Background and Rationale
Risk management has always been a key priority in Trócaire with a focus on security risk in the challenging countries where Trócaire operates. In recent years safeguarding, information security and other risks have escalated for INGOs. In 2017, the Board commissioned an external review of Board Effectiveness, which stated the following:
“While Trócaire’s risk framework is embedded in the culture of the organisation, and the board committees are attuned to the risks in their areas of responsibility, the board as a whole needs to step up its oversight and co-ordination of risk management, focusing in particular on strategic and reputational risks.”
The recommendations were;
- Reporting on risk needs to move on from risk registers to more board-friendly reporting.
- Board agendas need to table risk as an agenda item on a regular basis.
- The committee chairs should liaise with each on risk matters on a regular basis.
- The board needs to approve a risk appetite statement.
These recommendations were implemented in the period from January 2018 to June 2019. In implementing them, the challenge was to re-energise risk management, moving it from a compliance driven process to one which could be used for strategic advantage and assurance purposes at Board level. At the same time, we had to make risk management relate to staff throughout the organisation.
Summary of Achievements in Risk Management
From | To |
Risk Appetite Statement not developed | Risk Appetite Statement in place and communicated internally and externally |
Annual Report: top strategic risks are described | Annual Report: detailed disclosures on top strategic risks, including fraud, security and safeguarding incidents |
No Risk Maturity Assessment | Risk Maturity Assessment carried out leading to Action Plan |
Risk discussed at Board & Committee level. | Deep-dives on risk at Committee level, with onward reporting to Board. |
Detailed risk registers presented to Board and Committees | Executive summaries including heat maps and charts presented to Board |
Approach and Solution
Expert advice was given by one member of the Audit & Risk Committee (ARC), Karen Dillon. Karen lectures on Risk Management with the Institute of Chartered Accountants and has been chief risk officer at a series of banks. Chris Queenan, the Chair of ARC directed the work. He gathered journal articles on Risk Appetite Statements and instructed the Director of Corporate Services, Michael Wickham Moriarty. Michael and the Internal Audit team worked on the risk issues. They looked at best practice in other NGOs globally. At each stage they reported back to the ARC, the CEO and the Board.
Improvements in risk reporting was the first step. While detailed risk registers were maintained, these were no longer provided to Board or Committees. Executive Risk Reports were prepared using Heat Maps, and charts showing movement and trends in strategic risks. These included summaries on key issues such as emerging risks, significant changes and red-flag issues. These reports allowed the Board and ARC to get regular overviews and assurances on the management of Strategic Risks, without dominating the time available for risk discussions.
Through this more efficient reporting, the Board and its Committees had more time available for “deep-dive” discussions on specific strategic risks. These “deep-dives” ensured the Board had more familiarity with strategic risks and could direct appropriate responses.
Committee Chairs liaised on the strategic risks that they were responsible for at Board meetings and between meetings. This liaison enabled Committee Chairs to agree on moving specific strategic risks between committees. For example, Institutional Funding Risk moved from the Funding & Public Engagement Committee to the International Programmes Advisory Committee. Safeguarding Risk moved from the International Programmes Advisory Committee to the Organisation & Human Resources Committee.
Each Committee considered its strategic risks and determined;
-how familiar they and the Board were with the risk (whether a further “deep-dive” was required),
-what their tolerances and “no-go” areas concerning that risk were.
This Committee work provided the material for the development of a Risk Appetite Statement. The first Risk Appetite Statement was approved by the Board in June 2019 and elements of it were published in the 2018/2019 Annual Report.
How this has Improved Governance
One major outcome of this work has been increased transparency to stakeholders on risk management. The 2017/2018 Annual Report had detailed disclosures on the top strategic risks, including quantitative disclosures on fraud and security incidents. The 2018 /2019 Annual Report went further disclosing the investigation of safeguarding allegations and complaints handling.
The “deep-dives” on risk have enabled the Board to direct the Executive Team and allocate resources based on the risks. For example, Board decisions on investment in door-to-door fundraising and HR Systems development followed separate discussions on public income security and IT systems risks. Following a “deep-dive” at ARC on Information Security risk, this was escalated to the Board and directed as a major priority for the Executive in 2019.
The Internal Audit plan is fully aligned to the strategic risk register, meaning that the Board also receives independent assurances on the management of strategic risks.
The Risk Appetite Statement enables the Executive to communicate to staff throughout Trócaire the Board approved risk approach. We made sure that the statement was framed in a clear, understandable way, so that staff at all levels could see the Board’s expectations of how risk should be managed.
A risk maturity assessment carried in May 2019 directs the focus for future risk management work.