Social Enterprise Learning Toolkit (Risk Management Module)
1. Risk Management
for Social Enterprise
An enp Strengthening Your Skills workshop
1
2. Workshop Objectives
At the end of this workshop, you will be able to:
2 Understand what constitutes a risk and/or an
opportunity.
3 Apply the process of managing risk.
4 Use the tools and techniques to support risk
management in your social enterprise.
2
3. Risk Management is an integral part of
managing a sustainable social enterprise
Social
Enterprise
Learning
Toolkit
Source: www.enterprisingnonprofits.ca/learning-toolkits
3
4. Where are you along the Social
Enterprise Development Path ?
Social Enterprise Development Path
Opportunity Business
Start-Up Strengthening
Identification Plan
Organizational Feasibility Launch
Evaluation
Readiness Study Preparation
Source: The Canadian Social Enterprise Guide (2nd edition)
4
5. What is a risk?
A risk is anything that might happen and that,
if it did happen, would have an impact (+/-)
on the ability of a social enterprise to
accomplish its mission.
5
6. What is Risk Management?
Risk Management is a process that enables a
social enterprise to cope with uncertainty by
taking proactive steps to protect its assets &
resources.
6
7. Why manage risk?
The benefits of Risk Management
• identifies risks and opportunities not already
considered
• effectively constrains risks to acceptable levels
• informs decisions about exploiting
opportunities
• increases stakeholder confidence in achieving
desired outcomes
7
8. How do you manage risk?
Identify
Risk
Review & Assess
Report Risk Risk
Manage
Risk
8
12. Property
• Partial or total loss of premises
• Theft of equipment, inventory, cash,
information
• Intellectual property compromised
• Brand & reputation damaged
12
13. Liability
• Injury to clients, general public
• Product liability
• Damage to property of others
• Breach of contract
• Professional liability
13
14. Income
• Loss of grant funding
• Revenue shortfalls
• Fire, floods, natural disasters
• Change in market conditions
14
15. Compliance
• Laws & regulations - knowing what
applies to your social enterprise
• Legal responsibilities of employers
• Workplace health & safety
• Human Rights
• Privacy
15
16. 5 Types of Risk Summary
People Property Liability Income Compliance
Workplace Partial or total Injury to clients, Loss of grant Laws &
injuries loss of premises general public funding regulations -
knowing what
applies to your
social enterprise
Death, Theft of Product liability Revenue Legal
disability, equipment, shortfalls responsibilities
retirement inventory, cash, of employers
information
Resignation Intellectual Damage to Fire, floods, Workplace
property property of natural health & safety
compromised others disasters
Disengagement Brand & Breach of Change in Human Rights
reputation contract market
damaged conditions
Professional Privacy
liability
16
18. 5 Types of Risk
• People
• Property
• Liability
• Income
• Compliance
18
19. Identifying Risk
• Types of exposures
• Get input from many stakeholders – board,
managers, staff, clients, partners and suppliers
• Use external facilitation/resources if possible
• Own the process
19
22. Assessing Risk
Probability 1 2 3
Extremely Likely Extremely
Impact unlikely likely
1 Not critical 1 2 3
1 Significant 2 4 6
1 Fundamental to
3 6 9
continuing operations
Priority
Impact x Probability = Risk score Low
Medium
High
22
23. Assessing Risk
Activity 2
Consider the risks that face your own social
enterprise, or one with which you are
familiar:
•Identify 3 risks that the organization faces
•Use the simple matrix on the next slide to
give them scores and determine the levels
of risk
23
24. Risk Assessment Matrix
Activity 2
Probability 1 2 3
Extremely Likely Extremely
Impact unlikely likely
1 Not critical 1 2 3
1 Significant 2 4 6
1 Fundamental to
3 6 9
continuing operations
Priority
Low
Impact x Probability = Risk score Medium
High
24
26. Managing Risk – 5 Strategies
The risk may be acceptable without any further action being taken.
The ability to do anything about some risks may be limited, or the
Accept cost of taking any action may be disproportionate to the potential
benefit gained.
