Overview of Risks & Internal Controls for NGOs
Why understand risk management
Risk is now a must-discuss topic in the NGO-funder relationship; the idea is to understand how NGOs can identify, capture and manage risks.
Good risk management is (a) basic to an effective organisation and (b) ensures better delivery of services to the community.
Fundamental concepts in organisational risk management: risk appetite (willingness to take risk to achieve objectives) and risk tolerance (ability or boundary to take risk/acceptable deviation from risk appetite). Risk appetite is about "taking risk" and risk tolerance is about "controlling risk".
Risk appetite denotes the risk profile at the aggregate level, while risk tolerance applies at the activity level, i.e. on a case-by-case basis.
Risk management is how to bridge the gap between risk appetite and tolerance.
Understand the need for internal controls commensurate with risks.
Why risk management is important for NGOs
Financial stability
Operational Efficiency
Compliance Management
Disciplined Planning
Informed decision making
Reputation Management
Building Trust
Improved communication
Long term Impact and Sustainability
Key concepts
Threat: A danger in the environment, a potential cause of harm, e.g. legislative changes, technology, competition, inflation, globalisation etc.
Risk: The probability and potential impact on achievement of objectives while encountering a threat.
Internal risks: personnel issues, technology issues etc. within the organization.
External risks: economic, political, legal, act of God etc. in the external environment.
Residual risk: The risk which inevitably remains after all reasonable mitigation measures have been taken.
No organization is completely free from risks. The environment will always contain risks.
Risk management/mitigation: Organizational practices, procedures and policies (P&Ps) that reduce the probability of risks being realized and limit harmful consequences.
Enterprise/Integrated Risk Management (ERM): An organizational management approach that considers, combines, and prioritizes assessed risks in all risk areas (security, fiduciary, operational, informational, and reputational) in order to strategize and implement mitigation measures.
Risk mitigation is risk reduction; risk cannot be made zero.
No organisation is completely risk-free.
Types of risks facing organisations
Ethical risk: due to unethical behaviour
Operational risk: inability to achieve objectives, capacity/competence gaps, financial/funding constraints, access constraints
Safety risk: accident/illness
Financial risk: improper financial planning and management
Reputational risk: image and reputation
Security risk: violence/crime
Fiduciary risk: breach of trust like corruption/fraud/theft/diversion
Legal/compliance risk: violating laws or regulations
Information risk: data breach/loss, digital risk, systems breach
Competition risk: competitors take your market for goods/services
Risk Management Policy: Need
Donor audits/due diligence by prospective donors
Need to instil a sense of identifying, understanding and addressing risks in the organisation as it grows
Create awareness about risk mitigation strategies when faced with risks in our respective areas of work.
Staff embrace and own risk management process
Act as a tool for governance and control
Risk Management Process
Risk universe analysis
Risk identification
Risk assessment: risk assessment matrix based on likelihood and impact of identified risks
Prioritise risks to be taken up for mitigation
Risk response: risk registers with roles and responsibilities of staff
Monitoring
Reporting
Internal Controls
Business practices that serve as "checks and balances" on internal stakeholders (staff/key functionaries) and/or external stakeholders (vendors) in order to reduce the chance or effect of risk.
Internal controls are mechanisms or procedures or rules to mitigate or reduce the risks and loss to an acceptable level.
Internal controls are of 3 types:
a. Preventive controls: in place to prevent adverse events
b. Detective controls: detect an error/problem after it has occurred, e.g. internal audits, reconciliations, physical inventorying
c. Corrective controls: based on the error detected
Why Have a Risk Management Policy?
Required for donor audits or due diligence.
Builds awareness and culture of risk understanding.
Encourages staff ownership.
Acts as a governance tool.
Risk Management Process
Risk Universe Analysis
Risk Identification
Risk Assessment (Matrix of likelihood vs. impact)
Prioritise Risks
Risk Response (Maintain Risk Registers)
Define Staff Roles
Monitor and Report
Internal Controls
“Checks and balances” on staff, vendors, and processes.
Types:
Preventive: To stop errors before they happen.
