Concerns about Risk Management
Isn’t risk bad?
No. Risk is simply uncertainty. It can be positive or negative. Here at Risk Alternatives, we call positive risks “opportunities” and negative risks “threats.” An opportunity is an uncertainty that has some upside. It might be a change in business practices, a new program or offering, or a new product. Other uncertainties have downsides. Those are threats — an economic downturn, increased competitionor a change in market conditions with respect to potential customers and clients that reduces the need for your organization’s goods and services.
Ultimately, we believe all uncertainties present both threats and opportunities. A change in business practices may lead to greater efficiency; at the same time, it may lead to employee unrest or turnover. A new product or service offering may increase revenues; it might also cannibalize existing product or service offerings. The important factor is that organizations need to think about those threats and opportunities, prepare for them, and set up the background processes to ensure resiliency and sustainability in the face of the unexpected.
Shouldn’t we want to avoid risk?
No. Life would be very boring that way, but it’s also simply impossible. Plus, we face upside risks as well as downside risks – opportunities as well as threats. We try to help our customers understand threats and opportunities they face, so that they can make better decisions.
Doesn’t risk management take a lot of time and money?
Isn’t it hard to start risk management from scratch?
Almost certainly, your organization is engaged in some form of risk management right now. You probably have to do lists, staff meetings, performance evaluations, insurance, and so forth. What you don’t have is a consistent, holistic approach to identifying and dealing with threats and opportunities. Risk Alternatives can provide that approach.
Why can’t we just do risk management on our own?
Yes, you can. Just as you can learn most topics on your own. Of course, it’s more difficult, slower, and more uncertain to learn things on your own. By receiving training and resources, you can dramatically speed up learning and implementation.
Also, think about it. How many items are on your organization’s “To Do Sometime” list? Risk management is mission-critical. If you fail to have effective risk management, your team is flying blind. It’s probably unwise to fly blind (just saying).
Ultimately, Risk Alternatives wants you to do risk management on your own. We want to serve as a catalyst and a safety net, not as a permanent part of your organization. Any risk manager worth hiring will tell you that. We actually mean it.
Isn’t risk management basically just learning to say no all the time?
No. (See what we did there?) Risk management isn’t about nay-saying. It is not a euphemism for worrying. Instead, risk management provides the basis for an informed “yes.” We want our clients to move forward with confidence: “Yes, we know the threats and opportunities. Yes, we believe the potential return is worth it. We are relying not on hopes or faith, but on data. Yes, we’re going forward.”
We have lots of other priorities. Why would be spend money on risk management?”
First, how did you determine your priorities? If you don’t have an established methodology for identifying threats and opportunities, gathering information about them, soliciting input from team members, and prioritizing those risks, your priorities may have nothing to do with the issues that pose the greatest danger or greatest upside potential for your organization.
Second, risk management facilitates every function of an organization. It can increase operational efficiency and effectiveness. It strengthens the financial function. It helps with human resources. It can enhance marketing (reputation management) and sales. It can lead to greater IT effectiveness. It strengthens compliance. In short, risk management is a force multiplier.
Third, in the face of competing priorities, you need clarity and peace of mind. If you are distracted by worries about what might occur, your ability to perform will be undermined.
Fourth, if you are a nonprofit, you have particular reasons to engage in risk management. You have more stakeholders with an interest in your operations than for-profit businesses do. Your board members put their own reputations on the line when they serve on your board, and they do so without compensation. You owe them the peace of mind that comes from an effective risk management program. Furthermore, understanding the threats and opportunities faced by a nonprofit can dramatically improve board engagement. Risk management is now a nonprofit best practice, just as it has been in larger for-profit organizations for many years.
Doesn’t change take time?
When customers begin a risk management program, they often find issues that bring an immediate return on the investment. Sometimes they become aware of a practice that their team engages in that could explode into a crisis at any moment if they continue along the same course. Sometimes they realize that team members are performing the “same” task very differently, making results inconsistent and leading to end-user dissatisfaction. Sometimes they find a huge opportunity when they begin asking team members to take ownership of what they do and suggest improvements. Addressing these sorts of risks can mean the difference between failing and thriving.