Most risks will be addressed in this way. Actions are taken to
Treat mitigate the impact and/or probability of the risk to an acceptable
level.
For some risks the best response may be to transfer them for
Transfer example, by taking out insurance. Some risks are not (fully)
transferable – e.g. reputational risk.
Avoid Some risks will only be treatable eliminating the source of the risk.
This is not an alternative to those above but an option which
Take the
should be considered whenever accepting, transferring or treating
Opportunity a risk. Do circumstances arise which offer positive outcomes?
26
28. Reviewing and Reporting Risk
• Why review and report?
• Frequency of review
• Who “owns” the risk
28
29. Risk Register
Description of Risk
Probability (Low/Med/High)
Impact (Low/Med/High)
Rating (score)
Risk Owner
Strategy to deal with Risk –
(accept, treat, transfer,
avoid, take the opportunity)
Cost $
Cost Time
Frequency of Review
Re-assessor
29
30. Create a Risk Register
Activity 3
For each of the 3 risks that you identified in
Activity 2:
•Complete the table on the previous slide
(you can download the worksheet).
For your own organization you will need to
do this for each of the risks, producing a
risk register.
30
32. Tools and templates you can
download
• User Guide & Glossary
• Risk Types Chart
• Risk Management techniques chart
• Risk Assessment matrix
• Risk Register
32
33. Take action – your next steps!
• Use the risk management process to
produce a risk register for your
social enterprise.
• Download and use the tools and
templates provided.
• Review and update your risk register
regularly as part your ongoing
management practices!
33
Notes de l'éditeur
RM is an integral part of managing a sustainable SE It is part of and integrates with all of the other skills areas shown on the " Flower" There are specific techniques and tools that can be used to proactively manage risk
The Risk management techniques and tools that we are going to review today can and should be used at every stage of the development path. For this workshop we are going to focus on social enterprises that are IN LAUNCH PREPARATION or are already in operation
There are many sorts of risks that can affect social enterprise, from financial or legal, to environmental risks or the loss of staff. Different risks can affect your enterprise in different ways. Risks are threats, issues, events or opportunities, if it happened, could have a positive or negative effect on your enterprise. Risks may: cost you money cause your social enterprise to fail or be less successful damage your reputation Opportunities may positively impact your social enterprise
Challenge the participants...what is their definition of Risk Management ? Key word is proactive - identifying and actively managing risks and opportunities is better than being reactive Example – recovering from a major disaster – Haiti vs. New Zealand Managing risk is about identifying all the actions that your enterprise can carry out before anything actually happens to make sure that things go as smoothly as possible. It is also about making sure that even if a potential risk does become a reality, that your Social Enterprise can carry on operating.
Build exercise with work shop participants using flipchart/whiteboard Stakeholder buy in and support is very important to achieve a successful RM process. Your RM process should have demonstrable benefits. Adjust your outcomes based on risk management adjust business model or outcomes as per David's comments on Strategic plan Risk is uncertainty of outcome, and good risk management allows an organization to: have increased confidence in achieving its desired outcomes; effectively constrain threats to acceptable levels; and take informed decisions about exploiting opportunities. Good risk management also allows stakeholders to have increased confidence in the enterprise’s governance and ability to deliver against the stated aims and vision. Also, carrying out a risk management process might help your organisation to identify threats and also consider opportunities that you had not already considered. Every enterprise, no matter how big or small should understand the potential risks that face it and think about ways in which they can be managed
There are 4 key Risk Management Steps Risk management should be part of a cycle of continuous improvement since risk will never be totally eliminated.
1 st Step is Identify Risk Must know what risks & opportunities our social enterprise may have, in order to proactively manage them.
