Risk MGT - Day 2
2.30pm to 4.30pm: Group Work (3 teams) Presentation, Role Play and Debrief
35 min per team (15 mins presentation, 10 mins Q&A, 10 mins for feedback)
Afternoon tea break inclusive (at 3.30pm)
4.30pm to 5pm: Debrief and reflection
Effective Risk Management for NPOs
Recap
Coverage
1. What are risks?
2. Risk Categories
3. Risk Assessment and Evaluation
4. Risk Management Policy
5. How to manage risks? Risk Mitigation Techniques
6. Risk Maps
7. Risk Register and Risk Action Report
8. Continual Improvement
9. Internal Control
10. Internal Control Checklist
Recap
Risk Management is everyone’s responsibility
TOP RISKS BY NPO SECTOR
Recap
Recap
Risk Department
Operational Department
Recap
Risk Reporting cycle (from the slide diagram): Review (highlight changes in risk trends), Monitor (risk profiles), Action.
*Risk action report highlights additional actions to be taken to mitigate residual risks which are deemed
too high OR unacceptable.
DAY 1 ESSENTIAL READINGS ON RISK MANAGEMENT FOR NPOS
DAY 2 ESSENTIAL READING AND WORKBOOK
Effective Risk Management for NPOs
Group Work For Day 2
Effective Risk Management for NPOs
Group Work For Day 2 - Instructions
Each group is to develop (1) a Risk Register, (2) a Risk Matrix and (3) a Risk Action Report for the risks selected. Groups will be given about 4 hours (inclusive of 30 minutes consultation time) to complete the assignments.
During the morning session, each group will be given 30 minutes of consultation with the trainers on the risk register, risk matrix and risk action report for the selected NPO.
In the afternoon, each group will carry out a 15-minute class presentation on (1) the Risk Matrix and (2) the Risk Action Report for the risks selected. At the end of each presentation, another group, selected to role-play the NPO's Board, will seek clarifications on the Risk Matrix and Risk Action Report presented and decide whether or not to approve the proposal. Each presentation and role play will take about 30 minutes.
Group Work
Detailed Instructions and Templates
Step 1 Risk Register (4 templates) to be completed in 60 mins
Step 2 Risk Matrix (1 template) to be completed in 15 mins
Step 3 Risk Action Plans (1 template) to be completed in 30 mins
Step 4 Preparation of Presentation of Risk Matrix and Risk Action Plan to be
completed in 30 mins
Step 5 Presentation (15 minutes) of Risk Matrix and Risk Action Plan
Step 6 Feedback by “NPO’s Board” (10 minutes)
Step 1 : Risk Assessment/Evaluation
For your organization, please compile the risk register for the following areas.
(1) Strategic Risks,
(2) Financial Risks,
(3) Operational Risks and
(4) Compliance Risks
Step 1.1 Risk Register (Strategic Risks)
No | Strategic Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact
1 | Lack of proper annual plan | Unlikely | Major | Board Secretary to implement an annual planning process and table the annual plan to the Board for review and approval | Rare | Major
Step 1.2 Risk Register (Financial Risks)
Identify only 5 possibilities
Step 1.3 Risk Register (Operational Risks)
Identify only 5 possibilities
Step 1.4 Risk Register (Compliance Risk)
Identify only 5 possibilities
Step 2 : Develop Risk Matrix
Use 5x5 table for the Risk Matrix
For each of the risks identified in the risk register,
Score likelihood (1 to 5, 1 being rare and 5 being almost certain)
Score consequence (1 to 5, 1 being insignificant and 5 being critical)
Fill in the Risk Matrix to determine (1) the extreme risks that are unacceptable, (2) the risks where reduction is desired and (3) the risks that are acceptable.
Step 2 : Develop Risk Matrix (blank 5x5 template)
Rows (Likelihood, top to bottom): Almost Certain 5, Likely 4, Possible 3, Unlikely 2, Rare 1
Columns (Consequence, left to right): Insignificant 1, Minor 2, Moderate 3, Major 4, Critical 5
Step 2 : Develop Risk Matrix (worked figure)
The same 5x5 grid with the sample risk "Incomplete Finance SOP" plotted in the Unlikely (2) row.
Step 3: Risk Action Plans
• For Risk Action Plan, please extract “Risk Actions” from Risk
Register.
• The plan lists the risks which are currently not as well controlled
and where further actions could be implemented to better control
or manage the risks. These risks tend to be medium or high in
overall risk scores to merit further actions and costs.
• You may add actions deemed necessary for the risks you have
chosen.
• For this activity, you are only required to work out the action plan
for the unacceptable risks which are usually in the non-green
zone.
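As an added worked example (not part of the deck's materials or templates), the short Python script below carries Steps 1 to 3 through end to end: it scores each register row on the 1–5 likelihood and consequence scales stated in Step 2, plots the net positions on the 5x5 matrix, and extracts the Step 3 action plan as the rows whose net score falls outside the green zone. The zone cut-offs (15 and above extreme, 5 to 14 reduction desired, 1 to 4 acceptable) are an assumption for this example, since the deck names the zones but not their boundaries; the sample register entries reuse the deck's risk statements with constructed likelihood/consequence ratings.

```python
from dataclasses import dataclass

# Scales as stated in Step 2 of the deck: 1 = rare / insignificant, 5 = almost certain / critical.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD_LABEL = {v: k for k, v in LIKELIHOOD.items()}


def zone(score: int) -> str:
    """Zone bands over the product likelihood x consequence.
    These cut-offs are an assumption for this example; the deck names the
    three zones but does not state where they begin and end."""
    if score >= 15:
        return "extreme"            # unacceptable: must have a risk action plan
    if score >= 5:
        return "reduction desired"  # amber: further action should be considered
    return "acceptable"             # green: managed by the existing controls


@dataclass
class RiskEntry:
    ref: str
    statement: str
    gross: tuple          # (likelihood, consequence) before controls
    controls: str
    net: tuple            # (likelihood, consequence) after controls
    action: str = "N/A"


def score(likelihood: str, consequence: str) -> int:
    return LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]


def evaluate(entry: RiskEntry) -> dict:
    """Score one register row on both the gross and the net basis (Step 1)."""
    g, n = score(*entry.gross), score(*entry.net)
    return {"ref": entry.ref, "gross_score": g, "gross_zone": zone(g),
            "net_score": n, "net_zone": zone(n)}


def plot_matrix(register, net=True) -> dict:
    """Step 2: map (likelihood score, consequence score) -> refs plotted in that cell."""
    cells = {(l, c): [] for l in range(1, 6) for c in range(1, 6)}
    for e in register:
        l, c = e.net if net else e.gross
        cells[(LIKELIHOOD[l.lower()], CONSEQUENCE[c.lower()])].append(e.ref)
    return cells


def render_matrix(register, net=True) -> str:
    """Text rendering of the 5x5 matrix, almost certain at the top, rare at the bottom."""
    cells = plot_matrix(register, net)
    lines = ["likelihood \\ consequence | " + " | ".join(str(c) for c in range(1, 6))]
    for l in range(5, 0, -1):
        row = [",".join(cells[(l, c)]) or "-" for c in range(1, 6)]
        lines.append(f"{LIKELIHOOD_LABEL[l]:>22} ({l}) | " + " | ".join(row))
    return "\n".join(lines)


def action_plan(register):
    """Step 3: only risks whose net score is outside the green zone need an action plan."""
    return [e for e in register if zone(score(*e.net)) != "acceptable"]


# Constructed sample register. The risk statements follow the deck's sample tables; the
# likelihood/consequence ratings are made up for this example (the deck gives only
# High/Medium/Low labels for them).
SAMPLE_REGISTER = [
    RiskEntry("S1", "Lack of proper annual plan", ("Unlikely", "Major"),
              "Board Secretary runs an annual planning process", ("Rare", "Major")),
    RiskEntry("O1", "Incomplete finance SOP", ("Unlikely", "Moderate"),
              "Annual review of SOPs", ("Unlikely", "Minor")),
    RiskEntry("F1", "Insufficient funds to expand services", ("Likely", "Major"),
              "Funding forecast and campaigns", ("Possible", "Moderate"),
              "Half-yearly review of funding campaigns"),
    RiskEntry("C3", "Data hacked or leaked (PDPA non-compliance)", ("Likely", "Critical"),
              "Secured systems, data handling procedures, segregation of sensitive data",
              ("Possible", "Major"), "Share PDPA cases at townhalls; IT to enhance data security"),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(evaluate(e))
    print(render_matrix(SAMPLE_REGISTER))
    print("Action plan:", [e.ref for e in action_plan(SAMPLE_REGISTER)])
```

Running the script prints the gross and net scores per row, the net-position matrix, and the action plan, which for the constructed register is F1 and C3: both drop from the extreme zone on a gross basis to "reduction desired" after controls, which is exactly the case the deck says still merits further actions and costs.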
Step 3.1 : Risk Action Plan for Strategic Risk (for only extreme risks identified)
Step 3.2 : Risk Action Plan for Financial Risk (for only extreme risks identified)
Step 3.3 : Risk Action Plan for Operational Risk (for only extreme risks identified)
Step 3.4 : Risk Action Plan for Compliance Risk (for only extreme risks identified)
Review your organization's risk register after group work
SAMPLE RISK REGISTER & RISK ACTION PLAN: STRATEGIC RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
S1 | Chairman | Review of board tenure of directors who may breach 10 year rule. | Medium | Board secretary to submit list of tenure of all board members in January each year for Chairman to review. | Low | N/A
S2 | Chairman | Succession planning for the CEO and key managers | High | Board will review the proposed plan for succession, talent grooming and career development programmes. | Medium | HR Committee to set up and quarterly review of these issues and action plans.
S3 | CEO | Inadequate assessment of programmes and services to align with the changing social needs | High | Annual Board/Management retreat to assess the existing programmes with the population profiles and the government statistics. | Medium | Management to submit a paper on the results of review at the annual retreat.
SAMPLE RISK REGISTER & RISK ACTION PLAN: OPERATIONAL RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
O1 | Operations Director | Insufficient service staff required for running the programmes. | Medium | Periodic recruitment drives at the career fairs and centre recruitment campaigns. | Medium | Cross training and incentives for skill trainings to improve efficiency. Automate some areas of services.
O2 | Corporate Services | Inadequate documentation of revised workflows. | Medium | Annual reviews of SOPs to ensure workflows are properly updated. | Low | N/A
O3 | Safety Director | Insufficient communication of the safety procedures to prevent safety lapses. | Medium | Induction for new staff, regular refresher for existing staff. | Low | N/A
SAMPLE RISK REGISTER & RISK ACTION PLAN: FINANCIAL RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
F1 | CEO & Fundraising Director | Anticipated insufficient funds due to requirement to expand the services for silver people. | High | Forecast of the required funds and timing. Plan sources of funding from donors and the government. Launch funding campaigns. | Medium | Half yearly review of the funding campaigns. Pilot services on smaller scale. Enlist volunteers to help.
F2 | Finance Director | Too many cash payments and receipts at branches. | Medium | Policy to discourage use of cash and notice at branches to accept electronic payments only. | Low | N/A
F3 | CEO and Finance Director | Inconsistent review of actual financial status against annual budget. | Medium | Mandatory reports of reviews as follows: 1. Actual v Budget; 2. "Actual this year" v "Actual last year". | Low | N/A
SAMPLE RISK REGISTER & RISK ACTION PLAN: COMPLIANCE RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
C1 | Board Secretary and CEO | Governance Evaluation checklist inaccurately completed, which may pose a risk to renewal of IPC status. | High | Completed checklist should be reviewed at the management meeting to ensure completeness and correctness. | Medium | Completed checklist should be tabled at the Board meeting for discussion and approval.
C2 | Finance Director | Late submission of annual returns to Commissioner of Charities. | Medium | Timetable for completion of accounts and returns, audit of financial statements, review of audited accounts by the Board before deadline for submission. | Low | N/A
C3 | Chief Data Protection Officer and CEO | Data hacked or leaked leading to non-compliance with PDPA. | High | Secure computer systems and data handling procedures; regular communication and reminder of data protection; sensitive data to be segregated and secured. | Medium | PDPA cases to be highlighted and shared in Townhalls; IT to look out for ways to enhance securing of data; simulated ethical hacking to learn the weaknesses and rectify them.
SAMPLE RISK REGISTER & RISK ACTION PLAN: RISK INCIDENT REPORTING
Report a serious incident on behalf of the trustee body
DETAILS REQUIRED FOR RISK INCIDENT REPORTING FORM:
1. Contact details, the charity name and its registration number
5. What happened
7. What impact the incident has had on the charity's beneficiaries, finances, staff, operations or reputation
8. Which of the charity's policies or procedures relate to the incident, and whether they were followed
9. What steps the charity has taken to deal with the incident and to prevent similar incidents
SAMPLE RISK REGISTER & RISK ACTION PLAN: RISK INCIDENT REPORTING (EXAMPLE)
https://register-of-charities.charitycommission.gov.uk/report-a-serious-incident
Consultation
Tell us about your organisation's risk management framework:
1. People involved
2. Processes
3. Resources set aside
4. Is there a Risk Register?
5. Are there procedures for Incident reporting?
6. Are there internal control procedures?
DAY 1:
CLASS DISCUSSION 1
WHAT ARE YOUR ORGANIZATION'S RISKS
Each organization has their own risks.
Some risks may be common.
Some risks may be very specific.
Please share 2 examples of risk in your organization.
DAY 1:
BREAK OUT ROOM 2
QUESTIONS FOR GROUP WORK
DAY 1:
BREAK OUT ROOM 3
QUESTIONS FOR GROUP WORK
Please review the finance internal control checklist (provided by NCSS earlier) to identify the controls that are relevant and critical to your organization.
Video 1: https://www.youtube.com/watch?v=cbgrAioNU0s
Case study VIDEO on City Harvest Church Scandal (move to day 2, towards the end)
Case Study on City Harvest Scandal by Cassandra Ho
Source :
https://lkyspp.nus.edu.sg/docs/default-source/ips/cassandra_revisiting-the-issue-of-good-governance-in-the-city-harvest-_0109121.pdf
Across society, accountability that is based on a set of good corporate ethics is perhaps the only lingua franca
bridging any religious organisation and the state — whether the leaders are appointed by man or by God.
This is based on the understanding that religious leaders are not simply accountable to God, but must also be
transparent with their followers and the community. To this end, governance of religious organisations is
subjected to a common set of secular regulations and cannot merely be premised on leadership that relies
on personal charisma and faith. Insisting on a code of conduct may therefore lead to a paradox for some who
are personally convinced that their leaders have proven themselves worthy of trust. Here, the need to adopt
measures of accountability and transparency stipulated by the state as demonstrable of ‘good leadership’
seems at odds when a leader has in fact been nominated because he or she is seen as intrinsically upright.
It is to admit that despite the acknowledgement of the leader’s integrity and capabilities, he or she is
ultimately fallible and has to abide by a certain code of conduct to ensure that personal interests or gains do
not collide with leadership. Good governance on the other hand however, is important in charities because it
is premised on the adoption of a code of conduct that in turn helps charities to be more effective,
transparent and accountable to their stakeholders.
In conclusion, the City Harvest Scandal has highlighted the importance of proper risk management in charities to prevent individuals in positions of power from abusing it.
https://www.theguardian.com/world/2015/oct/21/singapore-mega-church-founder-guilty-fraud-35m
City Harvest case: Is this the end of the saga? Here's all you need to know
https://www.straitstimes.com/singapore/courts-crime/city-harvest-case-recap-of-a-saga-that-dragged-on-for-7-years
1. Who is involved?
The six are CHC founder and senior pastor Kong Hee, 53; deputy senior pastor Tan Ye Peng, 45; former finance
managers Serina Wee, 41, and Sharon Tan, 42; former fund manager Chew Eng Han, 57, and former finance
committee member John Lam, 50.
Reflections
Day 2 Effective Risk Management for NPOS
Presentation of certificates
ANNEX: RISK GLOSSARY
• Risks are anything that will obstruct or prevent achievement of the organisation's goals or objectives. They arise from uncertainties that may or may not be foreseen. An example is a change in weather that could result in stoppages in a project.
• Operational risks might arise from problematic processes, policies, systems or events that disrupt the organisation's operations. An example is obsolete systems that cannot cope with the new operations.
• Financial risks refer to dangers that cause money losses in capital, investments or other financial assets. An example is a failed programme that led to financial losses.
• Compliance risks arise from potential exposure to legal penalties and sanctions for failing to meet laws and regulations, internal policies or prescribed best practices. An example is non-compliance with the governance code set by the Charity Commission.
• Risk assessment/evaluation is a systematic process of identifying, analysing and controlling risks. It is normally performed by a person with a good understanding of the risks impacting the organisation. A risk assessment is critical to ensure that the organisation is aware of the risks confronting it and of its existing actions in mitigating these risks. It also provides potential solutions for managing new risks.
• Risk map (risk heat map) is a pictorial way of presenting the risks an organisation faces. It is usually shown in the two dimensions of likelihood and impact. Traffic-light colours are used, with red being high risks and green being low risks. These maps can be 3x3, 3x4, … with the more complex ones drawn as 5x5.
Risk Glossary ANNEX
• Likelihood means the possibility of a potential risk occurring. It can be assessed through judgment or using past statistics. Generally, categories such as low, medium or high are used in risk assessments. A high likelihood means that the risk may occur often, whilst a low likelihood means a risk that rarely happens.
• Impact is an estimate of the potential losses associated with an identified risk. It is normally associated with a dollar value and classified similarly to likelihood.
• Top risks refer to the most severe risks that will harm the organisation and may lead to going-concern issues. An example is loss of the licence to operate because the organisation pollutes the local environment and causes loss of lives.
• Risk mitigation refers to planning for risks, including disasters, and controls to reduce the negative impacts. Although an organisation should mitigate all potential risks, a cost-benefit analysis is usually undertaken to prepare for major risks first.
• Risk register is a list for documenting risks, their gross and net likelihoods and impacts, and the associated mitigating actions to manage each risk.
• Risk action report is a document indicating which risks would require additional actions and controls to manage the risks better. Actions could be through reviews and approvals in these areas.
• Risk governance comprises the actions, processes, policies and structures to ensure that risks are owned, managed properly and reported to the Board for effective governance.