Risky business: Operating overseas under the new external conduct standards
9 April 2019 at 8:00 am
The Australian Charities and Not-for-profits Commission’s new external conduct standards are coming. If your charity operates outside Australia, you need to start thinking about how you manage risk now, writes Oliver May.
Not so long ago, I was in Africa, investigating an allegation of terrorist diversion in an aid program. Funded by high-profile institutional donors, the multi-million dollar project had collaborated with local organisations and had a huge, positive impact – in a very high-risk operating environment indeed.
I sat with the project manager while a fan turned lazily and frankly ineffectively on the ceiling, and asked about whether there was a project risk assessment. He produced a document that was barely a page long. As I stared at it, I saw that in that fragile and dangerous place, much of which was controlled by a sophisticated terrorist organisation or its affiliates, the risk of diversion was graded as “low”.
Counter-terrorist financing is amongst the issues covered by the new External Conduct Standards for charities operating overseas. The four standards are due to activate in July 2019, and risk management is a key theme. To comply with the standard on anti-fraud and corruption, for example, many charities will need to show reasonable steps to minimise the risks of fraud, bribery, corruption and other financial impropriety.
These risks cannot be eliminated, and it is not the expectation that they are. The expectation is that in-scope charities identify and take reasonable steps to mitigate them. A fraud and corruption risk assessment could help to demonstrate this.
But there’s a problem. Risk assessment has a bad name for many in the charity sector. Too many unwieldy documents, over-complicated processes, or “tick-box” approaches have damaged how we think about risk.
This is understandable. After all, humans are not necessarily predisposed to evaluating complex risks in the first place. Perhaps this is an inheritance from our ancestors. They were probably most interested in risks that were either very small or very big – the likelihood that juicy berries were present and big, furry things with pointy teeth were not. Our minds have evolved accordingly – so anything between these extremes is difficult for us to get our heads around. And yet, now that we are running complicated charities in complicated circumstances, we cannot escape the need for nuance.
So what can we do?
Firstly, we need to change how we think about risk assessment. It should not be a bureaucratic, tick-box exercise, but an engaging and dynamic attempt to predict possible futures and outmanoeuvre unseen enemies. And secondly, we need to change how we do it. This is about using the right tools, of course – organisational, project and process level risk assessments require different approaches – but also about making the space and time available to collect and assess information from as many people and places as we can.
Do we look ahead, speak to other charities, and keep an eye on the news? Do we engage with our people? I have carried out fraud risk workshops worldwide, and “think thief” exercises – in which we encourage staff to consider ways that their organisation could be defrauded and how we can prevent it – are always popular, and a great way to show our people that their perspective is valued.
Thirdly, we can change how we see ourselves. We need to recognise our own blind spots – how do we make sure we have the right information about our operations overseas? Have we ensured that the people we trust to run them have the right skills to recognise and assess risk? And how do we manage our own cognitive errors and biases – the things that lead us to think in terms of juicy berries and furry animals with pointy teeth?
This is important. Risk is a state of mind. A document will be useful, not least because it will help to keep everybody – literally – on the same page. But for our charities to be truly safe, all managers must keep up-to-date mental pictures of their risks and how to deal with them. That requires ongoing attention. Risk management is part of running a successful organisation – it is not a one-off activity for overwhelmed legal, audit or compliance teams.
If your charity operates outside Australia and is in scope for the external conduct standards, now is a great time to start thinking about how you will be able to show that it identifies and responds to integrity risks. Doing so could put your charity one step ahead, and lower the chances that one day you may be sitting across the table from the forensic auditors, trying to explain what you have done – or indeed, have not.
About the author: Oliver May was previously the head of counter-fraud for Oxfam GB. He is now a director in Deloitte’s forensic practice, where he helps not for profit, corporate and government clients to manage integrity risks. He blogs at Second Marshmallow and his book, Fighting Fraud and Corruption in the Humanitarian and Global Development Sector (Routledge, 2016), is out now. A follow-up book for international NGOs on managing terrorist financing risk is out next year.