There are 5 broad buckets or types of risks found in most social enterprises. People, Property, Liability, Income, Compliance Review types of risks and... Challenge workshop participants to come up with examples of each type of risk from their own social enterprises
GROUP EXERCISE – ask participants to work at their tables If group is larger or in pairs if smaller group. Do Good Landscaping #1 Cool Threads Thrift Store #2 Events can trigger multiple exposures. Give the participants the scenarios and ask them to identify the risk (opportunity) exposures. Do Good Landscaping Company ( pure risk) Risk Exposures: People – driver is injured, cannot work for several weeks. Cost to replace him/her Property – truck is badly damaged and must be repaired/replaced. Costs include temporary replacement, insurance deductibles etc. Liability – injured pedestrian, damage to storefront. Costs could include insurance deductibles, defence costs if sued by either 3 rd party. Income – loss of truck, cost of insurance deductibles, potential loss of revenue due to damage to reputation. Cool Threads Thrift Store ( speculative risk) Opportunity & Risk Exposures: Opportunity – large supply of new clothing that can be sold in store, generating significant revenue People – stress to current workforce of additional hours for receiving/managing inventory Property – Additional inventory. Costs include renting and insuring storage, loss prevention? Income – additional staffing costs ( unloading/storage), temporary storage of products, how to deal with goods that not be suitable for sale in your market
Leave this slide on screen for audience reference for Activity 1
In order to manage risk, an organization needs to know what risks it faces, and to evaluate them. Identifying risks is the first step in building the organization’s risk profile. Ideally this first step should be done with support from an external facilitator
risk information should be drawn from a variety of sources Some information and tools can be obtained from suppliers e.g. risk surveys and questionnaires from insurance brokers, consultants
Assessment needs to be done by evaluating both the likelihood of the risk being realised, and of the impact if the risk is real Once you have considered your risks, then each needs to be assessed as to their potential negative impact – potential risk- to your organization. This activity is a typical process of risk analysis and a useful way to weigh each resource. Probability For each of the risks that you have identified, assess the likelihood of them occurring on the following scale: extremely unlikely likely extremely likely Impact Then consider, if the risk did happen how it would impact on your organisation: Not critical significant impact; would not affect continued operations in the short term but might in the long term fundamental to continuing operations Take each risk you have identified, question each item as to probability and its impact and then find its place on the matrix. You will know from this exercise what the core of risk is which will be associated with the risk. The next step is to construct a table with each resource scored for risk. The scores are derived by multiplying the number from the Probability axis with the number from the Impact axis. Once risks have been assessed, the risk priorities for the organisation will emerge. The less acceptable the effect of a risk, the higher the priority. The highest priority risks (the key risks) should be given regular attention at the highest level of the enterprise, and should consequently be considered regularly by management. The specific risk priorities will change over time as specific risks are addressed and prioritisation will need to change to reflect this.
Think about your enterprise and identify 3 risks that face it at the moment / imagine 3 risks for a fictitious Social Enterprise. Enter these risks into the Risk Register Hand-out. For each of the risks that you have identified, asses the likelihood / impact of their occurrence on the following scale: Likelihood extremely unlikely likely extremely likely; frequent occurrence Impact Not critical significant impact; would not affect continued operations in the short term but might in the long term fundamental to continuing operations Risks that are low probability and low impact should not be cause for concern unless it scores higher next time you review it (score 1 / 2) Risks that get a rating of 3 or 4 - identify the actions that your enterprise can undertake to reduce the likelihood of the risk happening and the impact that it will have. Consider what will happen if the risk does materialise High rated risks (6 – 9) – identify the actions that your enterprise can undertake to reduce the likelihood of the risk happening and the impact that it will have and implement these actions. The higher the priority of the risk, the sooner you should manage it.
Leave on screen during Activity 2 for reference
Traditionally, there are 5 basic risk management strategies that can be used to decrease the probability or the impact of an identified risk. The purpose of addressing risks is to turn uncertainty to the enterprise’s benefit by constraining threats and taking advantage of opportunities Challenge the participants to think of some examples from their own social enterprises
The management of risk has to be reviewed and reported on for two reasons: - To monitor whether or not the risk profile is changing; - To gain assurance that risk management is effective, and to identify when further action is necessary.
Relate the RM 4 steps to the Plan, Do, Study, Act cycle