Conducting a Financial Wrongdoing Risk Assessment
It is critical that specific guidelines or other materials are developed to help address prevention of financial wrongdoing in high risk areas. For example, operating in a region with mostly cash-based payments, operating in humanitarian emergency situations where critical infrastructure like banking systems have been damaged, operating in areas with recent terrorist activity.
When conducting an organisational financial wrongdoing risk assessment, it is valuable to include people from different sections across the organisation (including governing body members, volunteers, overseas staff) who will be able to help you identify the possible risks in the work that they do.
A risk log, similar to the following, can be used to document financial wrongdoing risks and mitigation strategies:
Tools4development have some templates suitable for smaller organisations that you can download.
You should define what High, Medium and Low Likelihood and High, Medium and Low Consequence mean for your organisation. For example, a financial loss of $50,000 may have low consequence for a large agency, but it may have high consequence for a small agency.
The questions that you can ask to identify risk in each section of your organisation are:
- Where funds flow into and out of your organisation and the opportunities for them to be misdirected (include consideration of physical cash and cheques as well as online funds): follow the flow of a dollar from donor, through your organisation, out to partners, suppliers, contractors, affiliates and to beneficiaries. At each step ask ‘how do we know that this dollar is being used as intended and in line with our objectives?’, and list specific evidence that would demonstrate that like screening checks, audits, etc
- Where confidential financial information (such as bank account details and credit card numbers) is obtained and held in your organisation
- Where donations are restricted and what sorts of restrictions are accepted
- Where funds are received (for example via third party fundraisers), processed (for example by payment gateway providers and financial institutions) or expended (for example affiliates in your international networks or implementing partners) via third parties
- The practical details of implementing your programs (for example do you provide a cash grants scheme, do you need to make large scale procurement in a small economy?)
- What financial wrongdoing incidents have we (or our affiliates or partners) experienced in the last five years that we can learn from and aim to prevent?
- What are the strategies that we already have in place to prevent financial wrongdoing? How do we test their effectiveness, and have we done this recently?
- What is the likelihood of something going wrong?
- What would be the consequence if something went wrong?
- What is our resulting risk rating?
- Your organisational culture
- Your internal control environment
- The nature of your activities
- The nature of funds movements into and out of and within your organisation
- Your work with partners
- Your work via affiliated organisations in your international networks
- Your recruitment processes for staff, volunteers and governing body members
- The status of policies and procedures in your organisation
- Your information technology systems and controls
- Your legal status in the countries in which you operate
High risk factors can include:
Working in regions that feature:
- A cash economy or unstable or sanctioned banking systems
- High ratings for corruption
- Recent terrorist activity / high proportion of sanctioned entities
- Humanitarian emergencies
- High inequality
- General disregard for the rule of law / ineffective judicial systems
- Small or closed economies
Working with people who:
- Have not been screened properly (eg through police checks, checking against proscribed entities lists, interviews and reference checks)
- Have not been trained in the prevention of financial wrongdoing
- Were recruited quickly for immediate deployment (eg humanitarian response)
- Are not supervised adequately / are placed in situations without adequate segregation of duties
- Have a history of committing financial wrongdoing
- Require handling large volumes of cash
- Require management of a high volume of donation activity in a short space of time (for example an end of tax year appeal or an humanitarian emergency appeal), especially when combined with fundraising staff that have performance targets relating to level of donations
- Require transacting with countries with poor formal financial systems controls
- Involve related parties
- Require remittance of large sums of funds in a short space of time, particularly when the remittance is in hard currency
- Involve allowing third parties to be involved in the process of managing or spending the organisation’s funds, whilst the organisation still maintains responsibility for those funds
- Is non-existent or sparse, so there is little oversight of the work of staff or volunteers processing and reporting on financial transactions
- Is cursory and does not thoroughly review transactions, documentation and reports
- Does not compensate for any shortcomings in segregation of duties
Organisational systems and processes where there is:
- No identified method to report financial wrongdoing
- No monitoring of the effectiveness of internal controls
- No management culture around compliance with laws, policies or processes
- Financial wrongdoing is not included in organisational risk registers
To manage these risks the organisation will need to:
- Identify ways of reducing these risks
- Have procedures in place that personnel and relevant stakeholders are aware of in order to reduce identified risks
- Have complaints handling procedures in place for when things go wrong
- Establish monitoring systems that monitor both the implementation of mitigation measures but also identify any new risks.
Financial wrongdoing risk management and monitoring should become an ongoing activity in the organisation, and be part of the planning, implementation and monitoring of all operations and programs.
The questions that should be asked are:
- Do the risks still exist?
- Have they been reduced, controlled and managed by the existing strategies?
- Are there any new risks?
- What strategies / resources are needed to reduce / remove/ control these emerging risks?
Take a look at this diagram to help generate some ideas of areas where you might be exposed to financial wrongdoing risks, including some possible mitigating controls.