Risks and Control
Session Layout:
-
Rationale for Risk management
-
Key concepts relating to risk
-
Risk Management Policy
-
Concept of Internal Controls
-
Areas for internal controls in an NGO
Why understand risk management
-
Risks discussed in NGO-funder relationship, idea is how to understand, capture and manage risks on part of NGOs
-
Good risk management is (a) basic to an effective organisation and (b) ensures better delivery of services to the community.
-
Understand risk appetite (willingness to take risk to achieve objectives) and risk tolerance (ability or boundary to take risk) in an organisation. Risk appetite is about “taking risk” and risk tolerance is about “controlling risk”. Risk appetite is at aggregate level while risk tolerance is at activity level.
-
Risk management is how to bridge the gap between risk appetite and tolerance
-
Understand acceptable internal controls
Key Concept:
-
Threat: A danger in the environment, a potential cause of harm. e.g. legislative changes, technology, competition, inflation, globalisation etc
-
Risk: The probability and potential impact on achievement of objectives when encountering a threat.
-
Internal risks: personnel issues, technology issues etc within the organisation.
-
External risks: economic, political, legal, act of God etc. in external environment
-
- Residual Risk: The risk which inevitably remains after all reasonable mitigation measures have been taken.
No organisation is completely free from risks. The environment will always contain risks.
Types of risks facing Organisations
-
Ethical risk: due to unethical behaviour
-
Operational risk: inability to achieve objectives, capacity/competence gaps, financial/funding constraints, access constraints
-
Financial risk: improper financial planning and management
-
Reputational risk: damage to image and reputation
-
Safety risk: accident/illness
-
Security risk: violence/crime
-
Fiduciary risk: corruption/fraud/theft/diversion
-
Legal/compliance risk: violating laws or regulations
-
Information risk: data breach/loss digital risk
-
Competition risk: competitor take your market for goods/services
Key Concepts
-
Risk management/mitigation: Organisational practices, procedures and policies (P&Ps) that reduce the probability of risks being realised and limit harmful consequences.
-
Enterprise/Integrated risk Management (ERM): An organisational management that considers, combines, and prioritises assessed risks in all risk areas (security, fiduciary, operational, informational, and reputational) in order to strategize and implement mitigation measures.
Risk mitigation is risk reduction - it cannot be made zero.
Risk Management Policy - Need
-
Need for a policy-based on donor audits/due diligence by prospective donors
-
Instil a sense of identifying, understanding and addressing risks in the organisation as it grows
-
Create awareness about risk mitigation strategies when faced with risks in our respective areas of work.
-
Staff embrace and own risk management process
-
Act as a tool for governance and control
Risk Management Process
-
Risk universe analysis
-
Risk identification
-
Risk assessment-risk assessment matrix based on likelihood and impact of identified risks
-
Prioritise risks to be taken up for mitigation
-
Risk Response-Risk Registers with Roles and responsibilities of staff
-
Monitoring
-
Reporting
|
Almost Certain |
(5) |
Low |
Medium |
High |
High |
High |
|
Likely |
(4) |
Low |
Low |
Medium |
High |
High |
|
Possible |
(3) |
Low |
Low |
Medium |
Medium |
High |
|
Unlikely |
(2) |
Low |
Low |
Low |
Low |
Medium |
|
Remote |
(1) |
Low |
Low |
Low |
Low |
Low |
|
⬆️ Probability ⬆️ |
(1) |
(2) |
(3) |
(4) |
(5) |
|
|
➡️ Consequence ➡️ |
Insignificant |
Minor |
Moderate |
Major |
Catastrophic |
|
[0-8 = Low; 9-14 = Medium; 15-25 = High]
Internal Controls
Business practices that serve as “checks and balances” on internal stakeholders (staff/key functionaries) and/or external stakeholders (vendors) in order to reduce the risk.
Internal controls are mechanisms or procedures or rules to mitigate or reduce the risks and loss to an acceptable level.
Internal Controls are of 3 types:
-
preventive controls: in place to prevent adverse events
-
detective controls: detect error/problem after it has occurred- internal audits, Reconciliations, physical inventorying
-
Corrective controls-based on error detected
Benefits and Limitations of Internal Controls
|
Benefits |
Limitations |
|
Early warning system |
Collision |
|
Prevents fraud |
Human error |
|
Avoids external audit findings |
Unforeseen circumstances |
|
Avoids statutory and regulatory penalties and actions |
— |
Key Areas of Internal Controls for Charitable Organisations
-
Legal compliance
-
Governance
-
Budget
-
Income
-
Expenditure
-
Purchase/Procurement
-
Human Resource Management
-
Assets/Inventory Management
-
Accounting
-
Cash and Bank
-
Donor Reporting
-
Program Implementation
1. Internal Controls around Legal compliance
Statutory and regulatory compliance-difference
-
All applicable statutory registrations are in order and valid (entity registration, 12AB, 80G, PAN, TAN, FCRA, NGO Darpan, MCA, EPF, ESIC, PT, Shops & Establishments Act etc).
-
All annual/periodic regulatory filings up to date (ITR, TDS, EPF, ESI, PT RoS/ROC etc).
-
Proactively check adverse proceedings/pending matters under various laws.
-
Aware that a statute or rule applies to NPOs.
-
Continued education/awareness/knowledge for changes happening in the statutory and regulatory landscape.
