Risk management exists to help organisations achieve their objectives.
In the wake of the 2010 earthquake that hit the Caribbean nation of Haiti, $16bn was raised (including donations from half of all adult Americans) and yet the key objective of the relief work -rebuilding safer cities – was not achieved. On top of that, the relief operation actually added cholera to the catastrophe via UN Nepalese soldiers, and a further 10,000 died as a result of that. It is hard to believe that the various relief organisations were doing anything to identify and control risk.
Then, the sexual misconduct of Oxfam workers in Haiti was exposed and covered widely in the media. Oxfam’s £30m funding from the UK government is now at risk; a number of their high-profile goodwill ambassadors have quit in protest; and individual donations, and sales through their second-hand shops, are also at threat.
Recognising the high inherent (or gross) risks to reputation, Oxfam does have an employee code of conduct (dated October 2017 – possibly introduced because of what they knew was going on) which employees have to sign – it “seeks to ensure that employees avoid using possible unequal power relationships for their own benefit”. So a control of some sort does exist, but unless the control is monitored, they won’t know whether or not it is working, and they won’t be able to demonstrate to anyone else that they are now in control.
Story sources: Financial Times, The Economist, The Guardian, Oxfam website