- Enabling determination if satisfactory controls are in place
- Mitigating impact and speeding recovery when risk materializes

Goal - Institutionalized Risk Management
- How: an established risk management program
- Getting there: Create and follow a Risk Plan

Risk Management Program Is an Ongoing Cycle

[Cycle diagram labels: business activities, strategic priorities, planning]

To be effective:
- Ongoing process. Continuous cycle of review and change
- Reflect emerging experience, programs and environment
- Integral to managing operations, planning and all decision making
- Part of organization's culture and fit its size and complexity
- Comprises policies and procedures, well communicated and complied with; clear accountabilities

Risk Plan Is a Point in Time Look

Risk Plan comprises:
- Outline of risks and their potential impact
- Outline of risk management practices (or risk controls) used to reduce likelihood and mitigate impact
- Details of strategies/actions to be executed to address priority risk management issues/gaps
- Details of accountabilities for implementation
- Details of responsibilities for monitoring implementation progress

Institutionalizing Risk Management

Creating a Risk Plan
- Codify key business activities, strategic priorities and stakeholders
- Perform a review of key risks and their potential impact, assess the effectiveness of risk controls and create a focused action plan to enhance controls on a prioritized basis
- May want to submit a summarized risk plan to key stakeholders

Establishing a Risk Management/Governance Program
- Codify policies and procedures to effectively identify, assess, manage and monitor risk, and govern JFLT's operations, on an ongoing basis
- Risk plan may set out phased implementation plan

How to Develop A Risk Plan
- Establish a group to focus on risk management/risk plan
  - Periodic progress reports to Board and potentially other key stakeholders
- Codify key activities, strategic priorities, key stakeholders
- Identify and assess potential risks and impacts
  - Survey, selected interviews, review of strategic plan, review of past experience
  - Group discussion and consensus
- Review and assess risk controls and create action plan
  - Review of policies and procedures to determine effectiveness ratings
  - Group discussion of tolerances, control gaps and priority action plans in group
  - Codify decisions in risk plan and assign accountabilities

A Risk Plan Illustration for a Jewish Free Loan Society

Codifying:
- Key Business Activities
- Strategic Priorities
- Key Stakeholders

Illustrative Key Business Activities
- Underwriting loans
- Servicing loans
- Managing problem loans
- Marketing services
- Securing funding
- Investing reserve funds
- Managing human resources and programs
- Financial reporting
- Reporting to/liaising with key funding partners and donors
- Complying with laws, regulations and funder requirements
- Governing operations

Are there any activities that we could not live without? Over what time?

Illustrative Strategic Priorities
- Enhance loan offerings and quality of client service
- Modernize and increase effectiveness of marketing
- Enhance governance practices

What could take any of these off the rails?

Illustrative Key Stakeholders
- Major funding partners
- Members/donors
- Volunteers
- Clients
- Employees
- Broad Jewish community

What could seriously damage relations with any of these groups?

A Risk Plan Illustration for a Jewish Free Loan Society

Risk Plan Template:
- Risk Register
- Risk Assessments
- Prioritized Action Plans

Risk Plan Template

Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance

Key Control Gaps | Priority to Close | Planned Actions | Completion Date | Person Resp.

Identified risks and potential impact, risk controls and effectiveness, control gaps and action plans

Risk Plan Template (contd)

Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance

- Very likely: Likely to happen multiple times in a year
- Likely: Likely to happen once every year or two
- Unlikely: Could happen once every several years (i.e. 3-5 years)
- Very unlikely: Could happen once in 10+ years

Risk Plan Template (contd)

Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance

- Avoid: Avoid activity that creates risk
- Reduce: Put in place operational policies and procedures to reduce likelihood or potential impact of risk
- Transfer: Contractual arrangements that move risk to external party: insurance, outsourcing with performance guarantees
- Accept: Accept potential impact as likelihood is remote and potential impact not severe based on cost/benefit analysis

Risk Plan Template (contd)

Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance

- Strong: Strong controls in place and fully complied with
- Average: Some key controls in place, some known gaps in compliance or controls
- Weak: Limited or no key controls in place, or complied with

Risk Plan Template (contd)

Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance

- Financial: Access to short term liquidity, long term funding
- Operational: Ability to carry out business activities in short/med term
- Reputation: Reputation and relationship with key stakeholders
- Strategic: Ability to effectively execute on strategic priorities

- High: Significant damage to reputation, severe impact on cash-flow, material drop in long term funding commitments, inability to operate for extended time period
- Moderate: Strained relationship with major funder or majority of donors, moderate decline in cash-flow or funding commitments, inability to operate for shorter periods
- Low: Limited impact in all areas

Risk Plan Template (contd)

Key Control Gaps | Priority to Close | Planned Actions | Completion Date | Person Resp.

