In addition to the risks emerging from the financial and economic crises, philanthropic organisations also need to deal with arising risks. Therefore, the Jacobs Foundation has complemented its internal control system with a comprehensive risk management framework, allowing for an elaborated controlling of relevant risks.
As an entrepreneurial organisation, the Jacobs Foundation has much experience in dealing with risks. This formally began in 2008 when the foundation established an Internal Control System (ICS). Ever since, the Jacobs Foundation has been running a far-reaching internal control system based on detailed, documented standard operating policies and procedures and control lists.
In the aftermath of the game-changing developments of the financial and economic crises, the foundation’s Board of Trustees, in coordination with the Federal Supervisory Board for Foundations, decided to go a step further and develop and expand its risk management framework and incorporate its risk assessment and treatment into its established internal control system. Risk management is therefore firmly embedded in the foundation’s culture, processes and structure. The system categorises risks in strategic, financial and operational risks. At the same time, the risks are qualified with regard to influenceability, likelihood and size of risks.
Before going into more details on the risk management framework, it is necessary to define the term “risk” as the Jacobs Foundation understands it: Risk is an uncertain event or condition that, if it occurs, has an effect on at least one relevant project or objective.
Therefore, like the internal control system, the risk management framework helps the foundation to organise its activities in accordance with its legal obligations on the one side, and with best management practices on the other. The foundation has clear and formally defined authorisation procedures, which is the primary instrument that governs and manages the decision-making process within the foundation. It also ensures that a system of internal control and checks and balances is incorporated therein. Although the ICS is the major tool to cope with most strategic, financial and operational risks occurring in practice, the risk management framework describes the different types of risks from a wider perspective and includes hard and soft factors in the potential exposures of a non-profit institution like the Jacobs Foundation. The risk management framework, therefore, does not try to be comprehensive but intends to give a clustered overview of major risks. Since many risks might only occur in case of deviation from given rules and norms, a good risk assessment has to anticipate the likeliness of deviation in principle.
In essence, the Jacobs Foundation strives with its system to identify potential risks in advance, to analyse them and to take precautionary steps to reduce those risks. To minimise and control the exposure of strategic, financial and operational risks, the senior management (Managing Director and Head of Operations) in collaboration with the Audit Committee of the foundation execute risk management.
The risk framework of the Jacobs Foundation at a glance
The risk framework consists of three pillars.
- The Risk Assessment: The relevant risks for the Jacobs Foundation are categorised into the three mentioned categories of strategic, financial and operational risks. They include, inter alia, the following risks:
- Strategic Risks: Endangering status as a non-profit institution, staff competence and fluctuation, implementation capacity of Jacobs Foundation
- Financial Risks: Shortfall of income, shortfall in liquidity, maintenance risks
- Operational Risks: Unauthorised grant allocations, fraud in grant management, stability in data management
- The Risk Treatment: For each of the risks, the risk factors are explained; measures already taken and to be taken listed; clear responsibilities within the Board of Trustees and the Senior Management applied; as well as deadlines determined.
- The Composite Risk Index (CRI): Depicts the size of risk for the Jacobs Foundation.
So far the foundation has not quantified the risks in monetary terms. However, the Head of Operations reviews risks on an annual basis as to whether these need to be taken into account when it comes to the decision to accrue for certain risks in the annual accounts.
The entire Risk Management framework is reviewed at least annually on Management level and Board level. The Audit Committee also ensures that it remains adequate and effective. In addition, the Managing Director and the Head of Operations bring key risks to the attention of the Audit Committee for consideration. The committee then assesses the risks and summarises the deliberations in the minutes of their meetings. The Board of Trustees, as a consequence, defines the necessary steps to sort out the respective identified risks.