Charities are guardians of the public’s trust. They operate on a not-for-profit basis, perform activities that benefit the public and are established for charitable purposes only. Hence, it is essential that charities are protected from risks where the ethical and structural integrity of the organisation could be compromised. In order to prevent or overcome such liabilities, effective management of potential risks must be implemented.
In this respect, Singapore charities face a multitude of challenges in the various pillars within the corporate governance space. One of the key challenges is risk management – many charities do not have a defined policy or way to manage risk, or are unsure if such a policy exists.1
Regarding this area, the top three challenges they face are a lack of experience or expertise in risk management (79.3 per cent), human resources to carry out risk-management activities (70.3 per cent), and financial resources to put in place risk-management practices (59 per cent).2
This article seeks to discuss some of the key challenges charities encounter in Singapore, and how they can better position their organisation to weather these challenges.
Simply put, risk management is the capability to identify, evaluate and address possible scenarios where things can go wrong. The negative impact of these scenarios, or risks, must be minimised or controlled via risk mitigation strategies. As a starting point, charities can consider the following questions: “What are my organisation’s key risks?” and “What happens if these risks materialised within my organisation?” For example, risks related to the loss of funding from potential donors or funds mismanagement may arise. However, in today’s society, the impact arising from the miscalculation of public relation matters will result in reputational risk, which could prove detrimental.
Hence, risk management is an essential component for charity organisations to promote and enhance their corporate governance values. With a “pragmatic & sustainable” risk management framework, charities will be able to maximise the opportunities available to them and encourage the public’s trust.
TYPES OF RISKS
Although the existing risk landscape may differ and comes in diverse forms, in general, the table below typically describes key risks category that charities may encounter:
Formal risk management procedures must be implemented in order to mitigate risks effectively. To cite an example, one charity had discovered funds were missing from its accounts and with proper controls in place, the misconduct was detected, and the Board promptly responded to the issue. Fortunately, much of the funds could be recovered, and this lessened the negative impact on the organisation.
RISK MANAGEMENT STRATEGY: INTERNAL CONTROLS
In general, there are laws and guidelines for charities to abide by as part of regulatory measures and having risk management policies is one of the pillars governing charities.
Proper risk management strategies help charities identify potential risks and via a sound system of internal controls, the risks are mitigated and / or reduced. A well-functioning set of internal controls strengthens transparency and accountability – it also ensures that the financial reporting complies with the regulatory requirements.
The compliance landscape in Singapore is rapidly changing as announced by the Ministry of Culture, Community and Youth (“MCCY”). Charities could be graded by next year, as part of a new regulatory compliance indicator.
This new indicator will reveal whether a charity has met the minimum 80 per cent compliance prescribed in the Code of Governance for Charities and IPCS.3 Further, the audit opinion in the independent auditor’s report on the charity’s financial statements will be taken into account.4
At a glance, such information will help the public decide which charities to donate to. Therefore, the importance of sound risk management policies and internal controls cannot be understated.
INTERNAL AUDIT AS PART OF INTERNAL CONTROLS
It is common for charities to engage external auditors to conduct their annual statutory audit. However, the need for internal audits is not widely understood by many in the sector, which can present challenges for the function. Board members need to understand and examine the role of the Internal Audit (“IA”) function, which is to assess the internal controls system and also, to benchmark existing controls with “best practices”.
As an independent and objective pillar of the organisation, the IA function evaluates whether the charity’s set of internal controls are effective and efficient. By performing internal audits, it will raise awareness to the Board and senior management and more importantly, raise the “Corporate Governance bar”.
THREE LINES OF DEFENCE
The “three lines of defence” model below offers a holistic approach to link key risks with internal controls5:
The first and second lines of defence are critical in developing corresponding strategies that help to manage identified risks. The IA function, acting as the independent party, then reviews whether the internal controls designs are “functioning-as-per-designed”. With such an organisational structure, the charity is effectively positioned to uphold standards of governance and risk management.
At Mazars, we have worked with various organisations sharing the best practices from two widely recognised risk management frameworks:
the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) Enterprise Risk Management Integrated Framework, and
the International Organization for Standardization (“ISO”) Standard 31000: Risk Management Principle and Guidelines.
Both frameworks involve viewing risk holistically and horizontally across an organisation. This means there is a strong focus on the evaluation, treatment and monitoring of risks. In addition, their emphasis on assessing risk as threats constantly evolve, places these frameworks as the industry standard. Though many may find these processes complex, the adoption of COSO or ISO 31000 should be considered as the baseline.
Charities work to serve the public good and are thereby obligated to exhibit greater compliance, professionalism and governance. To achieve these, they will need robust risk management strategies and strong internal controls to mitigate key risks.
Growing charities might face challenges to develop, sustain and operationalise a robust ERM framework. This is due to the fact that risk management is a multi-faceted subject that requires careful consideration of all stakeholders involved. No matter the size of the charity, one can expect challenges to continuously emerge as the compliance landscape continues to evolve. Managing these will require the collective joint-efforts of the three lines of defence.
HOW WE CAN HELP
We provide world-class ERM solutions to organisations like yours. We work collaboratively with you to provide services in areas where you may lack resources and/or ‘know-hows”. We provide resources with the relevant skills and knowledge you require, or train your people to provide them with the competencies you need.
With our in-depth knowledge in this space, Mazars can assist you in effectively integrate your risk management with your internal controls and embed these controls into your daily processes. Do reach out to us for any clarification or request for a complimentary scan of your Corporate governance maturity through our business enquiry form.