- High: Must have; to be addressed quickly
- Medium: Should have; can be addressed with lower priority
- Low: Nice to have; not a priority

An Example Entry

| Risk | Likelihood of Occurrence | Key Existing Risk Controls | Effectiveness of Controls | Potential Impact | W/I tolerance |
|---|---|---|---|---|---|
| Key person risk | Likely | President as backup; Documentation of some procedures | Weak | High (operational) | No |

| Key Control Gaps | Priority to Close | Planned Actions | Completion Date | Person Resp. |
|---|---|---|---|---|
| Procedures not codified | High | Create complete operations manual | Jan 2015 | AB |
| No cross training of staff | High | Implement employee cross-training | Jan 2015 | CD |

Key person risk: risk of losing key executive or admin staff

Risk Register: Financial Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Short term reserves/liquidity | Insufficient cash-flow to cover operational expenses and loan demands | What could cause a material cashflow shortage? Does the agency frequently run at a deficit? |
| Long term funding | Reduction of funding from key partners, loss of key funding partner, loss of donor base or dollars | What could cause a loss of funding from key partner? How long could the agency run with less? How would program offerings be impacted? |
| Capital security / invest. return | Market value losses in reserve funds, or reduced investment income | Does the agency have an appropriate investment policy? Is there appropriate oversight of investments? |
| Loan losses | High losses on loans due to defaults | Does the agency have loan loss experience by type of loan, period of underwriting, other key criteria? Is the agency's underwriting policy sufficient and are procedures followed, for applicants and guarantors? Does the agency have a clear process for managing loans in arrears and is it followed? |

Risk Register: Strategic Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Demand for services offered | Reduced client demand for loans; Material reduction in client base | Is there a size when the agency becomes too little for major funders to bother with? |
| Awareness of agency | Lack of client and referring group awareness of agency services | Is the agency effectively marketing our services to the right groups? Do the clients referred to the agency and seeking loans meet key basic criteria? |

Risk Register: Operational Risks

| Risk | Description | Some things to think about |
|---|---|---|
| Human resources | Adequacy and expertise of staff and Board; Key person risk: Executive Director, President, Chair, Admin staff | What is at risk if an individual wins the lottery? Are policies and procedures documented? Are staff cross-trained? Are volunteers appropriately trained? Is there a code of business conduct and ethics that is signed off on by staff/volunteers? |
| Regulatory and other compliance | Compliance with laws and regulations pertaining to charitable organizations, terms of funding arrangements, internal policies and procedures, Board governing documents | Is there an inventory of all requirements and a mechanism to ensure all complied with? Is there a process to keep abreast of any regulatory/legal changes? |
| Business disruption | Severe weather; Damage to premises; Bomb or other threats | If the office is unavailable or systems are down, can you conduct essential business activities? Is there a set plan to deal with crisis events? |
| Data security | Breach of confidentiality of client data; Loss of critical client, financial or other data | Is there adequate security? Is there appropriate off-site data backup? Is there a response plan should event occur? |

Risk Register: Operational Risks (contd)

| Risk | Description | Some things to think about |
|---|---|---|
| Employee and volunteer safety | Physical harm from threats or security breach | Are employees/volunteers trained for emergency situations? If agency is small, are employees/volunteers meeting alone with potential clients which may be unstable? |
| Outsourcing performance | Non-performance of outsourcing partners | What critical functions have been outsourced? Are there performance guarantees, and is performance monitored? What would happen if outsourcing partners not able to operate? Has a risk assessment of outsourcing partners been done? |
| Fraud and theft | Staff or volunteer theft, Client fraud | What controls are in place to minimize this risk? What can be done to minimize impact in the event of fraud? |
| Relationship with key partners | Breakdown in communications, non-delivery of requirements, reputational damage | How does the agency ensure these remain strong? Have there been any issues in past? Do staff/volunteers know who can speak for the agency? |
| Governance | Ineffective oversight by Board/Executive Committee | Does the Board feel they have enough knowledge and information to effectively oversee operations and strategic priorities? Is there an effective mechanism for making key decisions? |

Concluding Messages

- Well run non-profits are expected to have strong governance practices and effective risk management oversight
- Jewish Free Loans may want to institutionalize risk management policies and procedures and prepare a risk plan as a first step; the journey will be as important as the destination
- You will become more effective and efficient, face fewer negative surprises and be better positioned to successfully deliver on your strategic objectives