But the greatest dividends from risk management do take time. In fact, W. Edwards Deming, one of the godfathers of continuous process improvement, warned about the need for consistent effort over time:
“A typical path of frustration. A program of improvements sets off with enthusiasm, exhortations, revival meetings, posters, pledges. Quality becomes a religion. Quality is measured by results of inspection that final audit shows at first dramatic improvement, better and better by the month. Everyone expects the path of improvement to continue along the dotted line. Instead, success grinds to a halt. At best, the curve levels off. It may even turn upward. Despondence sets in. What has happened? The rapid and encouraging improvement seen it first came from removal of special causes [i.e., one-time problems that need attention] detected by horse sense. All this was fairly simple. But as obvious sources of improvement dried up, the curve of improvement leveled off and became stable at an unacceptable level.”
W. Edwards Deming, Out of the Crisis (1986), at 323-24.
As a result, we counsel our customers to expect results, but recognize that there will be bumps in the road. Again, we agree with Deming: “Long-term commitment to new learning and new philosophy is required of any management that seeks transformation. The timid or the fainthearted, and people that expect quick results, are doomed to disappointment.” W. Edwards Deming, Out of the Crisis (1986), at x. Or, as management guru Jim Collins explains, companies that excel relative to their peers understand “a simple truth: tremendous power exists in the fact of continued improvement in the delivery of results. Point to tangible accomplishments – however incremental at first – and show how these steps fit into the context of an overall concept that will work. When you do this in such a way that people see and feel the build up of momentum, they will line up with enthusiasm.” Jim Collins, Good to Great (2001), at p. 174-75.
Won’t risk management undermine our creativity?
No. We could go on for a long time about this one. We know some creative types say that they don’t like rules because rules constrain behavior. But we agree with those researchers who say that creativity is fostered by clarity, inquisitiveness, and constraints that guide behavior.
Why should we invest in risk management if we already have insurance?
Quite simply, insurance is not the whole of risk management. In fact, it’s not even the beginning of risk management. Insurance is a way to shift residual risks from an organization to a third party. Learn more about this important topic here.
Why should we have risk management if we already have an annual audit?
Audits can be an important part of risk management, but an audit is not a substitute for a risk management program. Audits are usually performed by accountants to permit an organization to certify to investors that its financial reports conform to generally accepted accounting principles. An audit doesn’t prevent fraud. Nor are auditors responsible for identifying risks, except generally to the extent those risks may impact the financial statements. Auditors don’t generally evaluate marketing, sales, talent management, reputation management, operations, or other important functions that underlie the financial function.
Why not just hire a lawyer?
Sometimes you do need to hire a lawyer. Lawyers are great at prosecuting and defending lawsuits. Some of them are excellent at drafting important documents. They can be crucial for identifying certain kinds of risk and counseling about the proper course of conduct. They are trained to think about rules and rule structures, so lawyers can often help develop policies and procedures. They are often steeped in the rules and regulations that govern how businesses and nonprofits are required to operate.
But the fact is not every issue requires a lawyer. Furthermore, there are many different kinds of lawyers. You don’t want to hire a transactional lawyer to represent you in court, and you don’t want a litigator writing your contracts.
If Risk Alternatives believes an issue requires a lawyer, or a lawyer might add real value, we can help you define the issue and find the right legal assistance.
Special Issues for Nonprofits
I’m a nonprofit board member. How do I know if my nonprofit needs a risk management program?
If you serve on a nonprofit board that does not have a risk management program, you are putting your reputation at risk. If the organization struggles, it will reflect on you. Why would you put yourself in that position? And if you believe in the organization’s mission, why would you put that mission at risk?
Do any particular issues signal a potential need for risk management at a nonprofit?
In our experience, certain issues deserve a second look:
- Has a single executive director functioned in that role for an extended period of time? There is nothing necessarily wrong with a long-serving chief executive. The organization gains the benefit of long-standing knowledge and awareness of how the organization operates. However, nonprofits can fall into ruts, and leaders with extended tenures may not recognize the trench because it has become so familiar. Long-standing chief executives may also come to identify themselves with the organization, so that the line blurs between the personal and professional.
- Is the founder of the organization serving as its chief executive? If so, the organization may be suffering from founders syndrome, in which nonprofit growth is inhibited by the close public and internal identification of the founder and the organization. Starting a risk management program can increase donor and stakeholder confidence that the organization is responsive to emerging issues and has the resilience and sustainability to function long after the founder has left.
- Is the organization undergoing a change in executive control? When the chief executive officer of a nonprofit leaves, that may be a good time to begin a risk management program.
- Does the organization need to find new ways of doing things? Perhaps the organization is struggling to engage donors, or perhaps the nature of the client population is shifting or may shift over time.
