BDO Insights - Risk management across the sports sector
In the first of a regular insights column, Gurpreet Dulay and Max Armstrong from BDO share their thoughts on risk and risk management in the sports sector, drawing on the work they routinely engage in with bodies, large and small.
Date: 27th Nov 2024
Author: Gurpreet Dulay & Max Armstrong, BDO
Our lives are a series of decisions.
To help navigate these decisions, our minds process the world’s fastest risk register each and every single moment. You may not realise it, but in each of those moments you are identifying the risk you face, thinking about what happened last time and sifting through your past experiences (assurances), and then deciding what to do by thinking about the cause and consequence – all within a matter of seconds.
Now imagine taking all of that information and dumping it onto a piece of paper. Now go further, by asking 12 other people (your Board) and a few others (your management) to do the same about the biggest risks your organisation faces! It soon gets quite complex and, moreover, maintaining an up-to-date position on all of that starts to become an industry. This can lead to risk management stasis: where you either spend too little time discussing risk as the process becomes too complex and burdensome, or spend so much time talking about it that you lose sight of what your purpose is and whether you are achieving it. Risk management is difficult – but also vitally important to effectively run an organisation. At BDO, we have been out to many sports organisations and have been fortunate to speak to leaders of your organisations and Board members, review risk strategies and registers, and listen to your discussions about what keeps you up at night. It is this experience that we now share with you.
It's important to start with acknowledging that there are risks all around us, both strategic and operational, which impact how we meet our objectives.
The Government’s risk management guidance applies the “5 Ts Model” for responding to different types of risks.
Why do we need risk management?
In the sport and physical activity sector, we have a wide reach to a large audience, whether it be to clubs or members, participants, or interested observers. As a result, it often hits national news headlines or filters quickly through the sport when something goes wrong. These may be considered minor, such as membership systems failing to work properly, or major issues like safeguarding concerns which can have an enormous human impact on those affected and a reputational impact on our organisations. As Warren Buffett says:
“It takes 20 years to build a reputation and only five minutes to ruin it”.
Effective risk management is critical to benefiting from the upsides of risks and mitigating the downsides. While it is not a definite solution to prevent all risks from happening, it allows an organisation to identify what risks could occur and to promote a culture of communication on how it will manage these. This is fundamental to good governance.
What makes effective risk management?
There are many different facets to risk management; however, in our experience, there are four key components that underpin its effectiveness:
Appetite | Defining and communicating the risk appetite of the organisation. |
Strategy | Establishing a clear and understandable strategy and framework for risk management that works across the whole organisation. |
Culture | The ability to openly challenge the impact of decisions made at a Board/Committee, management and departmental level. |
Embeddedness | Ensuring that staff at all levels of the organisation live and breathe the values for risk management. |
Appetite
To truly enable an interconnected model of risk management across the organisation, there needs to be a unified understanding of what the appetite is for risk. This may not be the same for every type of risk but should be defined and documented.
For example, a national governing body (NGB) may have a zero-tolerance risk appetite for health and safety risks but may be less cautious over its cyber risks as it recognises the benefits that experimenting with technology could have. However, if these aren’t defined then there is no guarantee that staff will apply these appetites through their activities.
Strategy
A risk management strategy and framework support a consistent application of processes for identifying, mitigating and monitoring risks. This is a critical document to set the tone for risk management.
Culture
This is possibly the most important component: an environment where Board/Committee members feel emboldened to challenge what they are told, scrutinise what the impact of a decision may be, and ascertain why risks have been rated as they have.
Embeddedness
Too often we hear staff say that “risk management is the responsibility of the Audit and Risk Committee” or “the Governance team are responsible for managing risk registers”. The truth is that risk management is the responsibility of everyone. It is essential that the accountability for identifying risks and taking action to address or escalate risks is embedded throughout the organisation.
Risk registers are an effective tool to help identify and manage risks, but it is far more important to have the open conversations around key risks, joining up risks on operational risk registers to the strategic risk registers.
Common pitfalls
Through our experience we have seen both strong and weak risk management arrangements. It is sometimes helpful to know what to avoid, so we share some here with you now:
- If a Committee is spending more time talking about the risk register in terms of format, colours, and columns, than actually discussing the risk, assurances, and actions to be taken – then stop, reflect, and change the balance of focus. The priority should be on the quality of debate.
