Charity Insurance
-
Upload
the-oval-group -
Category
Documents
-
view
223 -
download
0
description
Transcript of Charity Insurance
Like all organisations charities and not for profit organisations handle risk daily whether it is organisational planning to meet objectives, operational matters such as running shops, online activities and the like, safeguarding the charity and its beneficiaries from harm, or organising and running fundraising events.
The Charity Commission requires charities to include a risk management statement in Trustees’ Annual Reports which means that charities need to consider risk and its management in a more structured way if a positive statement is to be made in the Annual Report.
Furthermore, the Charity Commission states that “no matter what size they are, charities should take a systematic approach to the consideration and management of risk”.
http://www.charity-commission.gov.uk/Charity_requirements_guidance/Charity_governance/Managing_risk/default.aspx
What is ‘risk’ and risk management?
There are many definitions of ‘risk’ available and they revolve around an occurrence which impacts on the delivery of an objective. Risk management therefore looks at how risks can be eliminated, avoided, reduced, transferred or accepted by an organisation.
At a more strategic level the Board and Senior Management Team can view risk management as how you:
• Identify and anticipate problems that will stop you achieving your objectives
• Manage the risks your organisation presents to the public, your employees and volunteers, and your trustees
• Maintain the trust and confidence of internal and external stakeholders by running a successful and ethical organisation
• Work within existing budgets to meet your objectives and create financial stability and viability
• Demonstrate that you are a competent organisation in terms of management, trust management and financial management amongst other areas
How do you start to consider risk management?
The International Organisation for Standardisation (ISO) standard 31000 sets out a recommended route that starts with a mandate and commitment from the Board for risk management to be embedded across an organisation. Then a framework for risk management is designed and implemented, followed by the implementation of risk management itself. Finally, the usual continuous improvement processes are embedded to ensure that the approach is maintained and updated regularly.
Whilst this is undoubtedly an excellent way to proceed it may seem elaborate for some organisations and it may put others off moving risk management forward for fear of the time and commitment involved.
March 2013
Introducing Strategic Risk Management
Oval Charities
Mandate and Commitment
Design of Framework• Organisationandcontext• RiskManagementpolicy• Embeddingriskmanagement
Implementation• Implementframework• Implementrisk management process
Monitor and Review
Improve
An alternative route could be to jump into identifying, evaluating and treating risk to provide your organisation with an idea of what risks you face. Whilst not ideal it can be potentially an easier way into the process and provide you with ammunition to take to your Board should you need something more evidence-based and specific to your organisation.
The image opposite sets out this process.
Whether you want to follow the ISO 31000 approach or jump straight into risk assessment, Oval Charities can help you. Our practical and experience led approach will provide you with the confidence and expertise to tackle this complicated issue.
As an example of our more practical approach, the table below expands and explains the graphic above:
Co
mm
un
icat
e an
d C
on
sult
EstablishContext
Mo
nito
r and
Review
Risk
Risk Analysis
RiskEvaluation
Risk Assessment
Risk Treatment
Content
EstablishContext
Risk Assessment
Risk Identification
Risk Analysis
RiskEvaluation
Risk Treatment
Communicate and Consult
Monitor and Review
Identify what area of the organisation in which you want to identify and evaluate risks. This could be the organisation as a whole, a particular project or operational area.
The process to be used to determine the risks and how great they are to the organisation.
Identify the risks that will impact on the context selected. It is useful to think of these under headings such as financial risk, operational risk, external risk, internal risk, legislative risk and regulatory compliance, as well as if relevant, major projects.
Method used to determine the importance of a risk. It is important to understand an organisation’s financial capacity to bear risk (often called risk tolerance) and its willingness (often called appetite) to take on risk.
See examples below of how to consider risk likelihood and impact, as well as a sample risk matrix.
Although some risks are significant, some can be successfully managed to bring them down to a lower impact level. It is important to evaluate how/to what extent existing controls are reducing the risk item.
Consider whether there are additional actions and controls that can be taken to further reduce the risk for the organisation.
Communication about risk management activities, issues and actions should be made regularly to stakeholders.
Continuous process needs to be adopted to make sure that the risks remain relevant and significant enough to the organisational context to warrant actions being taken. New risks should be added and controlled risks that are reduced to a low risk status, should be removed.
Organisation strategy, aims, and objectives may be the best place to start.
None.
Brainstorming and questionnaires about key risks are commonly used to assist with risk identification, as well as looking at historical problems and considering future strategic and operational changes.
Usually divided between frequency/likelihood of risk occurring and severity/impact if the event does occur on the context reviewed.
