A breakout session at The Trialogue Business in Society Conference 2019 explored the implementation of risk management processes in the context of social development. The importance of risk management had been emphasised by Louisa Zondo of Oxfam South Africa in a prior plenary session. Zondo had made the point that it “takes years to build a reputation, and only five minutes for it to be ruined,” referring to the 2018 Oxfam sexual exploitation scandal in Haiti. The scandal resulted in £16 million pounds of Oxfam’s donor funding being pulled overnight. Zondo added that, prior to the scandal, this type of risk was not even on their radar, and that “you cannot manage what you do not know”.
With this in mind, Nozuko Nkumanda and Megan Lawrence of Social Impact Partners provided attendees with a practical guide to implementing risk management.
What is meant by risk?
Risk combines the notion of uncertainty, likelihood and undesirable outcomes. According to the Business Dictionary, risk is “a probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities”.
Six types of risk were discussed. These included risks that are external to the organisation, such as environmental, economic, and geopolitical, and those that are internal: legal, programmatic and technological:
- Environmental, e.g. severe weather conditions
- Economic, e.g. exchange rate fluctuations
- Geopolitical, e.g. threats caused by events like terrorism, war, sanctions, unstable governments, etc.
- Legal/organisational, e.g. fraud and corruption
- Programmatic, e.g. running out of funding
- Technological, e.g. lack of data management and computer viruses
Risk management, therefore, refers to the creation of a formal framework that is implemented by an organisation to deal with the risks that it faces, by understanding and determining how to mitigate them. A typical risk management cycle would include identifying risks, plotting or ‘heat mapping’ the risks on a matrix with the x-axis for the impact of the risk, and the y-axis for the likelihood of the risk occurring. The risks should then be analysed and decisions should be made on the appropriate actions to deal with each risk.
Key actions for managing risk
Awareness of risks provide an organisation with the opportunity to decide on an appropriate course of action. There are four main actions when it comes to managing risk:
i. Avoiding, in other words, the organisation refuses to engage in activities carrying the identified risk. For instance, the example used in the session was of an international donor organisation who had provided support in the form of HIV test kits to Zambia. The test kits had been stolen. In order to avoid this type of risk, the donor organisation could have decided to forgo provision of support to Zambia, as they had identified a high risk of the HIV test kits being stolen.
ii. Mitigating risk is done to lessen any negative consequence or impact of the risk. Using the example above, a risk mitigation strategy would be to increase the level of security at the warehouse where the HIV test kits were stolen.
iii. Transferring the impact and management of the risk to someone else. For example, by insuring the HIV test kits, if the risk of theft materialised, the impact would be on the insurance company who would have to pay out for the stolen kits.
iv. Accepting the risk means that the organisation would take no action. The organisation accepts that it might happen and that they will deal with it if it does.
How CSI can support risk management in development
Companies should consider how they could de-risk social investments by:
• Requesting recipients of funding to demonstrate their awareness of external and internal risks.
• Developing their own risk register for the development projects that are being supported and sharing these findings with recipients in order to inform risk management strategies.
• Considering how they can support the co-development of risk management strategies with the recipients of their funding.
• Investigating different mechanisms of releasing funds or aggregated solutions across different programmes e.g. grouped risk financing (think of projects collectively vs individually).
IMAGE: Nozuko Nkumanda (Social Impact Partners)
Article written by Damian Watson
Photo taken by Cobus Oosthuizen