
An introduction to Risk Management

What is risk?

Risk is virtually anything that threatens or limits the ability of an organisation to achieve its mission.


It can be unexpected and unpredictable events such as the destruction of a building, the wiping of all your computer files, loss of funds through theft, or an injury to a member or visitor who trips on a slippery floor and decides to sue. Any of these or a million other things can happen, and if they do they have the potential to damage your organisation, cost you money, or, in a worst-case scenario, cause your organisation to close.

What is risk management?

Risk management is a process of thinking systematically about all possible risks, problems or disasters before they happen and setting up procedures that will avoid the risk, or minimise its impact, or cope with its impact. It is basically setting up a process where you can identify the risk and set up a strategy to control or deal with it.


It is also about making a realistic evaluation of the true level of risk. The chance of a tidal wave taking out your annual beach picnic is fairly slim. The chance of your group's bus being involved in a road accident is a bit more pressing.



Risk management begins with three basic questions:

  1. What can go wrong?

  2. What will we do to prevent it?

  3. What will we do if it happens?

Why should we bother with risk management?


1. For your own safety

    You want an atmosphere where everyone in your group feels safe and secure and knows their safety and security is one of the paramount considerations in every activity your group undertakes.

2. For the safety of others

    The mission of most community groups is to help people, not harm them. If you are providing services for outside clients/groups, the aim is to enhance their lives, not do something that causes them pain, either physical or mental.


3. The threat of possible litigation

    In the current circumstances this is a very real threat. Litigation is increasing, according to the Insurance Council of Australia, as is the size of the payouts for people who successfully sue. Not every organisation has faced legal action, and not everyone who gets hurt then sues over it, but by setting up a risk management strategy you can reduce the chance of people taking costly legal action against you that will financially hurt your organisation.

Risk management systems

Setting up risk management systems is about preparing some written procedures to be put in place to ensure you know what, how, and when action has been undertaken or is to be undertaken - and by whom.


While it is important that your risk management plan takes in as many possibilities as possible, it is also important that your system be easily understood by your management team.


To be effective, it has to be workable.

Step One: Make somebody responsible for risk management

If you're a very small organisation, appoint a risk manager. If you're slightly larger, set up a risk management committee with representatives from all the people involved - the board, staff, volunteers, clients - to review the risks you face.

Step Two: Review your group and identify the risks

Have the person or the committee review your premises, your financial procedures, your equipment, your human relations practices, and your client operations to identify any risks, risky behaviour or practices. Ask what could go wrong and what protections you have in place against them going wrong. It's important to get everyone involved to discuss any possible flaws in your practices and procedures.

Identifying risk

Risks come in two kinds: risks that apply to every workplace or organisation, and risks that come from doing the particular work you do. In other words, there are unique risks faced by a welfare agency with volunteers working at night in high-risk areas, or a football club training on a poor surface, that are not shared by a bridge club meeting in the home of a committee member.

Standard risks


Occupational health and safety risks

Check:

  • Your physical surroundings (eg. dangerous machinery, kitchen, blind corners, electrical equipment, car parks, asbestos, passive smoking, playing surface, slippery floors, safety rails, working at heights etc)

  • Your work practices (eg. overwork, sexual harassment, termination procedures, nightwork, equal opportunity)

  • Your hazard management training (Is it safe? Do you comply with the relevant legislation?)

Financial and administrative risks

Check:

  • Your financial controls (eg. cheque handling, expenditure authorisation, financial reporting, insurance, petty cash box, bank accounts)

  • Your investment risks (eg. share loss, property market)

  • Your record maintenance (eg. computer backup, file integrity, privacy protection, meeting minutes, member database, accounts database)

  • Your legal status (incorporation status, Corporate/Government returns etc)

What could go wrong? What do you utterly depend on working?

Get everyone together for a brainstorming session where you can go through a range of hypothetical possibilities or "what ifs" - what if all your records disappeared in a fire? What if a key staff member left suddenly? What if you were sued for ten million dollars? - and ask how well you'd function if that happened. And - importantly - what you can do to ensure it doesn't.