Detective: Identify issues after they happen (e.g., audits, reconciliations).
Corrective: Fix issues post detection.
Benefits and Limitations of Internal Controls
Benefits:
Early warning system
Prevents fraud
Avoids external audit findings
Avoids statutory and regulatory penalties and actions
Limitations:
Collusion
Human error
Unforeseen circumstances
-
Key Areas of Internal Controls in NGOs
The below Internal Controls can be grouped into one of the following buckets:
(a) Financial Controls
(b) Operational Controls
(c) Compliance Controls
The below are illustrative but not exhaustive and discussed in following slides:
Legal compliance
Governance
Budget and Budgetary Controls
Income
Expenditure
Purchase/Procurement
Human Resource Management
Assets/Inventory Management
Accounting
Cash and Bank
Donor Reporting
Program Implementation
1. Internal Controls around Legal compliance
Statutory and regulatory compliance: difference
All applicable statutory registrations are in order and valid (entity registration, 12AB, 80G, PAN, TAN, FCRA, NGO Darpan, MCA, EPF, ESIC, PT, Shops & Establishments Act etc).
All annual/periodic regulatory filings up to date (ITR, TDS, EPF, ESI, PT, ROS/ROC etc).
Proactively check adverse proceedings/pending matters under various laws.
Aware that a statute or rule applies to NPOs.
Continued education/awareness/knowledge for changes happening in statutory and regulatory landscape.
2. Internal Controls around Governance
Board has fiduciary (manage assets/resources for someone) duties/responsibilities.
Governance structure as per bye laws/rules.
Meetings as per bye laws, proceedings documented as minutes of meeting.
Changes notified & approvals obtained from statutory bodies.
Board to put in place risk management/mitigation system.
All statutory and other business as per timeline after proper scrutiny and review.
Legal action against/violations by board members.
Section 13 disallowances for transactions with board members.
Approval of P&Ps and sub committees.
3. Internal controls around Budgeting & Budgetary Controls
What is a budget?
How budget helps organisation in planning and execution of grant projects.
What are budgetary controls: process, periodicity, ownership of program and finance teams.
Course correction/Budget revision to address deviation/variance (favorable or adverse).
4. Internal controls around Grants and other Incomes
Grant funds credited in designated Bank account.
Grant: proper safety and record keeping.
Treatment of interest.
Periodic grant reconciliation.
Segregation of duties in Finance.
Issuance of money receipt and donation certificate to donor.
Timely reporting.
Proper receipt and recording of income other than grants, which includes rent, interest, incidental business activity etc.
5. Expenditure
Programme Expenditure or Administrative Expenditure
Revenue or Capital Expenditure
Head Office Expenditure or Field Level Expenditure
Internal Controls around Expenditure
Expenditure plan aligned with field requirement and project plan.
Monitoring to prevent misappropriation/excessive spend/fraud.
Qualified finance staff to avoid inaccurate/delayed payments.
Proper recording of transactions, report and invoices.
Tracking over-utilisation and under-utilisation of expenses under budget head for donor budgets for reallocation/realignment.
Proper filing/documentation (bills, vouchers, invoices).
6. Internal Controls around Purchase/Procurement
Procurement is the act of buying or obtaining goods/services. It includes preparation and processing of a demand until the end receipt is obtained and payment is approved and released.
Procurement process cycle.
Internal Controls around Purchase/Procurement
Initiate procurement after checking budget provision.
Identify vendors after proper assessment.
Vendor database.
Obtaining appropriate bids/tenders.
Competitive bids for price discovery.
Proper scrutiny of bids by the PC.
Terms and conditions in PO/contract.
Issue of Purchase Orders (PO) by authorized staff only.
Accurate and complete information in the PO.
Procurement tracker.
7. Human Resource (HR) Management
Management of people who work in an organization is HR Management.
Need to manage HR:
For better management of an organization.
For better performance and results.
For better resource mobilization and funding for the organization.
