By Sarah Ahmed, CPA, CMA
Why Create a Risk Register?
Creating a Risk Register in a small or mid-sized association may seem like a daunting task which will provide little or no value to internal and external stakeholders. Staff are usually so busy keeping up with their day-to-day activities that there is no time to create a document likely to gather dust on a shelf or sit in a network drive. One could argue that all major risks common to associations are mitigated anyway by the purchase of general liability, property, crime, and directors and officers insurance. The risk of injury to employees is mitigated by Workers’ Compensation insurance. The risk of wrongful dismissal of employees is mitigated by human resources policies which require formal, annual performance reviews, documentation of employee conduct and written plans to assist them in improving their performance. So the question is, why bother investing time and resources to create a separate document which simply lists the risks and describes what we are doing about them?
By involving managers and staff at all levels in identifying, assessing and mitigating the risks which are relevant to your association, you will raise the consciousness of not only the gaps in the treatment of risks, but where you are already employing best practices to mitigate risks. By assigning roles and responsibilities from the Register to specific individuals, you will increase their engagement and sense of accountability.
The creation of a Risk Register is also an opportunity to show the association’s governing board, external partners and auditors that management and staff are proactively managing risks instead of reacting to them “on the fly” as they occur. The exercise may reveal that the association is too risk averse and is missing opportunities for growth, or that it takes unnecessary risks by not following best practices. It could also validate that, overall, your association is a low-risk and very well managed organization.
How to Create a Risk Register
• Present the concept of the Register to a Risk Management Committee and/or the governing board to ensure they understand its value to the association and to obtain their support for the project.
• Ensure that the Risk Register management/staff team are aware of the association’s current strategic mission, vision and goals. These are critical in determining the relevant risks so that time is not wasted on any other risks. For example, if part of your strategic mission is to protect the public by regulating professionals, then a relevant risk in the area of registration would be, “the failure to register competent professionals.”
• Obtain input from all managers and staff who can identify the risks in their own areas first and then come to the table as a group to discuss them. You and your staff can conduct environmental scans or survey other similar organizations in the sector to obtain relevant risks and mitigation strategies.
• After identifying risks in all areas of the organization, managers and staff can determine their likelihood, impact and tolerance. The risks for which there is moderate, low or zero tolerance are the ones which require mitigation practices and resources. There are a number of resources on the internet which provide useful templates of risk tolerance grids.
• Assign roles and responsibilities to one or more groups of managers and employees for addressing each risk to ensure there is accountability in the process.
• Have the Chief Staff Officer (CSO) review the entire Register as a whole to confirm that all key risk areas are identified and addressed.
• Present the completed Risk Register to the Risk Management Committee and/or the governing board to obtain their approval to adopt it.
Examples of Risk Categories:
All associations are unique, but some of the potential categories of risk which could be examined are:
• Legal/Regulatory: e.g. non-compliance with federal or provincial legislation and regulations
• Financial: e.g. asset losses due to misappropriation of funds, fraud and non-compliance with budget restrictions
• Core Business Processes: e.g. lack of relevant policies in registration, member services or communications
• Human Resources: e.g. non-compliance with federal or provincial labour laws, incomplete personnel policies or poorly written employment contracts
• Technological: e.g. lack of identification of long-term IT needs, inadequate security for data, etc.
• Strategic: e.g. failure to capitalize on opportunities or respond to threats in a timely manner
We can use a few examples to illustrate how the Register can actually be created. In the “Legal/Regulatory” category, the association could address:
Risk: Not complying with federal or provincial legislation and regulations.
Description of Risk Event: An association could lose its not-for-profit status if the Canada Revenue Agency deems that the entity is operating for a profit and is accumulating funds without a specific purpose.
Risk Rating for Likelihood of Occurrence (where 1 = Rare, 2 = Unlikely, 3 = Moderate, 4 = Likely, 5 = Almost certain): 1. Assume that it would be a rare event that membership fees are so high that large surpluses are generated for a few successive years.
Risk Rating for Impact of Occurrence (where 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic): 4. Assume that if the NPO status is revoked, the impact on the association would be major because it would become a taxable entity.
Risk Tolerance (where tolerance for the risk can be classified as High, Moderate, Low or Zero): Low; assume that there is low tolerance for this type of risk for the association due to the impact described above.
Current Treatment and Mitigation: Review the association’s history of accumulating surpluses and the uses of those surpluses. Generally speaking, net income or operating surpluses are used to ensure sufficient reserves are in place to meet strategic goals. A typical amount retained in reserves is 4-6 months of operating expenses. Any excess reserves beyond that should be designated for a specific purpose. At no time should surpluses be used to enrich the membership. This review exercise should be done each year to ensure the association is not at risk of losing its NPO status.
Responsible Group: CSO and Controller.
In the “Financial” category, the association could address:
Risk: Lack of sound financial management and risk of loss due to weak internal controls.
Description of Risk Event: An association could suffer losses as a result of fraud or misappropriation of funds by the Controller and the override of controls by the CSO.
Risk Rating for Likelihood of Occurrence (where 1 = Rare, 2 = Unlikely, 3 = Moderate, 4 = Likely, 5 = Almost certain): 1. Assume that it would be a rare event that the Controller would steal funds from the association’s bank account or that the CSO would override controls to benefit him/herself.
Risk Rating for Impact of Occurrence (where 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic): 4. Assume that if the Controller and/or CSO were to steal funds, the impact on the association would be major as the public, members, governing Board, external partners and other staff would lose confidence in the association until they are replaced.
Risk Tolerance (where tolerance for the risk can be classified as High, Moderate, Low or Zero): Zero; assume that there is no tolerance for this type of risk for the association due to the impact described above.
Current Treatment and Mitigation: Describe the existing segregation of duties within the association; i.e. does the CSO review and sign bank statements prior to the Controller seeing them to ensure that all cash transactions are reasonable? Does the Board President sign all cheques pertaining to the CSO’s expenses? Is there an annual financial audit which includes a review of all internal controls?
Responsible Group: Governing Board, CSO and Controller.
Vision for the Risk Register Moving Forward
• Ensure that the Register is reviewed by managers and staff on a regular basis to reassess the likelihood and impact of the existing risks, and to determine whether there are new risks based on changes in the environment.
• Present the Register to the Risk Management Committee and/or governing Board annually to provide them with assurance that the risks and mitigation strategies are being reviewed. This is important because they cannot be present at the association on a daily basis.
• Use the Register as an education tool for the governing Board, managers and staff to review best practices in all areas and to reinforce the fact that it is a risk-aware association.
• Employ the current treatment, mitigation tactics and additional treatments in upcoming work plans for managers and staff.
• Convey to managers and staff that documentation in the Register itself and ongoing updates will ensure that the association continually strives to mitigate risk; even with staff turnover the Register will ensure that best practices continue and that roles and responsibilities are assigned.
Sarah Ahmed, CPA, CMA. Sarah Ahmed is the Controller at the College of Dietitians of Ontario (CDO). Since 1993, CDO has regulated the profession of dietetics in Ontario in order to protect the public. It meets this mandate by regulating and supporting over 3,800 Registered Dietitians (RDs) for the enhancement of safe, ethical and competent nutrition services in diverse practice environments. It recently developed a Risk Register which will be used proactively by all of its staff.