Risk Management for Non-Profit Organisations

18 August 2020

The public and those donating to non-profit organisations (NPOs) should have confidence that money donated is used for legitimate purposes and is reaching its intended beneficiaries.

Controllers of NPOs are legally responsible for ensuring that the NPO’s funds are properly used, adequately protected and not misused for financial crime, terrorist or other criminal purposes. Controllers are publicly accountable and have duties and responsibilities under the NPO Law to safeguard their NPO, its funds, property and beneficiaries. They may have employees, volunteers and agents to help, but controllers remain legally responsible.

The best way that controllers can ensure an NPO’s funds are not abused is by putting in place good governance and ensuring there is strong financial management, including robust internal and financial controls and risk management procedures. They should also promote the transparency and accountability of NPOs and ensure that the public can have trust and confidence in NPOs and their work.

How do controllers identify and assess risks?

Controllers need to be aware that the risks that an NPO faces depend very much on the size, nature and complexity of the activities it undertakes, and also on its finances.

Risks may take a number of forms, including for example:

  1. Operational
  2. Financial
  3. Reputational
  4. External
  5. Compliance with the law and regulations in the Cayman Islands and, if applicable, internationally

As a general rule, the larger and more complex or diverse an NPO’s activities are, the more challenging it will be for the NPO to identify the major risks that it faces and put proper systems in place to manage them. This means that formal risk management processes may be necessary to help controllers and that these will need to be tailored to fit the circumstances of the individual NPO, focusing on identifying the major risks. In most cases, controllers of large, complex NPOs will need to explore risk more fully than smaller NPOs and in greater detail. How controllers identify and assess risk and what tools they use to help them to do so is up to them.

NPOs are encouraged to identify and consider risk in the context of their day-to-day activities and incorporate it in their management processes and decision making.

Identifying and managing the possible and probable risks that an NPO may face is a key part of effective governance for NPOs of all sizes. Managing risk effectively is essential if NPO controllers are to achieve their key objectives and safeguard their NPO’s funds and other assets. NPO controllers need to identify risks that the NPO faces and decide whether the systems and procedures they have in place to address them are adequate, reasonable and proportionate.

General Registry Guidance

There are a number of models and frameworks which may be helpful, and the General Registry has prepared detailed guidance on risk management practices and effective internal controls: Risk Management for Non-Profit Organisations. NPOs are also encouraged to review the General Registry’s General Guidance and Best Practices for the Non-Profit Organisation Sector.