
Effective Risk Management for NPOs

Day 2, July 2023


Presented by Dr. Isabel SIM and Ms. GOH Puay Cheh

Day 2 – Active Learning – Face to Face
9.30am to 10.30am: 11. Internal Control and Internal Control Checklist (PC)
10.30am to 11am: Morning tea break
11am to 11.30am: Recap for Day 1; review of key concepts on Risk Management; instructions for Group Work for Day 2
11.30am to 1.30pm: Consultation for Group Work (30 mins per team), inclusive of lunch break (1 hour)
1.30pm to 2.30pm: Group Work
2.30pm to 4.30pm: Group Work (3 teams) Presentation, Role Play and Debrief; 35 min per team (15 mins presentation, 10 mins Q&A, 10 mins for feedback); afternoon tea break inclusive (at 3.30pm)
4.30pm to 5pm: Debrief and reflection
Effective Risk Management for NPOs
Recap
Coverage
1. What are risks?
2. Risk Categories
3. Risk Assessment and Evaluation
4. Risk Management Policy
5. How to manage risks? Risk Mitigation Techniques
6. Risk Maps
7. Risk Register and Risk Action Report
8. Continual Improvement
9. Internal Control
10. Internal Control Checklist
Recap
Risk Management is everyone’s responsibility

Risk management is essential because it helps you:
• Comply with laws and regulations
• Make decisions with confidence
• Allocate resources efficiently
• Protect your people, property, and reputation
• Focus on your organization’s mission

Recap
TOP RISKS BY NPO SECTOR
Recap
Risk Department / Operational Department (diagram)

Recap: Risk Reporting
Risk Register – highlight changes in risk profiles
Risk Incidents – review trends
Risk Action Report* – monitor action
*Risk action report highlights additional actions to be taken to mitigate residual risks which are deemed too high or unacceptable.
DAY 1 ESSENTIAL READINGS ON RISK MANAGEMENT FOR NPOS
E-copy of the 3 booklets to be provided for participants

DAY 2 ESSENTIAL READING AND WORKBOOK
E-copy of Reading to be provided. Workbook will be printed and distributed on Day 2.
Effective Risk Management for NPOs
Group Work For Day 2

Group Work For Day 2 - Instructions
Each group is to develop (1) Risk Register, (2) Risk Matrix and (3) Risk Action Report for the risks selected. They will be given about 4 hours (inclusive of 30 minutes consultation time) to complete the assignments.

During the morning session, each group will be given 30 minutes consultation with the trainers on the risk register, risk matrix and risk action reports for the selected NPO.

In the afternoon, each group will carry out a 15 minute class presentation on (1) Risk Matrix and (2) Risk Action Report for the risks selected. At the end of each presentation, another group, selected to role play as the NPO’s Board, will seek clarifications on the Risk Matrix and Risk Action Report presented and decide whether or not to approve the proposal. Each presentation and role play will take about 30 minutes.
Group Work
Detailed Instructions and Templates
Step 1 Risk Register (4 templates) to be completed in 60 mins
Step 2 Risk Matrix (1 template) to be completed in 15 mins
Step 3 Risk Action Plans (1 template) to be completed in 30 mins
Step 4 Preparation of Presentation of Risk Matrix and Risk Action Plan to be
completed in 30 mins
Step 5 Presentation (15 minutes) of Risk Matrix and Risk Action Plan
Step 6 Feedback by “NPO’s Board” (10 minutes)

Step 1 : Risk Assessment/Evaluation
For your organization, please compile the risk register for the following areas:
(1) Strategic Risks,
(2) Financial Risks,
(3) Operational Risks and
(4) Compliance Risks

For each risk identified, please ascertain:
• What is the gross likelihood?
• What is the gross impact?
• What are the risk mitigating actions? Controls?
• What is the net likelihood?
• What is the net impact?
Step 1.1 Risk Register (Strategic Risks)
Identify only 5 possibilities
No | Strategic Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact

Step 1.1 Risk Register (Strategic Risks) (example)
No | Strategic Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact
1 | Lack of proper annual plan | Unlikely | Major | Board Secretary to implement an annual planning process and table the annual plan to the Board for review and approval | Rare | Major
Step 1.2 Risk Register (Financial Risks)
Identify only 5 possibilities
No | Financial Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact

Step 1.2 Risk Register (Financial Risks) (example)
No | Financial Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact
1 | Lack of Finance Manual | Possible | Major | Initiate Finance Manual Project and set deadline to complete in six months | Unlikely | Major
Step 1.3 Risk Register (Operational Risks)
Identify only 5 possibilities
No | Operational Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact

Step 1.3 Risk Register (Operational Risks) (example)
No | Operational Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact
1 | Lack of review of Education Program 1 | Likely | Moderate | Assign Senior Officer Mr. Lee to take charge of this review and submit a monthly report on the results | Rare | Moderate
Step 1.4 Risk Register (Compliance Risks)
Identify only 5 possibilities
No | Compliance Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact

Step 1.4 Risk Register (Compliance Risks) (example)
No | Compliance Risks | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact
1 | Failure to disclose the senior management compensation in bands of $50,000 | Likely | Major | Finance to ensure disclosure and CEO to review for compliance | Rare | Moderate
Step 2 : Develop Risk Matrix
Use a 5x5 table for the Risk Matrix.
For each of the risks identified in the risk register:
• Score likelihood (1 to 5, 1 being rare and 5 being almost certain)
• Score consequence (1 to 5, 1 being insignificant and 5 being critical)
• Fill up the Risk Matrix to determine the (1) extreme risks that are unacceptable, (2) risks where reduction is desired and (3) risks that are acceptable
Step 2 : Develop Risk Matrix
Likelihood (rows): Almost Certain 5, Likely 4, Possible 3, Unlikely 2, Rare 1
Consequence (columns): Insignificant 1, Minor 2, Moderate 3, Major 4, Critical 5

Step 2 : Develop Risk Matrix (example, net positions of the Step 1 risks)
Unlikely (2) / Major (4): Incomplete Finance SOP
Rare (1) / Major (4): Lack of annual plan
Rare (1) / Moderate (3): Lack of review of education program; Lack of disclosure on mgmt compensation
Step 3: Risk Action Plans
• For Risk Action Plan, please extract “Risk Actions” from Risk
Register.
• The plan lists the risks which are currently not as well controlled
and where further actions could be implemented to better control
or manage the risks. These risks tend to be medium or high in
overall risk scores to merit further actions and costs.
• You may add actions deemed necessary for the risks you have
chosen.
• For this activity, you are only required to work out the action plan
for the unacceptable risks which are usually in the non-green
zone.
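Steps 1 to 3 above are one pipeline: register the risks with gross and net ratings, place the net positions on the 5x5 matrix, then pull the risks that are still outside the green zone into the Risk Action Plan. The following Python is an added worked example of that pipeline, not part of the workshop material; it loads the four Step 1 sample rows (given the constructed references S1, F1, O1, C1 in the style of the sample register), scores them with the deck's 1 to 5 likelihood and consequence scales, and derives the action plan. The numeric zone boundaries (score of 15 or more is extreme, 6 or more is reduction desired, below that acceptable) are an assumption for this example, since the deck names the three zones without fixing their cut-offs. It also checks a consistency rule the templates rely on but do not state: a control cannot leave the net score above the gross score.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scales from Step 2 of the deck: 1 = rare / insignificant, 5 = almost certain / critical.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Critical": 5}


def score(likelihood: str, impact: str) -> int:
    """Likelihood x consequence on the 5x5 matrix, giving a value from 1 to 25."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[impact]


def zone(risk_score: int) -> str:
    """Map a matrix score to the deck's three zones.
    The boundaries used here are an assumption for this example."""
    if risk_score >= 15:
        return "extreme"            # unacceptable (red)
    if risk_score >= 6:
        return "reduction desired"  # amber
    return "acceptable"             # green


@dataclass(frozen=True)
class RiskEntry:
    """One row of the Step 1 risk register template."""
    ref: str
    category: str
    statement: str
    gross_likelihood: str
    gross_impact: str
    controls: str
    net_likelihood: str
    net_impact: str

    def gross_score(self) -> int:
        return score(self.gross_likelihood, self.gross_impact)

    def net_score(self) -> int:
        return score(self.net_likelihood, self.net_impact)


def validate(entry: RiskEntry) -> None:
    """Controls reduce risk; a net score above the gross score means the row is inconsistent."""
    if entry.net_score() > entry.gross_score():
        raise ValueError(f"{entry.ref}: net score {entry.net_score()} exceeds gross score {entry.gross_score()}")


def risk_matrix(register: list[RiskEntry]) -> dict[tuple[str, str], list[str]]:
    """Place each risk on the 5x5 matrix (Step 2) by its net likelihood and impact."""
    cells: dict[tuple[str, str], list[str]] = defaultdict(list)
    for entry in register:
        validate(entry)
        cells[(entry.net_likelihood, entry.net_impact)].append(entry.ref)
    return dict(cells)


def risk_action_plan(register: list[RiskEntry]) -> list[RiskEntry]:
    """Step 3: risks whose net position is still outside the acceptable zone, most severe first."""
    open_risks = [e for e in register if zone(e.net_score()) != "acceptable"]
    return sorted(open_risks, key=lambda e: e.net_score(), reverse=True)


def render_matrix(register: list[RiskEntry]) -> str:
    """Text rendering of the matrix: likelihood rows top-down, consequence columns left-right."""
    cells = risk_matrix(register)
    lines = ["Likelihood \\ Consequence | " + " | ".join(CONSEQUENCE)]
    for likelihood in reversed(list(LIKELIHOOD)):
        row = [",".join(cells.get((likelihood, impact), [])) or "-" for impact in CONSEQUENCE]
        lines.append(f"{likelihood:<24} | " + " | ".join(row))
    return "\n".join(lines)


# The four Step 1 sample rows from the deck; references S1/F1/O1/C1 are constructed labels.
REGISTER = [
    RiskEntry("S1", "Strategic", "Lack of proper annual plan", "Unlikely", "Major",
              "Board Secretary to implement an annual planning process", "Rare", "Major"),
    RiskEntry("F1", "Financial", "Lack of Finance Manual", "Possible", "Major",
              "Initiate Finance Manual Project, complete in six months", "Unlikely", "Major"),
    RiskEntry("O1", "Operational", "Lack of review of Education Program 1", "Likely", "Moderate",
              "Senior Officer to own the review and report monthly", "Rare", "Moderate"),
    RiskEntry("C1", "Compliance", "Failure to disclose senior management compensation", "Likely", "Major",
              "Finance to ensure disclosure, CEO to review", "Rare", "Moderate"),
]

if __name__ == "__main__":
    print(render_matrix(REGISTER))
    for entry in risk_action_plan(REGISTER):
        print(f"{entry.ref}: net {entry.net_score()} ({zone(entry.net_score())}) -> further action required")
```

Running it shows only F1 (net Unlikely/Major, score 8) left in the action plan, which matches the example matrix in Step 2 where the Finance SOP risk is the one item outside the bottom-left corner; the other three land at scores of 3 or 4 and need no further action under the assumed boundaries.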
Step 3.1 : Risk Action Plan for Strategic Risk (for only extreme risks identified)
No | Strategic Risk# | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact | Risk Action*
*further actions needed to better manage the risks

Step 3.2 : Risk Action Plan for Financial Risk (for only extreme risks identified)
No | Financial Risk# | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact | Risk Action*
*further actions needed to better manage the risks

Step 3.3 : Risk Action Plan for Operational Risk (for only extreme risks identified)
No | Operational Risk# | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact | Risk Action*
*further actions needed to better manage the risks

Step 3.4 : Risk Action Plan for Compliance Risk (for only extreme risks identified)
No | Compliance Risk# | Gross Likelihood | Gross Impact | Risk Management Actions/Control | Net Likelihood | Net Impact | Risk Action*
*further actions needed to better manage the risks
Review your organization’s risk register after group work

Step 4 Preparation of Presentation of Risk Matrix and Risk Action Plan to be completed in 30 mins
Step 5 Presentation (15 minutes) of Risk Matrix and Risk Action Plan
Step 6 Feedback by “NPO’s Board” (10 minutes)
SAMPLE RISK REGISTER & RISK ACTION PLAN: STRATEGIC RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
S1 | Chairman | Review of board tenure of directors who may breach 10 year rule. | Medium | Board secretary to submit list of tenure of all board members in January each year for Chairman to review. | Low | N/A
S2 | Chairman | Succession planning for the CEO and key managers | High | Board will review the proposed plan for succession, talent grooming and career development programmes. | Medium | HR Committee to set up and quarterly review of these issues and action plans.
S3 | CEO | Inadequate assessment of programmes and services to align with the changing social needs | High | Annual Board/Management retreat to assess the existing programmes with the population profiles and the government statistics. | Medium | Management to submit a paper on the results of review at the annual retreat.
SAMPLE RISK REGISTER & RISK ACTION PLAN: OPERATIONAL RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
O1 | Operations Director | Insufficient service staff required for running the programmes. | Medium | Periodic recruitment drives at the career fairs and centre recruitment campaigns. | Medium | Cross training and incentives for skill trainings to improve efficiency. Automate some areas of services.
O2 | Corporate Services | Inadequate documentation of revised workflows. | Medium | Annual reviews of SOPs to ensure workflows are properly updated. | Low | N/A
O3 | Safety Director | Insufficient communication of the safety procedures to prevent safety lapses. | Medium | Induction for new staff, regular refresher for existing staff. | Low | N/A
SAMPLE RISK REGISTER & RISK ACTION PLAN: FINANCIAL RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
F1 | CEO & Fundraising Director | Anticipated insufficient funds due to requirement to expand the services for silver people. | High | Forecast of the required funds and timing. Plan sources of funding from donors and the government. Launch funding campaigns. | Medium | Half yearly review of the funding campaigns. Pilot services on smaller scale. Enlist volunteers to help.
F2 | Finance Director | Too many cash payments and receipts at branches. | Medium | Policy to discourage use of cash and notice at branches to accept electronic payments only. | Low | N/A
F3 | CEO and Finance Director | Inconsistent review of actual financial status against annual budget. | Medium | Mandatory reports of reviews as follows: 1. Actual v Budget; 2. “Actual this year” v “Actual last year”. | Low | N/A
SAMPLE RISK REGISTER & RISK ACTION PLAN: COMPLIANCE RISKS
Reference | Risk Owner | Risk Statement | Gross Risk | Controls / Mitigating Measures | Net Risk | Risk Action Plan
C1 | Board Secretary and CEO | Governance Evaluation checklist inaccurately completed, which may pose a risk to renewal of IPC status. | High | Completed checklist should be reviewed at the management meeting to ensure completeness and correctness. | Medium | Completed checklist should be tabled at the Board meeting for discussion and approval.
C2 | Finance Director | Late submission of annual returns to Commissioner of Charities. | Medium | Timetable for completion of accounts and returns, audit of financial statements, review of audited accounts by the Board before deadline for submission. | Low | N/A
C3 | Chief Data Protection Officer and CEO | Data hacked or leaked leading to non-compliance with PDPA. | High | Secure computer systems and data handling procedures; regular communication and reminder of data protection; sensitive data to be segregated and secured. | Medium | PDPA cases to be highlighted and shared in Townhalls; IT to look out for ways to enhance securing of data; simulated ethical hacking to learn the weaknesses and rectify them.
SAMPLE RISK REGISTER & RISK ACTION PLAN: RISK INCIDENT REPORTING
Report a serious incident on behalf of the trustee body
Source: https://register-of-charities.charitycommission.gov.uk/report-a-serious-incident
DETAILS REQUIRED FOR RISK INCIDENT REPORTING FORM:
1. Contact details, the charity name and its registration number
2. Reference numbers and contact details
3. Names and registration numbers of other charities involved in the incident (if relevant)
4. Date of the incident and its discovery
5. What happened
6. Whether trustees are aware of the incident
7. What impact the incident has had on the charity’s beneficiaries, finances, staff, operations or reputation
8. Which of the charity’s policies or procedures relate to the incident, and whether they were followed
9. What steps the charity has taken to deal with the incident and to prevent similar incidents

SAMPLE RISK REGISTER & RISK ACTION PLAN: RISK INCIDENT REPORTING (EXAMPLE)
https://register-of-charities.charitycommission.gov.uk/report-a-serious-incident

Consultation
Tell us about your organisation’s risk management framework:
1. People involved
2. Processes
3. Resources set aside
4. Is there a Risk Register?
5. Are there procedures for incident reporting?
6. Are there internal control procedures?

Any questions on Risk Register and Risk Maps?

Group work in progress
DAY 1:
CLASS DISCUSSION 1
WHAT ARE YOUR ORGANIZATION'S RISKS
Each organization has its own risks.
Some risks may be common.
Some risks may be very specific.
Please share 2 examples of risk in your organization.

1 representative per organization

The Risk Register is unique to each NPO, and it changes over time.
DAY 1:
CLASS DISCUSSION 2
WHAT ARE THE CHALLENGES THAT YOU FACE IN MANAGING YOUR ORGANIZATION'S RISKS
Examples:
• Organization culture/mindset
• Stringent compliance requirements that are difficult to fulfill
• Lack of resources
• No buy-in from Board and senior management
• Lack of personnel
• Insufficient training for staff

Please share with the class. 1 representative per organization
DAY 1:
BREAK OUT ROOM 1
QUESTIONS FOR GROUP WORK

Question 1 Risk Management Policy for your NPO
a) What are the objectives of risk management (RM) in your organization?
b) Who is involved in the risk management function? Explain the roles and responsibilities of Board, senior management and operational staff.

Question 2 Review of Risks in your NPO
c) Who should initiate the review of risks in your NPO?
d) Share your organization’s risk review process. What are the key steps?
e) When should the risk review take place? How long will it take? Who should be involved?
f) Who should approve the results of the review?
DAY 1:
BREAK OUT ROOM 2
QUESTIONS FOR GROUP WORK

Question 1 Identify the Risks in your organisation
What are the strategic, financial, operational and compliance risks? Give 1 example for each category. Total 4 examples that are specific to your organization.

Question 2 Risk Mitigation
How will you treat each of these 4 risks?
What are the internal controls to mitigate these risks?
What are the actions needed to mitigate these risks?

This exercise serves as a warm up for Day 2’s Workshop
DAY 1:
BREAK OUT ROOM 3
QUESTIONS FOR GROUP WORK

Finance Internal Control Checklist
Please review the finance internal control checklist (provided by NCSS earlier) to identify the controls that are relevant and critical to your organization.
Video 1: Case study – VIDEO on City Harvest Church Scandal
https://www.youtube.com/watch?v=cbgrAioNU0s
(Move to Day 2, towards the end)
Case Study on City harvest scandal
Case study on City Harvest Scandal by Cassandra Ho
Source :
https://lkyspp.nus.edu.sg/docs/default-source/ips/cassandra_revisiting-the-issue-of-good-governance-in-the-city-harvest-_0109121.pdf

Across society, accountability that is based on a set of good corporate ethics is perhaps the only lingua franca
bridging any religious organisation and the state — whether the leaders are appointed by man or by God.
This is based on the understanding that religious leaders are not simply accountable to God, but must also be
transparent with their followers and the community. To this end, governance of religious organisations is
subjected to a common set of secular regulations and cannot merely be premised on leadership that relies
on personal charisma and faith. Insisting on a code of conduct may therefore lead to a paradox for some who
are personally convinced that their leaders have proven themselves worthy of trust. Here, the need to adopt
measures of accountability and transparency stipulated by the state as demonstrable of ‘good leadership’
seems at odds when a leader has in fact been nominated because he or she is seen as intrinsically upright.
It is to admit that despite the acknowledgement of the leader’s integrity and capabilities, he or she is
ultimately fallible and has to abide by a certain code of conduct to ensure that personal interests or gains do
not collide with leadership. Good governance on the other hand however, is important in charities because it
is premised on the adoption of a code of conduct that in turn helps charities to be more effective,
transparent and accountable to their stakeholders.
In conclusion, the City Harvest scandal has highlighted the importance of proper risk management in charities to prevent individuals in positions of power from abusing it.
https://www.theguardian.com/world/2015/oct/21/singapore-mega-church-founder-guilty-fraud-35m

City Harvest case: Is this the end of the saga? Here's all you need to know
https://www.straitstimes.com/singapore/courts-crime/city-harvest-case-recap-of-a-saga-that-dragged-on-for-7-years

1. Who is involved?
The six are CHC founder and senior pastor Kong Hee, 53; deputy senior pastor Tan Ye Peng, 45; former finance managers Serina Wee, 41, and Sharon Tan, 42; former fund manager Chew Eng Han, 57, and former finance committee member John Lam, 50.

2. What are their current jail terms?
Kong is currently serving 3½ years' jail, the longest sentence of the six. Tan Ye Peng got three years and two months; Wee, 2½ years; and Lam, 1½ years.
They began serving their sentences on April 21 last year.
Chew faces a jail term of three years and four months. His sentence will begin on Feb 22. Sharon Tan has completed her seven-month jail term.

3. What did the six do?
They misappropriated $24 million in CHC's building funds through sham bond investments in music production firm Xtron and glass maker Firna.
They then misused a further $26 million to cover up the initial crime. These bonds were used to fund the Crossover Project, a church mission to spread the Gospel through the secular music career of Kong's wife, pop singer Ho Yeow Sun.

4. What were their original convictions and sentences?
The six were originally charged and convicted of CBT as agents, under Section 409 of the Penal Code.
They were handed jail terms ranging from 21 months to eight years in November 2015.

5. Was there an appeal, and what was the outcome?
The six appealed against their convictions and sentences, while the prosecution appealed for harsher sentences.
The prosecution had appealed for sentences ranging from five to 12 years for the six.
Deciding on the appeals last April, the High Court, in a split 2-1 decision, cleared the six of CBT as agents and found them guilty of plain CBT under Section 406 of the Penal Code.
As a result, their jail terms were cut to between seven months and 3½ years.

6. What happened after the appeal?
The prosecution then applied for a rarely invoked criminal reference, to seek a definitive ruling from the Court of Appeal as well as to reinstate the original convictions.
The prosecution was led by Deputy Attorney-General Hri Kumar Nair in the hearing in August last year. The Court of Appeal had reserved judgment.
Day 2: Group Work
Detailed Instructions and Templates
Step 1 Risk Register (4 templates) to be completed in 60 mins
Step 2 Risk Matrix (1 template) to be completed in 15 mins
Step 3 Risk Action Plans (1 template) to be completed in 30 mins
Step 4 Preparation of Presentation of Risk Matrix and Risk Action Plan to be
completed in 30 mins
Step 5 Presentation (15 minutes) of Risk Matrix and Risk Action Plan
Step 6 Feedback by “NPO’s Board” (10 minutes)

Reflections
Day 2 Effective Risk Management for NPOs

1. Summarize your personal take away from today’s session.
2. What are some of your follow up action items?

Presentation of certificates
ANNEX: RISK GLOSSARY

• Risks are anything that will obstruct or prevent achievement of the organisation’s goals or objectives. They arise from uncertainties that may or may not be foreseen. An example is a change in weather that could result in stoppages in a project.
• Operational risks might arise from problematic processes, policies, systems or events that disrupt the organisation’s operations. An example is obsolete systems that cannot cope with the new operations.
• Financial risks refer to dangers that cause money losses in capital, investments or other financial assets. An example is a failed programme that led to financial losses.
• Compliance risks arise from potential exposure to legal penalties and sanctions in failing to meet laws and regulations, internal policies or prescribed best practices. An example is non-compliance with the governance code set by the Charity Commission.
• Risk assessment/evaluation is a systematic process of identifying, analyzing and controlling risks. It is normally performed by a person with a good understanding of the risks impacting the organisation. A risk assessment is critical to ensure that the organisation is aware of the risks confronting it and of its existing actions in mitigating these risks. It also provides potential solutions for managing new risks.
• Risk map (risk heat map) is a pictorial way of presenting the risks an organization faces. It is usually shown in two dimensions, likelihood and impact. Traffic-light colours are used, with red being high risks and green being low risks. These maps can be 3x3, 3x4, … with the complex ones drawn as 5x5.


• Likelihood means the possibility of a potential risk occurring. It can be assessed through judgment or using past statistics. Generally, categories such as low, medium or high are used in risk assessments. A high likelihood means that the risk may occur often, whilst a low likelihood means a risk that rarely happens.
• Impact is an estimate of the potential losses associated with an identified risk. It is normally associated with a dollar value and classified similarly to likelihood.
• Top risks refer to the most severe risks that will harm the organisation and may lead to going concern issues. An example is loss of the licence to operate because the organisation pollutes the local environment and causes loss of lives.
• Risk mitigation refers to planning for risks, including disasters, and controls to reduce the negative impacts. Although an organisation should mitigate all potential risks, a cost benefit analysis is usually undertaken to prepare for major risks first.
• Risk register is a list for documenting risks, their gross and net likelihoods and impacts, and the associated mitigating actions to manage each risk.
• Risk action report is a document indicating which risks would require additional actions and controls to manage the risks better. Actions could be through reviews and approvals in these areas.
• Risk governance comprises the actions, processes, policies and structures to ensure that risks are owned, managed properly and reported to the Board for effective governance.