240219 045

Risk, risk management and control

Managing risk and providing control for your organisation are two vital components in developing good governance in sports.

Overview of risk

Risks represent some level of uncertainty for a sports organisation. It can be helpful to categorise types of risk so as to help understand the specific aspects of your operations that may be affected, as well as helping to identify how to manage these different forms of risk. For instance, you may think of the following categories of risk:

  • governance risks
  • operational risk (e.g. health and safety)
  • accidental loss or damage
  • finance risk
  • environmental and external risk
  • reputational risk
  • safeguarding risk
  • law and regulation compliance risk
  • staffing risks (e.g. inability to recruit)
  • terrorist activities or hoaxes

Risks arise for different reasons, some directly related to the primary purpose of an organisation, such as operational risks or safeguarding risks in sports. All risks should be understood in the context of the organisation and of the sector. In other words, while many of the risks above are common to many different organisations, you should understand the specific context in which your sport operates to fully understand the risks it faces and how to manage them.

One important factor that influences how risk is managed is your organisation’s ‘tolerance’ for risk.

Risk can never be fully eliminated and will be something all sports organisations have to deal with, but different sports organisations may have varying levels of tolerance for risk. Indeed, this is true for pretty much all organisations. The fewer resources or certainty you have, the more difficult it is to recover from poor decisions and therefore low-risk options are often favoured in most decision situations. Larger organisations or those in a strong financial or participation position may be able to ‘afford’ to take risks, as they have the resources or reserves required to recover from unsuccessful decisions. Other factors that may influence your organisation's risk tolerance include history and cultural appetite for risk, the background and experience of the board in evaluating alternatives and risk, as well as the current economic climate.

Boards should explicitly consider their collective tolerance for risk. Individual board members may have different levels of risk tolerance which will influence the board’s position. It is worth considering:

  • Is the organisational risk appetite defined, understood by board members and aligned appropriately to the strategy of the organisation?
  • Are the risk tolerance levels defined, understood by board members and aligned appropriately to the ongoing operational activities of the organisation?
  • Has the board considered both the individual risks and the cumulative risks of all activities and internal and external factors?
  • If risk appetite and/or risk tolerance has not appeared on your board agenda within the last six months, you should ensure it appears on the next agenda.

You may also consider trends in sports and how these manifest as specific risks to the organisation.

The most common risks facing sports organisations include:

  • Finance – loss of funding, such as that from sports council funding or from commercial partnerships, or due to diminishing income. Reliance on a single source of funds – or too few sources – can also be risky.
  • Health and safety – all sports carry a degree of physical risk. In the case of adventure sports such as parachuting or mountaineering, contact sports, or those which involve equipment or high speeds, these can be significant, requiring specialist knowledge and risk management procedures.
  • Safeguarding – the protection of children and vulnerable persons from physical and mental abuse has become an increasing concern in sport, with greater emphasis being placed on the responsibility of sports organisations to actively manage their systems and structures to prevent such abuses and to provide programmes that offer safe, transparent opportunities for sports participation. (For more on safeguarding, see our section of the knowledge base on this topic). 
  • Declining membership and participation – with so many alternative leisure activities and social interests available to people – especially young people – sports bodies now find themselves in a competitive marketplace, having to develop innovative ways to attract and retain participants.

Also of concern to sport organisations, are risks associated with:

  • Corruption – both management or governance corruption and athlete/participant corruption are significant risks to an organisation’s reputation, integrity, sustainability and role in society.
  • Doping – at all levels, sports organisations should be cognisant of the potential for performance-enhancing substance abuse, be it inadvertent or deliberate.

Strategic and operational risk

Risk can be strategic or operational. Strategic risks include external factors such as significant shifts in public policy on sports leading to changes in funding and access to public or National Lottery funds. The risks faced may well be determined by the strategies that your organisation pursues – for example, a national governing body (NGB) may choose to focus on grassroots development, reducing potential access to elite sport funding.

Operational risks arise through ineffective controls within the processes and systems of an organisation’s operations. One example is the risk of cybercrime. According to the Government’s Office of Cyber Security and Information Assurance, cybercrime costs UK businesses £21 billion a year. Sports organisations of all sizes are vulnerable to this type of crime. The introduction of the General Data Protection Regulation (GDPR) from May 2018 places clear and unequivocal responsibility on organisations for the protection of personal data.