- Get the Chair to ask all Board members what the top three risks to the organisation are, what assurances are in place, and what actions are in place. If there are very different responses, the organisation may not have a collective view, which could impact the debate and discussion. It’s good to have differences in view, but if they are significant, it may be an issue.
- If a risk rolls forward meeting after meeting, or even year after year, unchanged, then it’s likely a sign that it is not understood. Use deep dives into risks on a rolling basis, involving management attendees at Committees to support dialogue.
- Risks should be worded as risks! A risk which is one word, e.g. workforce, does not split out the risk, cause, and consequence sufficiently to support healthy discussion.
- Assurances should not be a list of everything an organisation does to mitigate a risk but a focused list of the material steps taken that help validate the risk score given. These need to be specific, not generic entries such as ‘budget management’.
There are many more common pitfalls – contact us and we’d be happy to have a discussion.
Themes from across the sports sector
At the SGA’s Advantage Governance Conference on 13 November 2024, we asked the sector:
- What is the top current risk facing your organisation?
- How much time does your organisation’s Board dedicate to risk management?
- What emerging risks will most impact your organisation over the next five years?
Overwhelmingly, funding is cited as a key risk. However, a number of respondents identified safeguarding as the main risk currently facing their organisation, which is unsurprising considering all sports will involve direct interaction between coaches and young people or vulnerable adults, with high emotion and competitiveness to be successful. We have seen high profile safeguarding concerns raised in sport nationally and internationally over recent years, with significant impacts on athletes and individuals; this is therefore recognised as a main concern for sports bodies.
Other current risks identified were:
- Delivering events
- International politics
- Membership
- Financial sustainability (funding and growing costs)
- GDPR and other digital or data matters
- Succession of staff
- Recruiting new staff
Interestingly, when considering the emerging risks, far and away the most significant concern was the lack of funding for sports, both from public funds and commercial revenue streams. Despite the Government’s Autumn Budget announcement of a commitment to a multi-year investment of £344 million over the next four-year cycle in the UK’s Olympic and Paralympic sports, there remain concerns over the sustainability of funding in a competitive environment.
At a grassroots level, there was a commitment to investing in multi-use facilities across the UK, but it remains to be seen how this will be funded with NGBs, clubs and charities in the sport sector. Others identified the risk around ‘donor fatigue’, limiting funds for organisations that are reliant on one or few individuals or bodies for their revenue.
Other emerging risks identified, excluding the continuation of the current risks, included:
- Climate change and the impact it may have on sporting events
- Artificial intelligence
- Cyber security
- Availability of volunteers
- Facilities
- Competing with other sports for participants
- Shifting demographics on participation in certain sports
Keeping the conversation going
It was pleasing to see that 55% of respondents confirmed that their Board discusses risk and risk management at each meeting, with a further 33% stating that it is discussed quarterly by the Board. However, there remained 2% of respondents whose Board never discussed risk and risk management. While risks may naturally be discussed throughout the agenda, dedicated slots for risk management in Board meetings can be critical to enabling a strong culture for scrutiny and embedding this across the organisation.
We recognise that this is a journey and, for some organisations, you may be at the start of this journey and need that steer to get yourselves going. So, our challenge to the sport sector in the short term would be to think of three practical actions that you can take forward over the next 6 to 12 months to embrace and embed risk management. These could be:
- Move risk management up higher on your Board’s agenda to increase its focus and importance.
- Develop a risk appetite statement at a Board level and communicate this across the organisation.
- Hold a risk management workshop to think about the wording of the risks on your corporate or strategic risk register. Make sure these are specific to what the actual risk is, that the mitigating controls are prioritised to show what will have the most impact in reducing the risk, and that these are followed up on periodically with effective scrutiny over how the controls are mitigating the risk.
We are also happy to discuss your risk management arrangements. If you are interested in speaking then please contact us.
Gurpreet is a partner in BDO's public sector internal audit practice, leading on corporate governance and risk management solutions to a range of public sector clients. Max is a Manager based in BDO’s Birmingham office, managing engagements across the public sector and the Non-Governmental Departmental Bodies (NGDB) sector. They can be contacted as follows:
Gurpreet Dulay – BDO Partner – Gurpreet.Dulay@bdo.co.uk
Max Armstrong – BDO Manager – Max.Armstrong@bdo.co.uk