2. Internal Controls around Governance
-
Governance structure as per bye laws/rules
-
Meetings as per bye laws, proceedings documented as minutes of meeting
-
Changes notified & approvals obtained from statutory bodies
-
Board to put in place risk management/mitigation system
-
All statutory and other business as per timeline after proper scrutiny and review
-
Legal action against/violations by board members
-
Section 13 disallowances for transactions with board members
-
Approval of P&Ps and sub committees
3. Internal controls around Budgeting & Budgetary Controls
-
What is a budget?
-
How budget helps organisation in planning and execution of grant projects
-
What is Budgetary Controls-process, periodicity, ownership of program and finance teams
-
Course correction/Budget revision to address deviation/variance (favourable or adverse)
(Note: Participants, we have studied this in detail in the session on Principles of Grant Accounting and Management)
4. Internal controls around Grants and other Incomes
- Grant funds credited in designated Bank account Grant-proper safety and record keeping Treatment of interest
- Periodic grant Reconciliation
- Segregation of duties in Finance
- issuance of money Receipt and donation certificate to donor Timely reporting
- Proper receipt and recording of income other than grants which include rent, interest, incidental business activity etc.
5. Expenditure
Types of Expenditure:
-
Programme Expenditure or Administrative Expenditure
-
Revenue or Capital Expenditure
-
Head Office Expenditure or Field Level Expenditure
Internal Controls around Expenditure:
Expenditure plan aligned with field requirement and project plan Monitoring to prevent misappropriation/excessive spend/fraud Qualified Finance Staff to avoid inaccurate/delay in payments Proper recording of transactions, report and invoices.
6. Internal Controls around Purchase/Procurement
-
Procurement is the act of buying or obtaining goods/services. It includes preparation and processing of a demand until the end receipt is obtained and payment is approved and released.
-
Procurement process cycle.
Illustrated:
- Specify technical specs
- Budget for Purchase
- Appoint Purchase Team
- Research potential suppliers
- Solicit Bids
- Bid evaluation & vendor selection
- Issue Purchase Order
- Receipt Inspection of purchase
- Invoice approval & payment
Internal Controls around Purchase/Procurement
-
Initiate procurement after checking budget provision
-
Identify vendors after proper assessment.
-
Vendor database
-
Obtaining appropriate bids/tenders
-
Competitive bids for price discovery
-
Proper scrutiny of bids by the PC
-
Terms and conditions in PO/contract
-
Issue of Purchase Orders (PO) by authorised staff only
-
Accurate and complete information in the PO
-
Procurement tracker
7. Human Resource (HR) Management
-
Management of people who work in an organisation is HR Management
-
Need to manage HR
-
For better management of an organisation
-
For better performance and results
-
For better resource mobilisation and funding for the organisation
Controls around HR Management
-
HR Planning
-
Recruitment of staff as per JD
-
Proper orientation for new recruits
-
Avoid Nepotism
-
Identification of capacity building needs and training of HR
-
Objective performance appraisal
-
Proper handing over for exiting employee
-
Discontinue access to database for resigned employee
-
Maintaining Employee personal information
-
Salary structure
-
Grievance and complaints redressal mechanism
-
Compliance with social security laws for employees
8. Fixed Assets & Inventory Management
-
FA is an item of economic value which has a life of more than 1 year.
-
Inventory refers to items such as consumables, durables that are normally consumed within a year.
Controls around Fixed Assets & Inventory
-
Asset & Inventory management section in finance policy
-
Indent for assets and consumables based on need and budget
-
Purchase approved by PC and as per grant budgets
-
Specification of assets/inventory captured in PO
-
FA Register, Asset Identification No. marking on assets
-
Stock Register of consumables
-
Annual verification of fixed assets and consumables
-
Assets which are disposed off are removed from FA Register
-
Sale of FC assets
-
Disposal of building, land or higher value assets after Board approval and treatment of CG
9. Internal Controls around Accounting
Accounting is the process of recording, summarising, analysing and reporting financial transactions
Area of internal control in accounting:
-
Compliance with new Rule regarding maintenance of books of accounts
-
Compliance with new Rule regarding maintenance of Other documents
Accounting Software
Controls in accounting:
-
Accuracy
-
Standard formats for recording
-
Evidence and supportings
-
Complete and transparent
-
Audit
10. Controls around Cash and Bank transactions
- Cash is kept in cash box (fixed to wall)
- Reduce cash transaction with online options/universal banking
- Cash Receipts duly signed by receiver and approved
- Cash vouchers are numbered
- Monthly bank reconciliation
- Control on cash withdrawal transactions
- Bank accounts in name of organisation
- Signatories per delegation
- Update KYC of signatories
- Promote online banking
11. Controls around Donor compliances
- Timely and accurate preparation of reports.
- Activities are in line with the activity schedule.
- Data properly collected with reference to objectives of the program.
- Donor reporting guidelines and formats are adhered to.
(Note: Participants refer to the session on Grant Accounting and Management for this area of control)
12. Controls around Program Implementation
- Project Implementation plan carried out as per proposal
- No/ minimal mismatch between LFA and budget
- Impact of adverse events are effectively monitored
- Program implementation is effectively monitored in audit
- Appropriate tools of assessment are used
- Data presentation is properly done
- Outcome of program is properly reported