Demystifying Audit: Risk management
Tuesday, 20 October 2020
Last month we discussed the implementation of the NCSS in overseas jurisdictions, including risk management processes associated with overseas ministries. This month we continue the theme of risk management and focus on Criterion 1.5 - The entity has risk management strategies focusing on preventing, identifying and mitigating risks to children.
This Criterion requires a church entity to consider the risks that their organisation is exposed to as part of its ministries and activities, and is closely linked to Standard 8 – Safe physical and online environments. In fact, during the audit, Criterion 1.5 and Standard 8 are generally assessed at the same time. The area of risk management is not meant to be simple. Often during an audit, we are presented with a wonderfully written risk management policy as evidence for Criterion 1.5. This document, whilst a start, needs to be accompanied by detailed risk assessment processes and regular review of risks by the safeguarding committee/leadership team. Let’s break this down further.
Criterion 1.5 focuses on a culture of risk management. This requires ensuring all personnel understand the nature of the activities and ministries that are performed, the level of safeguarding risk associated with these activities and the mitigation strategies required to address the risks. As an auditor, I am often amused when I ask personnel what risks they manage and am told “we don’t have any risks”! In audit language, if the area you are working in has no risks, then it is of little value to the organisation – after all, the purpose of any organisation should be to seek opportunities to grow, expand its works, fulfill its mission and open its heart and mind to others. This will ALWAYS involve a level of risk and to survive (and thrive!) will require a good understanding of risk and how to control it. Also, it is important to remember that risk is a two-way street – a person could be a risk to others (this is generally the first thing that comes to mind when considering risk), but the environment, ministry or activity can also be a risk to the personnel within an organisation. The purpose of risk management is to provide dual protection to a church entity that 1) the people, ministries and activities that the organisation provides are safe; and 2) its people are safe from the ministries, activities and environment in which the organisation operates.
So what might risk management look like in practice?
For a Diocese, this would involve ensuring all parishes have conducted a risk assessment on their ministries and activities and that the parish priest, safeguarding committee, staff and key volunteers have had input into or have been provided the risk assessments and understand the strategies required to mitigate the risks. At the diocesan level, this would involve reviewing any diocesan-led ministries or activities, including a consideration of organisation-wide safeguarding risks such as inadequate recruitment checks for new personnel, inadequate controls over use of technology and social media, or mismanagement of complaints handling.
For a congregation, risk assessment involves considering the ministries for which the congregation has governance, as well as the ministries/activities conducted by each of the members, to determine those activities which pose significant safeguarding risks. This is in addition to considering any organisation-wide safeguarding risks as mentioned above.
Finally, beautifully prepared risk assessments are, like the risk management policy, only a start. They are no good to anyone if put into a drawer and forgotten about. They need to be living documents, reviewed at least quarterly, to ensure they are still relevant and also to consider any new or emerging risks which may have crystallised. For a diocese, a mechanism needs to be in place whereby key parish safeguarding risks are notified to the diocesan safeguarding team to ensure there is visibility over any significant risks or “hot spots”, so that the diocese can provide assistance or support as required. For a congregation, this means both the leader and the safeguarding officer/committee keeping apprised of the key ministries and activities of their members, to identify activities with a higher safeguarding risk and to satisfy themselves that the member is receiving the appropriate education, training and support from the organisation they are working with, so that they are adequately informed and protected.
The purpose of risk management is sometimes misconstrued as a barrier to getting things done. This is a fallacy – the purpose of risk management is to give people an informed choice when faced with a new activity or ministry, i.e. to give a person the right tools, training and awareness to enter into an activity/ministry with an understanding of the opportunities and the risks and to leverage these to their advantage. As we say in the risk world “even a correct decision is wrong, if taken too late”!
For more information, refer also to the support materials for Criteria 1.5 on the Support Materials section of CPSL's website here.
To begin discussing a safeguarding audit with CPSL and to obtain a copy of the Schedule 2, please contact Tania Stegemann, Director of Compliance – firstname.lastname@example.org or call 1300 603 411.