Overview of Risks & Internal Controls for NGOs

Risks is a must discussion now in NGO-funder relationship, idea is how to understand, capture and manage risks by NGOS.

Good risk management is (a) basic to an effective organisation and (b) ensures better delivery of services to community.

Fundamental concepts in organisation risk management- risk appetite (willingness to take risk to achieve objectives) and risk tolerance (ability or boundary to take risk/acceptable deviation from risk appetite). Risk appetite is about "taking risk" and risk tolerance is about "controlling risk".

Risk appetite denoted risk profile at aggregate level while risk tolerance is at activity level i.e. on case by case basis.

Risk management is how to bridge the gap between risk appetite and tolerance.

Understand the need for internal controls commensurate with risks.

Threat: A danger in the environment, a potential cause of harm. e.g. legislative changes, technology, competition, inflation, globalisation etc.

Risk: The probability and potential impact on achievement of objectives while encountering a threat.

Internal risks: personnel issues, technology issues etc within the organization.

External risks: economic, political, legal, act of God etc. in external environment.

Residual risk: The risk which inevitably remains after all reasonable mitigation measures have been taken.

No organization is completely free from risks. The environment will always contain risks.

Risk management/mitigation: Organizational practices, procedures and policies (P&Ps) that reduce the probability of risks being realized and limit harmful consequences.

Enterprise/Integrated risk Management (ERM): An organizational management that considers, combines, and prioritizes assessed risks in all risk areas (security, fiduciary, operational, informational, and reputational) in order to strategize and implement mitigation measures.

Risk mitigation is risk reduction, it cannot be made zero.

Ethical risk: due to unethical behaviour

Operational risk: inability to achieve objectives, capacity/competence gaps, financial/funding constraints, access constraints

Safety risk: accident/illness

Financial risk: improper financial planning and management

Reputational risk: damage to image and reputation

Security risk: violence/crime

Fiduciary risk: breach of trust like corruption/fraud/theft/diversion

Legal/compliance risk: violating laws or regulations

Information risk: data breach/loss, digital risk, systems breach

Competition risk: competitor take your market for goods/services

Donor audits/due diligence by prospective donors

Need to instil a sense of identifying, understanding and addressing risks in the organisation as it grows

Create awareness about risk mitigation strategies when faced with risks in our respective areas of work.

Staff embrace and own risk management process

Act as a tool for governance and control

Prioritise risks to be taken up for mitigation

Risk Response-Risk Registers with Roles and responsibilities of staff

Monitoring

Reporting

Business practices that serve as "checks and balances" on internal stakeholders (staff/key functionaries) and/or external stakeholders (vendors) in order to reduce the risk.

Internal controls are mechanisms or procedures or rules to mitigate or reduce the risks and loss to an acceptable level.

Internal Controls are of 3 types-

a. preventive controls: in place to prevent adverse events

b. detective controls: detect error/problem after it has occurred-internal audits, Reconciliations, physical inventorying

c. Corrective controls-based on error detected

Early warning system

Prevents fraud

Avoids external audit findings

Avoids statutory and regulatory penalties and actions

Limitations

The below Internal Controls can be grouped into one of the following buckets:

(a) Financial Controls

(b) Operational Controls

(c) Compliance Controls

The below are illustrative but not exhaustive and discussed in following slides:

• Legal compliance

• Governance

• Budget

• Income

• Expenditure

• Purchase/Procurement

• Human Resource Management

• Assets/Inventory Management

• Accounting

• Cash and Bank

• Donor Reporting

• Program Implementation

Statutory and regulatory compliance-difference

All applicable statutory registrations are in order and valid (entity registration, 12AB, 80G, PAN, TAN, FCRA, NGO Darpan, MCA, EPF, ESIC, PT, Shops & Establishments Act etc).

All annual/periodic regulatory filings upto date (ITR, TDS, EPF, ESI, PT ROS/ROC etc).

Proactively check adverse proceedings/pending matters under various laws.

Aware that a statute or rule applies to NPOS.

Continued education/awareness/knowledge for changes happening in statutory and regulatory landscape.

Board has fiduciary (manage assets/resources for someone) duties/responsibilities.

Governance structure as per bye laws/rules.

Meetings as per bye laws, proceedings documented as minutes of meeting.

Changes notified & approvals obtained from statutory bodies.

Board to put in place risk management/mitigation system.

All statutory and other business as per timeline after proper scrutiny and review.

Legal action against/violations by board members.

Section 13 disallowances for transactions with board members.

Approval of P&Ps and sub committees.

What is a budget?

