Human bones and skulls in tomb in Cambodia.
This post confronts one of the most persistent myths about nonprofit risk management – one that prevents many nonprofits from learning enough about risk management to use its tools to protect their organizations.
The issue? People fear risk management. They worry about it. They avert their eyes. They whistle in the dark. But is nonprofit risk management scary? Not one bit — especially compared to the alternatives. Here are eight reasons why:
(1) Risk management is simple
You may think that risk management requires complex financial modeling, expensive crystal balls, and significant time commitment from staff. That’s not true. If you have a regular, defined commitment to identify and address threats and opportunities throughout the organization as a regular part of business, you have a nonprofit risk management process. Some complex organizations may need sophisticated risk management techniques, but most nonprofits benefit from risk management simplicity, rather than complexity. In fact, in many ways, effective risk management mirrors Stephen Covey’s famous Seven Habits of Highly Effective People. It’s not rocket science. It’s simply part of the bedrock of sound organizational behavior.
(2) Risk management includes opportunities, as well as threats
Note another aspect of the definition above. What you think of when you think of risk? Some people imagine thunder and lightning in the distance – some looming, powerful force that could cause harm. But remember what it was like when you were learning to ride a bike. You faced risk, and that risk was exhilarating. Confronting that risk opened up new vistas. You were able to rocket around your neighborhood with your friends. You expanded the distance you could travel from home and get back safely before dinner.
Risk management is not all about things that could go wrong. Risk is not bad. It simply is. Risk is simply an acknowledgment that we don’t know for sure what will happen next. By not being afraid of risk, by sometimes even being willing to encourage risk, an organization can end up stronger.
When we train nonprofits to talk about risk, we call negative risks “threats.” We call positive risks “opportunities.” So risk management involves both threats and opportunities. In training organizations to consider both positive and negative risks, we are following the leading standards on risk management (ISO 31000), which emphasize that risk is simply “the effect of uncertainty on objectives,” and that risk can be positive or negative. (See page 13 of this guide for an explanation.)
(3) Risk management is incremental
A nonprofit does not have to invest a substantial amount of money to begin using risk management. A risk management process has three significant elements: a risk inventory, a risk register, and a risk cycle. A risk inventory is a process of identifying threats and opportunities. A risk register is a methodology for prioritizing those risks, assigning them to responsible parties, and following up. A risk cycle implements regular check-ins in order to drive home within your staff the fact that risk management is a regular part of business and generate ongoing identification of risks as they arise.
A logical, reasonable approach to risk management starts with a risk inventory, develops a risk register, then implements a regular risk cycle. A $3 million nonprofit could begin adopting a risk management process with an outlay of less than $20,000 — less than 2/3 of one percent of its total budget. Furthermore, it could begin this toe-in-the-water approach for free on its own. Later, it could engage the board in its vital, but limited risk management role. At each step, it could — indeed should — pause to identify what’s working and what’s not.
(4) Risk management reduces unproductive worry
Anxiety undermines our ability to make decisions, so substituting clarity for anxiety can reduce organizational stress. This doesn’t mean risk management eliminates worries; rather, it separates productive worries from unproductive ones.
What’s the difference? Let’s see how therapist Robert Leahy distinguishes them:
“A productive worry is a concern about something that is plausible-something that a reasonable person might think about. For example, if you were driving from New York City to Washington, DC; it would be productive to ask yourself ‘Do I have enough gas’ and ‘Do I have a map?’ Productive worry leads to a ‘to do’ list of actions that I can take. In contrast, unproductive or useless worries are about very unlikely events — things that a reasonable person would not worry about. A lot of times, these worries don’t lead to anything that you can do. Worries that are unproductive include, for example, ‘What if I get a flat and my car spins out of control?’ or ‘ What if my engine blows up?’ or ‘What if someone runs into me?’”
Robert Leahy, Cognitive Therapy Techniques at 116-117 (2003).
Risk management helps organizations identify, prioritize, and respond to the real risks they face. The risk inventory, risk register, and risk cycle tools internalize and routinize the process of finding out what’s really going on, considering what might happen in the future, and determining what you can do about it now. At bottom, even if the organization sees trouble ahead, knowing is better than not knowing.
(5) Risk management provides a foundation for nonprofit improvement
By identifying current threats and opportunities, risk management provides a solid basis for continuous improvement over time. Although risk management explores both external and internal risks, internal threats predominate in almost any organization. In fact, management guru Peter Drucker once observed that even the best organization wastes most of its efforts. By identifying and prioritizing the threats and opportunities we face, risk management provides a sound platform for focusing on improvement in high-leverage areas.
In fact, the risk cycle embodies improvement by emphasizing a circular sequence of events. You identify risks, prioritize them, and respond to them. Then you assess what you have done and improve, identify newer risks, prioritize them in light of what you know, and so on. 
(6) Risk management is the right thing for nonprofits to do
In light of the benefits of risk management, it’s unsurprising that nonprofit support organizations instruct nonprofits to adopt risk management programs. Independent Sector’s Principles for Good Governance and Ethical Practice state that “The board members of a charitable organization are responsible for understanding the major risks to which the organization is exposed, reviewing those risks on a periodic basis, and ensuring that systems have been established to manage them.” The Standards for Excellence (adopted in many jurisdictions) state that “[o]rganizations should make every effort to manage risk and periodically assess the need for insurance coverage in light of the organization’s activities and its financial capacity.” State nonprofit standards reflect the same requirement (e.g., Florida (look at p. 16 here), Iowa (part V(G), p. 19 here), and Illinois (section 6(e), p. 8, here)). (You can find more on nonprofit risk management standards here.)
(7) Failure to perform risk management causes errors and disputes
Perhaps because nonprofits tend to be very leanly staffed and underfunded, nonprofits are particularly susceptible to fraud. Nonprofits may submit to regular audits, but “[e]ven when an organization conducts an independent audit or review of its financial statements, the auditors do not guarantee that the organization is free from fraud.” Adopting a risk management process creates a tenor of compliance in the organization that can prevent fraud and abuse.
Furthermore, despite what you may have heard about “charitable immunity,” nonprofits get sued, and such lawsuits are on the rise. According to Nolo.com, the most common disputes involve contract claims, employment disputes, and personal injury. Many of these disputes could have been avoided if the nonprofit had identified threats and taken reasonable steps to avoid or mitigate them.
(8) Your nonprofit’s reputation is at stake
It takes decades to build a strong reputation. In today’s interconnected world, it takes mere minutes to lose one. Poor risk management can fatally undermine the trust upon which reputations are based. If you don’t know what potentially hazardous behavior your nonprofit is engaging in, you can’t be consistent or follow through effectively. You can’t communicate honestly because you don’t know what the “honest” facts are. With such organizational impediments, your nonprofit cannot act in a trustworthy manner even if it has the best of intentions. You risk fatal reputational error with every step you take.
* * *
So is risk management scary? No. Failing to do risk management is scary. Nonprofits already perform high-wire acts. They cannot afford to do that blindfolded.