Controls around HR Management
HR Planning
Recruitment of staff as per JD
Proper orientation for new recruits
Avoid conflicts of interest
Nepotism
Identification of capacity building needs and training of HR
Objective performance appraisal
Proper handing over for exiting employee
Discontinue access to database for resigned employee
Maintaining employee personal information
Salary structure
Grievance and complaints mechanism
Compliance with social security laws for employees
Budget Controls
Understand budgeting purpose and process
Monitor variances
Allow for course correction
Grants and Income Controls
Designated bank account
Grant reconciliation
Maintain donation records
Accurate reporting
Expenditure Controls
Match spending to project plans
Qualified finance team
Track utilisation
Maintain bills/vouchers
Procurement Controls
Procurement Steps:
Define specifications
Budget allocation
Appoint purchase team
Research suppliers
Solicit bids
Evaluate bids
Issue purchase orders
Receive and inspect goods
Approve invoice and pay
Controls:
Check budget
Vendor vetting
Maintain vendor database
Transparent bidding
Accurate POs
Use procurement tracker
HR Management Controls
HR planning
JD-based hiring
Proper induction
Avoid nepotism
Capacity building
Performance appraisals
Exit procedures
Social security compliance
Fixed Asset & Inventory Controls
Policies for asset/inventory
Annual verification
Maintain registers and ID marks
Remove disposed assets from records
Accounting Controls
Accurate book-keeping
Use of accounting software
Compliance with rules
8. Fixed Assets & Inventory Management
A fixed asset (FA) is an item of economic value which has a life of more than 1 year.
Inventory refers to items such as consumables, durables that are normally consumed within a year.
Controls around Fixed Assets & Inventory
Asset & Inventory management section in finance policy.
Indent for assets and consumables based on need and budget.
Purchase approved by PC and as per grant budgets.
Specification of assets/inventory captured in PO.
Annual verification of fixed assets and consumables.
FA Register, Asset Identification No. marking on assets.
Assets which are disposed of are removed from FA Register.
Stock Register of consumables.
Sale of FC assets.
Disposal of building, land or higher value assets after Board approval and treatment of CG.
9. Internal Controls around Accounting
Accounting is the process of recording, summarizing, analyzing and reporting financial transactions.
Areas of internal control in accounting:
Compliance with new Rule regarding maintenance of books of accounts.
Compliance with new Rule regarding maintenance of Other documents.
Accounting Software
Controls in accounting:
Accuracy
Standard formats for recording
Evidence and supporting documents
Complete and transparent
Audit
10. Controls around Cash and Bank transactions
Cash is kept in cash box (fixed to wall).
Reduce cash transactions and use online options/universal banking.
Cash vouchers numbered and Receipts duly signed by receiver and approved.
Dual signatory.
Monthly bank reconciliation.
Control on cash transactions.
Signatories per delegation.
Update KYC of signatories.
Promote online banking.
11. Controls around Donor compliances
Timely and accurate preparation of reports.
Activities are in line with activity schedule.
Data properly collected with reference to objectives/goals of the program.
Donor reporting guideline and formats are adhered to.
12. Controls around Program Implementation
Project Implementation plan carried out as per proposal.
No/minimal mismatch between LFA and budget.
Impact of adverse events is effectively monitored.
Program implementation is effectively monitored in audit.
Appropriate tools of assessment are used.
Data presentation is properly done.
Outcome of program is properly reported.
Concept of Efficiency & Effectiveness
In non profits, efficiency refers to maximizing impact with available resources, while effectiveness assesses whether the NGO achieves its stated goals and outcomes.
Efficiency focuses on how resources are used while effectiveness focuses on the results achieved.
Efficiency measures the degree to which an organization can convert inputs (funds, time, manpower) into intended outputs (programs, services, people served).
It emphasizes minimizing waste and maximizing value for each unit of resource invested.
Effectiveness assesses whether an NGO is achieving its stated goals and objectives, and whether it's making a significant difference in its area of operation.
It assesses outcomes and impact, including whether lives are being improved and problems are being solved.
Examples: Tracking progress toward goals, measuring outcomes, and evaluating long-term impacts are ways to assess effectiveness.