In the Non-Profit sector and specially in the emergency context, all NGOs work in an environment that includes different risk areas at once. These NGOs have to be agile and lean to understand, anticipate and response to those risks in timely manners to minimize these risks impact on their programs as well as strategic goals. Each NGO already has its own way to deal with risks and some of them don’t know that they are already mitigating risks and practicing risk management in one way or another. In this article I want to answer the question of: Shall NGOs have Risk Management Policy?
Before I answer this question, I would like to emphasize on a topic that I always advocate for which is embedding risk in different policies and procedures in other words Integrated Risk Management. This shall be combined with a strong risk culture that is conducive to effective risk management encourages open and upward communication, sharing of knowledge and best practices, continuous improvement and a strong commitment to ethical and responsible behavior.
In addition to the above and although I believe that risk officers in NGO’s shall not create any new documents, as they should instead integrate into the already available policies and procedures such as the security, programs, finance and other policies and SOPs. However, there is one exception which is the Risk Management policy and below I will illustrate my reasons behind this strong believe.
Firstly, Risk Management Policy help the NGs to achieve its strategic plan as leaders need to identify the overall business strategies and objectives and align the approach of risk management with them. By doing so, leadership can more accurately assess the risk appetite and culture of the organization in order to create a focused and integrated risk strategy. These risk appetite and tolerance levels can be documented in the risk policy and also could be referred to this policy by other policies to better synchronize the risk management processes intake.
In addition to that, risk culture of an organization is set at a strategic level but is the responsibility of leadership to communicate this to all individuals in the business. This ensures that the approach to risk is completely aligned at every level, and that risk management processes are appropriately delivered in accordance with overall NGO goals. The expected risk attitude can be added to the risk policy to set the expectation level of the NGO staff and third party contractors towards risk.
Finally, it’s a good document to share with internal such as the board, employees and volunteers and external stakeholders like donors, partners, beneficiaries, authorities, etc. to acknowledge the fact about how serious the NGO about the risk management. Here I would also recommend to share such policy in the NGO website to better communicate it to these mentioned stakeholders.
After I answered the question of why we as NGO’s shall have a risk Management policy, the question of what shall be included in the Risk Management Policy will automatically arise. To answer this, I have to make it clear that there is no one size fits all when it come to policy writing and managing procedures. I would recommend – at the minimum – that this policy should be high level statement and commitment to managing risk outlining the principles that the NGO follow when it comes to managing risks. Moreover, high level roles and responsibilities as well as the attitudes expected from the NGO staff towards dealing with risks is highly recommended to be added to the risk policy.
At the end of this article, I would totally recommend that NGO’s craft their own Risk Management policy and they shall tailor their policy with the organization vision, mission, goals, objective and size. This shall not omit the fact the organizations shall work towards including the risk aspect on their different policies and procedures while advocating and enhancing the risk culture within the organization staff and third-party stakeholders.