Control

Control is often thought of as a function of management and as being the formal mechanisms in structures, systems or policies which guide employee or volunteer behaviour. However, it is useful to think of control more holistically. Formal controls are only one way in which control can be exercised. There are four levels of control operating in all organisations:

  • Administrative: formal mechanisms, internal or external to the organisation.
    • Examples of administrative controls are policies, organisation structure, legislation and codes of conduct.
  • Social: social controls arise through social interaction, as employees and volunteers interact and negotiate the meaning and legitimacy of administrative controls in the organisation.
    • Examples of social controls include emotions, identification and social norms.
  • Self: self controls are individuals’ personal motivations underpinning their behaviours and attitude.
    • Examples of self-controls include similar mechanisms as social controls but focus more on individual behaviour rather than the dynamics and mechanisms at play in exchanges between people.
  • Ideological: Ideological controls are mechanisms that influence individuals unconsciously, without their immediate awareness or thought.
    • Examples of ideological control are social structures such as gender, cultural upbringing, class, race, or family history.

Control is a fascinating yet complex aspect of sports organisations. We will focus mainly on administrative and social mechanisms in this section but it is worth noting the other types of controls to illustrate the complexity and dynamic nature of governance generally and risk management more specifically. Understanding the dynamic elements of control also helps us understand why administrative mechanisms don’t always work as they are meant to – social, self and ideological controls can be more powerful than what is written on paper. This shouldn’t be seen as a negative thing, however, as they allow individuals to challenge existing practices, encourage diversity of opinion in discussions and ultimately, lead to better governance.

Risk Management

Risk management is a process whereby the risks are methodically examined and ‘managed’ (often through a variety of formal control mechanisms). Every sports organisation should develop its own risk strategy framework which includes:

  • risk identification
  • risk estimation (assessing likelihood and impact)
  • risk prioritisation
  • risk mitigation
  • risk monitoring
  • risk reporting

Most risk management activities should not be directly undertaken by the board. The CEO, individual line managers and specialist units or committees, such as compliance or internal audit, will often lead operational risk management. Sports bodies that do not have the capacity to establish separate risk and compliance teams should be clear about how accountability for risk management below the board is managed.

Risk management should not be a static process but a framework that constantly reviews risks, anticipating and responding to changes in social, environmental and legislative requirements. This ensures that risk management becomes part of the culture – individual and collective – and the structure of the organisation.

Risk management strategy is the responsibility of the board although, in practice, much of the risk management activity is delegated to the relevant staff. Nevertheless, the board should be aware of the major risks facing the organisation at any time and exercise effective oversight to ensure that an appropriate approach to risk management is being taken.

The role of the board

The Code for Sports Governance requires that:

The organisation shall maintain robust risk management and internal control systems. (Requirement 5.7)

and

The Board shall conduct an annual review of the effectiveness of the organisation’s risk management and internal control systems to ensure that they provide reasonable assurance. (Requirement 5.8)

In determining its policies with regard to internal control, the board’s deliberations should include consideration of:

  • the nature and extent of the risks facing the organisation;
  • the extent and categories of risk which it regards as acceptable for the organisation to bear;
  • the likelihood of the risks concerned materialising;
  • the organisation’s ability to reduce the incidence and impact of risks that do materialise; and
  • the costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.

The assessment of risks calls for procedures to assess the potential size of the risk. The expected losses that could occur from adverse events or developments could be financial, operational or reputational and depend on:

  • the probability that an adverse outcome will occur; and
  • the size of the loss in the event of an adverse outcome.

Where a risk is unlikely to materialise into an adverse outcome, and the loss would likely be small, management action might not be necessary.

Where the risk is higher, measures should be taken to protect the organisation so that the remaining exposure to risk is within tolerance levels and consistent with the organisation’s risk appetite. It is possible to apply a quantitative or Red/Amber/Green (RAG) rating to each risk in order to establish the necessary responses. A table like the one below is a commonly used tool to rate the likelihood and impact of a risk.

 

 

A

B

C

D

E

 

 

Negligible

Minor

Moderate

Significant

Severe

E

Highly likely

Low Med

Medium

Med Hi

High

High

D

Likely

Low

Low Med

Medium

Med Hi

High

C

Possible

Low

Low Med

Medium

Med Hi

Med Hi

B

Unlikely

Low

Low Med

Low Med

Medium

Med Hi

A

Very unlikely

Low

Low

Low Med

Medium

Medium

 

Let’s look in more detail at how you can decide which risks fall into which category in the table.