Step Three: Fix what you can fix.

Change your systems, your procedures, your physical plant, or your attitudes to address the hazards. Have the risk manager or the risk management committee check that the changes have been made. Evaluate the effect of the changes. Review them regularly and modify them when needed.

You can't foresee all possible risks, and you're still going to be faced with the unexpected. Even so, it helps to have procedures. If you've planned for a flood, for example, and you get a fire, at least you have an evacuation plan in place. Remember, too, that your liability for whatever happens is going to be affected by whether or not people think that you've done all you reasonably could have to avoid it.

If someone's car is hit by a meteorite in the parking lot, people will cut you some slack for not putting up a sign warning of the possibility. If the one hundred and forty-fifth person to trip over the rug breaks their leg, you can expect less indulgence. You had 144 chances to fix the problem and didn't.

Evaluating and prioritising risk

All of this involves quite a lot of estimation. The next step involves even more estimation. Don't be afraid of guessing; it's better than waiting till you know for sure, because then it's too late. Draw up a simple grid.

Managing risk

After you've done this, look at the high-end risks and see which ones you can avoid altogether or eliminate, which ones can't be eliminated but can be reduced or modified to bring the risk within acceptable limits, which ones you can share with or give away to someone else (for example, you can get outside contractors to carry out dangerous operations after making sure they have the requisite insurance) and which ones you can insure against. Come up with concrete plans for each of these.

You also have to look at:

  • the balance between risk and benefit - you may be able to avoid the risk of abuse, for example, by dropping your services dealing with children, but that might remove the purpose for your organisation existing in the first place. Requiring a police check for all staff, or requiring and checking references, may diminish risk substantially.

  • the balance between risk and cost or convenience - you may be able to reduce the risk of falling down stairs by moving to a new building, but that could divert all your funds to a secondary purpose. Putting up handrails, warning signs and non-slip strips may lessen the risk.

You will also need to have a strategy in place for what to do when the disaster happens - who is going to be assigned to deal with it, how you are going to handle the public relations, and how you are going to keep the loyalty of your clients. Remember, public relations is one area where insurance isn't going to help you at all. If you run a swimming program you may be fully covered for the financial impact of a child suffering a serious injury while under your care, but you may need to be able to manage media and public concern that everything that could have been done was done and that there is one person to act as a spokesperson.

Avoiding risk

Ensuring that any contractors that come onto your premises are covered by their own insurance policy (eg. the merry go round operator has public liability insurance and has provided you with proof of its validity) will also help you avoid risk.

Minimising risk

One possible way of minimising the risk of litigation is by having your clients sign waivers before entering your service. It is important to realise that waivers do not constitute an excuse or protection for people or organisations that act in a negligent manner. And a waiver does not relieve the organisation from its duty of care to the person signing the waiver.

A waiver is valid only if all the possible foreseeable risks have been fully explained and everything reasonable has been done to eliminate, minimise or control the risk. A waiver works only to cover inherent risks, and does not cover negligence or excuse an organisation's failure to act when it could or should have. This area is a legal minefield in itself and waivers tend not to hold much credence in courts; however, they do tend to make people think twice about suing when they have signed something saying that they are aware that they are participating in an activity and have been made aware of all the possible risks that the activity could entail.

Disclaimers - statements about what you're accepting responsibility for or not accepting responsibility for - also do not excuse you from your duty of care. Putting up a sign saying that you're not liable for people slipping on the rug is not a protection if you have acknowledged that the rug is dangerous, have had numerous complaints and have still not done anything to remove the danger.

Insuring against risk

Insurance is not a substitute for risk management. Getting insurance only comes into the picture when you've done all you can to minimise risk. You can't foresee everything, though, and you can't avoid quite a lot of what you can foresee, and so you want to spread the risks across the sector, which means you need insurance.