Commonly used processes involve risk matrices that divide these two areas into scoring mechanisms e.g. High/Medium/Low and 1-5 after which each risk is plotted on a matrix.
Often the initial risk analysis is reduced by the effect of existing control of the risk in a designated column.
An additional ‘controls’ column can be added to note actions. Such actions should be allocated to a senior person and deadlines for implementation shown.
Initially a briefing document explaining why risk management is important and what the organisation is doing should be issued, followed by regular updates highlighting issues and actions.
An agreement should be reached for different people within the organisation to review their risks on a regular/agreed basis and report to the Risk Committee, who should ensure that the risk matrix is maintained and up to date.
Explanation Practical Advice
ExampleofStrategicRiskRegister–ImpactAnalysis
ExampleofStrategicRiskRegister–LikelihoodAnalysis
Score 1
Highly Unlikely
Previous experience at this and other similar organisations makes this outcome highly unlikely to occur. There are effective, tested and verifiable controls in place that prevent occurrences of this risk.
Score 3 Possible
The charity has in past experienced problems in this area but not in the last three years. Some controls are in place and generally work but there have been occasions when they have failed and problems have arisen.
Previous experience discounts this risk as being likely to occur but other organisations have experienced problems in this area. There are controls in place that whilst not tested appear to be effective.
Score 2 Unlikely
The charity has experienced problems in this area in the last three years. Controls may be in place but are generally ignored or ineffective.
Score 4 Very Likely
The charity trust is experiencing problems in this area or expects to in the next 12 months. No controls in place.
Score 5 Definite
Score 1
Negligible
Little or no financial impact (less than £5,000). Trust Services are not disrupted. No impact on the delivery of the corporate objectives.
No loss of confidence and trust in the charity.
Score 3 Medium
The financial impact would result in losses or a loss income of no greater than £100,000. Regular disruption to the activities for one or more service. A number of corporate objectives would be delayed or not delivered.
A general loss of confidence in the organisation within the local community.
The financial impact would be losses or a loss income of no greater than £25,000. Some temporary disruption to the activities of one service but not beyond this. It may cost more, or there may be a delay in delivering one of the organisation’s corporate objectives.
Some loss of confidence in the organisation felt by a certain group or within a small geographical area.
Score 2 Low
The financial impact would result in losses or a loss income of no greater than £500,000. Severe service disruption on a departmental level or regular disruption affecting more than one department. Many corporate objectives delayed or not delivered.
A major loss of confidence in the organisation within the local community.
Score 4 High
The financial impact would be greater than £500,000. Severe disruption to the activities of all departments. Unable to deliver most objectives.
A disastrous loss of confidence in the organisation both locally and nationally.
Score 5 Very High
Our ideas around how likelihood and impact can be approached are included here.
Would you like to talk?If you have any questions or would like to explore how you can make your insurance work harder for your organisation, we’re here to help.
Please speak to your usual Oval contact or alternatively call Alyson Pepperill, Head of Oval Charities on:
07824 492665
Or drop her an email at: [email protected]
Oval Insurance Broking LimitedRegistered Office: 9 South Parade, Wakefield, WF1 1LRRegisteredinEnglandNo:01195184Authorised and regulated by the Financial Services Authority
www.theovalgroup.com
Sample Risk Matrix on a 1-5 scoring basis
Finally once the process has been applied you will be able to formulate your organisational risk map. The sample below provides you with an idea of how this might reflect your risks.
This matrix enables an organisation to see at a glance which risks may be catastrophic to an organisation and which require action to reduce, transfer or retain such risks as a matter of urgency.
Most recently the so-called ‘Black Swan’ or ‘out of the blue’ risks have been much discussed within the risk fraternity. These would generally sit on most risk registers under likelihood 1 but impact 5 and as such recorded as only ‘Possible Action’ on the above. In the light of the numerous recent issues with such risks many organisations now colour 5 impact and 1 and 2 likelihood boxes ‘red’ or add an additional multiplication factor to take this into account which moves the usual 5/1 risk up to 5/3 so that it is addressed.
5
4
3
2
1
Possible Action 5
Action 10 Unacceptable Action Now 15
Unacceptable Action Now 20
Unacceptable Action Now 25
Unacceptable Action Now 20
Unacceptable Action Now 15
Action 10
Possible Action 5
Unacceptable Action Now 16
Action 12
Action 8
Possible Action 4
Action 12
Action 9
Possible Action 6
Possible Action 3
Action 8
Action 6
Action 4
Action 2
Possible Action 4
Possible Action 3
Possible Action 2
Possible Action 1
1 2 3 4 5
Impact
Like
liho
od