How budget helps organisation in planning and execution of grant projects.

What is Budgetary Controls-process, periodicity, ownership of program and finance teams.

Course correction/Budget revision to address deviation/variance (favorable or adverse).

Grant funds credited in designated Bank account.

Grant-proper safety and record keeping.

Treatment of interest.

Periodic grant Reconciliation.

Segregation of duties in Finance.

issuance of money Receipt and donation certificate to donor.

Timely reporting.

Proper receipt and recording of income other than grants which include rent, interest, incidental business activity etc.

Programme Expenditure or Administrative Expenditure

Revenue or Capital Expenditure

Head Office Expenditure or Field Level Expenditure

Expenditure plan aligned with field requirement and project plan.

Monitoring to prevent misappropriation/excessive spend/fraud.

Qualified Finance Staff to avoid inaccurate/delay in payments.

Proper recording of transactions, report and invoices.

Tracking over-utilisation and under-utilisation of expenses under budget head for donor budgets for reallocation/realignment.

Proper filing/documentation (bills, vouchers, invoices).

Procurement is act of buying or obtaining goods/services. It includes preparation and processing of a demand until the end receipt is obtained and payment is approved and released.

Procurement process cycle.

Initiate procurement after checking budget provision.

Identify vendors after proper assessment.

Vendor database.

Obtaining appropriate bids/tenders.

Competitive bids for price discovery.

Proper scrutiny of bids by the PC.

Terms and conditions in PO/contract.

Issue of Purchase Orders (PO) by authorized staff only.

Accurate and complete information in the PO.

Procurement tracker.

Management of people who work in an organization is HR Management.

Need to manage HR:

• For better management of an organization.

• For better performance and results.

• For better resource mobilization and funding for the organization.

HR Planning

Recruitment of staff as per JD

Proper orientation for new recruits

Avoid Nepotism

Identification of capacity building needs and training of HR

Objective performance appraisal

Proper handing over for exiting employee

Discontinue access to database for resigned employee

Maintaining Employee personal information

Salary structure

Grievance and complaints redressal mechanism

Compliance with social security laws for employees

FA is item of economic value which has a life of more than 1 year.

Inventory refers to items such as consumables, durables that are normally consumed within a year.

Asset & Inventory management section in finance policy.

Indent for assets and consumables based on need and budget.

Purchase approved by PC and as per grant budgets.

Specification of assets/inventory captured in PO.

Annual verification of fixed assets and consumables.

FA Register, Asset Identification No. marking on assets.

Assets which are disposed off are removed from FA Register.

Stock Register of consumables.

Sale of FC assets.

Disposal of building, land or higher value assets after Board approval and treatment of CG.

Accounting is the process of recording, summarizing, analyzing and reporting financial transactions.

Area of internal control in accounting-

• Compliance with new Rule regarding maintenance of books of accounts.

• Compliance with new Rule regarding maintenance of Other documents.

• Accounting Software Controls in accounting:

  • Accuracy

  • Standard formats for recording

  • Evidence and supportings

  • Complete and transparent

  • Audit

Cash is kept in cash box (fixed to wall).

Reduce cash transaction and practice online options/universal banking.

Cash vouchers numbered and Receipts duly signed by receiver and approved.

Dual signatory.

Monthly bank reconciliation.

Control on cash withdrawal transactions.

Signatories per delegation.

Update KYC of signatories.

Promote online banking.

Timely and accurate preparation of reports.

Activities are in line with activity schedule.

Data properly collected with reference to objectives of program.

Donor reporting guideline and formats are adhered to.

Project Implementation plan carried out as per proposal.

No/ minimal mismatch between LFA and budget.

Impact of adverse events are effectively monitored.

Program implementation is effectively monitored in audit.

Appropriate tools of assessment are used.

Data presentation is properly done.

Outcome of program is properly reported.

In non profits, efficiency refers to maximizing impact with available resources, while effectiveness assesses whether the NGO achieves its stated goals and outcomes.

Efficiency focuses on how resources are used while effectiveness focuses on the results achieved.

Efficiency measures the degree to which an organization can convert inputs (funds, time, manpower) into intended outputs (programs, services, people served).

It emphasizes minimizing waste and maximizing value for each unit of resource invested.

Effectiveness assesses whether an NGO is achieving its stated goals and objectives, and whether it's making a significant difference in its area of operation.

It assesses outcomes and impact, including whether lives are being improved and problems are being solved.

Examples: Tracking progress toward goals, measuring outcomes, and evaluating long-term impacts are ways to assess effectiveness.