Risk identification

Identification of risk involves not only looking at what can go wrong but also when an event occurs that is beneficial (e.g. a sudden increase in membership numbers). It should not be forgotten that the flipside of ‘risk’ is ‘opportunity’. Consideration must be given to potential positive impacts of a risk; any change can destabilise an organisation and even something good can pose a risk.

A newly established sports organisation will have a heightened risk profile since controls and procedures may not have been in place for the full financial period, and there may be immature or nascent governance structures. Certain matters may also heighten the risk profile in an established sports organisation, such as:

  • culture (attitude and values) within the organisation
  • excessive use of administrative or social controls, lacking balance
  • a change in key positions such as CEO, chief financial officer or significant changes in the board’s composition
  • a sudden change in the complexity of the organisation
  • changes to the scheme of delegation or major accounting systems

Risk estimation

Risks should be analysed according to the expected potential change as well as the likelihood of the risk occurring. They can then be prioritised with those judged to present the greatest probability of occurring as well as the greatest potential loss being highest and thus prioritised in terms of management. This could be scored on a scale of 1–5:

  • Likelihood
    1. extremely unlikely; rare occurrence
    2. unlikely
    3. moderately unlikely
    4. very likely
    5. extremely likely; frequent occurrence
  • Impact
    1. minor impact in limited areas
    2. minor impact in many areas
    3. significant impact; would not affect continued operations in the short-term but might in the long-term
    4. significant impact; in medium-term; relates to substantial operational areas
    5. fundamental to continuing operations.

The scores for likelihood and impact are then multiplied to produce a total score.

Risk prioritisation

Risks can then be ranked by numerical value so that they can be prioritised accordingly. A risk register should be used to record all risk information. The board should establish what level of risk is tolerable and then can organise a risk register using colour-coding – it is standard practice to ‘RAG-rate’ risk registers. Items coloured green are kept under review; consideration should be given to action on those coloured amber; any items coloured red should be subject to immediate action.

Risk mitigation

The board is under a particular obligation to manage any significant risk – any risk that may threaten the survival of the organisation or seriously weaken it.

A common risk management approach is to follow the mnemonic SARA:

  • Share risk – outsource the activity or transfer the risk through insurance.
  • Avoid risk – change the plan or the activity so that the problem is not encountered.
  • Reduce risk – make changes that mitigate or control the risk.
  • Accept risk – note the risk and take the chance that it, or part of it, might arise.

Each risk should be considered in turn and then SARA applied; the most appropriate risk management approach should be selected. If the risk can be ‘avoided’ or ‘reduced’, an action plan should be developed. If it is not possible to mitigate the risk, it should be either ‘shared’ by taking out insurance or setting up outsourcing arrangements or should be ‘accepted’ and the risk to the organisation formally noted.

It is highly recommended that a lead individual is identified and noted on the risk register. They will be responsible for making sure that the action plan is carried out or that insurance or outsourcing arrangements are implemented. The board is responsible for the strategic approach to risk management and should specifically approve any risks that are accepted without treatment.

Your organisation should consider ‘gross’ and ‘net’ risk in the register. The gross risk value will initially be recorded; however, mitigating action may be taken which will reduce the overall risk score to the net risk value. The impact of the mitigating actions can be quantified and an assessment made as to their cost-effectiveness.

As mentioned, the risk management process should be a continuous, cyclical process of review and management. Risks should be constantly monitored to ascertain whether the likelihood or impact has changed, for example:

  • the nature of the risk is changing or has changed;
  • existing controls are inadequate or not functioning; and
  • new mitigating measures are put in place.

Part of managing risk well is assessing your risk management processes and their effectiveness through an internal audit (although some organisations may be required or choose to undergo external audits as well).

Internal audit

While the risk register will be used by the senior leadership team as a live document for monitoring purposes, regular monitoring reports or an updated register must be put before the board – often at each meeting. Typically, an audit committee will review the risk register as well as any risk reduction plan and guidance contained in the internal audit monitoring report.

More on audit committees is covered in this section of the SGA knowledge base.