Most Indigenous corporations undergo rigorous planning rituals.
They prepare strategic plans and many then operationalise them by preparing details business plans. Yet, one of the most important planning rituals for an Indigenous corporation is rarely executed - their Risk Management Plan.
Despite all the strategies and business plan action steps, the future is not predictable. Many unpredicted things can happen in just the year ahead, some bringing good fortune, others potential catastrophe. Indigenous organisations face the possibility of changes to funding models, changes in legislation, political pressure, community disasters, fire, cyclone damage and the volatility of the economy.
The task to all Indigenous organisations is to be prepared. In many instances that I know of, risk management planning is not implemented because the Board and management "don't know what to do." The tools to deal with disaster is not in their toolkit so it is easy to say "we'll deal with it if it happens."
However, if what might happen cannot be predicted, the fact that something will happen is undeniable. The challenge is to narrow down the risks in the external and internal environments, by putting strategies in place for many lesser risks, so that only a few remain that require contingency plans.
To do this, you must first recognise potential risks.
You can group them into categories: -
- Risks related to your immediate industry or service;
- Risks relating to your financial environment;
- Risks relating to your external environment; and
- Risks relating to your corporation.
Your immediate industry or service is the industry or service you are incorporated to service or provide. From time to time, different industries may face risky times. The cattle industry for example, if you own a cattle station, is open to risks associated with markets where Indonesia for one might cut access, or to risks associated with the debate on live export. If you are in the health industry, the implementation of NDIS may carry certain risks for you.
Your financial environment is where the money comes in and goes out. Risks include fraud, operational losses through the loss of demand or increasing competition, the change to funding models and grants like when the IAS was introduced, and losses through inefficiency and poor investment.
There are also risks in a global sense. The Global Financial Crisis affected many Indigenous organisations as industry working on their lands retracted and royalty streams dried out. Even tension in the Middle-East brings risks from the increased cost of fuel, and climate change can be catastrophic for many Indigenous organisations operating in regional areas in the drought.
Finally, don't forget the environment in your corporation. This, along with your financial environment, are potentially the most important to consider, and certainly the most within your control. However to control these risks you need to identify their possibility. These internal corporation risks include the capability of management, infrastructure or equipment failure community feuds and arguments, nepotism, Board dysfunction, among others.
In identifying potential risks, simply ask questions that start with "what if."
For example, focusing on your immediate industry or service: -
- What if the government took over the services we provide?
- What if a major competitor opens in our region?
- And so on.
In the category of the financial environment: -
- What if one of our staff commit fraud?
- What if the grant conditions were tightened?
- And so on.
In the external environment: -
- What if the country fell into recession?
- What if a bush fire devastates our community?
- And so on.
Finally, in the corporate environment: -
- What if our community splits?
- What if we lose internet connection?
- And so on.
The answers to these questions will point out the potential risks to your organisation so you then need to evaluate those risks in terms of likelihood and consequence.
Providing yourself with a scale, where 1 is least likely (or least frequency of happening) and 5 is most likely or will happen most frequently, score each risk with a score from 1 to 5 of likelihood or frequency.
Do the same with a score of 1 to 5 of the consequence or impact, financial or otherwise.
For example, the risk to a corporation that it might lose grant funding (in the post-IAS implementation era!) might be 3; and the consequence might be 5 since it has very little other income.
The severity of the risk is then calculated by multiplying the likelihood score and the consequence score.
In this example, 3x5 = 15.
Going through all the risks, a "league table" of critical to acceptable risks will appear. What is the cut-off score between acceptable and dangerous and then critical is a matter of judgement. In general, the scores can be evaluated as follows: -
- A score of 0 represents no risk - the cost of management of these risks is probably disproportionate to the effect of the risk;
- Scores of 1 to 3 represent a low risk - these can be fixed immediately if practical, otherwise build their solutions in future changes to that area of concern;
- Scores of 4 to 6 represent moderate risk - these may need corrective action through planning and resourcing;
- Scores of 8* to 12 represent high risk - and require immediate corrective action;
- Scores of 15 to 25 represent extreme risk - these need immediate corrective action while any processes involved in work in the area should be stopped until corrected.
*Due to the way the formula works, multiplying a number between 1 and 5 with another number between 1 and 5, the following scores will never be calculated - 7, 11, 13, 14, 17, 18, 19.
Having identified the necessity for action, you then need to manage the risk by assessing if you can: -
- Avoid the risk;
- Reducing either the likelihood or the consequence of the risk;
- Transferring the risk; or
- Accepting the risk.
Avoiding the risk can be done by stopping whatever process runs the risk of happening. For example, if the risk is a loss through potential theft from the cash held in the safe, you can stop the use of cash and make all transactions electronically.
Reducing the risk can be done by reducing the likelihood of the risk happening. For example, if the risk is a serious loss of computer data through the loss of power, you can install an uninterruptible power supply.
On the other hand, you can also reduce the risk by reducing the consequences of it happening. An example is the risk of closure due to the loss of program funds. You can proactively seek different funding sources before it happens or create social venture funding streams so all your eggs are not in one basket.
Transferring the risk is where you transfer the consequences to someone else. Insurance is a classic example of this strategy, as are product warranties.
Finally, accepting the risk is a possible strategy especially where the risk is nil or low, where the reason for the low risk is the rarity of it happening.
Risk management is not a difficult idea to manage. It may be strange and something your corporation has little experience over, but you do not need to be an expert in everything to design and implement strategies that can kick in for serious contingencies.
Risk management planning is a logical process that any management team can implement by following the simple steps above. The strategies are not hard to devise once you understand what the risks are made up of. So, you really have no excuse to avoid getting your risk management right. In fact, it is critical that you do.