- Has the organization faced issues from regulators? It’s often the case that the “presentation issue”(the apparent problem) is a symptom of a more systemic challenge.
- Does your board appear unengaged? If board meetings seem to do little more than rubber stamp staff recommendations, and if board members are not energized to advocate on behalf of the organization, that may signal that the board does not understand and appreciate the threats and opportunities facing the nonprofit.
- Have revenues plateaued or even begun to falter? Nonprofits lose revenue sources when they lose the confidence of existing donors and cannot find new ones that believe the organization can meet an important societal need. Revenues falter as well when the organization cannot protect and defend its reputation. They falter when an organization cannot meet operational objectives. All of those issues can be addressed through effective risk management.
Special Issues for Start Ups and Small Businesses
We have great products or services. Why should we care about risk management?
The best thing about entrepreneurs is that they take risks. The worst thing is that they sometimes take risks blindly. Just because you make good widgets doesn’t mean that you have a solid business. Until entrepreneurs hit their first major hiccup, they tend to think they are invulnerable. The fact is, they’re not. Entrepreneurs need to build resilient, sustainable, sound business models. They need to be aware of the threats and opportunities they face, and they need the humility to be able to ask for and take advice from many different quarters.
All too often, a startup cruises along or even enters a huge growth period. Everything looks wonderful. But the growth is unsustainable because leadership has not put basic business processes in place to create resiliency. Because the business is actually fragile, when it hits that first hiccup – a bad employee departure, a regulatory snag, a recurrent vendor conflict, the departure of a key person who has too much in her head that was never put on paper – what might have been a minor challenge may instead create a death spiral. Equally sad, the business might overcome the challenge, but because of the experience, leadership may afterwards take a much more risk-averse path. As a result, the business may never achieve its full potential.
When does risk management become especially critical for a smaller for-profit business?
Here are some key factors:
- Do you want to seek financing from a bank within the next five years? A financial institution will want to see an organization that is professional.
- Do you want to sell your business? Your business will be worth dramatically more if you have built a team and processes that can function without you and that not only appear professional, but perform professionally when you are no longer there.
- Do you want to pass your business along to a new generation? If you aren’t going to be around, you need to document your systems, controls, and processes.
- Do you want to ever do something else with your life? As long as you are a key factor in the success of your business, you will be tied to the business.
Special Issues for Angel Investors, VCs, and Nonprofit Funders
I invest in startups or fund nonprofits. Why should I consider Risk Alternatives?”
Due diligence too often focuses mostly on financials. Do your investment targets have a way to identify threats and opportunities? Can they avoid the blinders that undermine so many startups and small nonprofits? Are there operational warts that financial due diligence might miss, but which a risk assessment might catch?
The organization I invested in seems to be struggling. Can you help?
Maybe. Talk to us about whether we can perform triage that may help things run better or unlock potential value.
Risk Alternative’s Value Proposition
How can we increase decision-making clarity through risk management?
Individually, humans don’t do very well with risk. We perceive risks inaccurately, and we avoid blame when things go wrong. (We talk more about this in this blog post.) By creating systems that create opportunities for input from different points of view, and by training team members to be more aware of threats and opportunities, Risk Alternatives can help organizations to have a much clearer perspective of their priorities and how to reach their goals.
How can risk management give me peace of mind?
Peace of mind comes from knowing what you face, preparing to face it, knowing that you have acted responsibly, and knowing that you have taken steps to ensure that your organization will have the resiliency to grapple with expected and unexpected challenges.
We know some people think it’s better not to know what bad things can happen. We agree instead with those who understand that threats are often less daunting after they have been identified, examined, and addressed.
We think that one of the worst possible feelings a leader can have is that dread that comes at about 7 p.m. at night. She has been in meetings all day. She has loads of emails she hasn’t read. She has another event tonight before she can go home. She knows that she has seven or eight balls up in the air, but she doesn’t even know where those balls are, and she knows that she is the only person responsible for catching each ball as it comes down. Worse yet, although she knows about those balls, she worries that there are still others up there she doesn’t even know about. How can you juggle what you can’t see and don’t even know about? What should she pay attention to? Why does it have to be another sleepless night?
Contrast that with another busy leader. She knows that her team has been empowered and energized to identify threats and opportunities, so she knows she is not alone. Her team has prioritized those threats and opportunities and assigned champions for the biggest risks. Each threat has specific mitigation efforts assigned, and the team regularly follows up to ensure that mitigation is moving forward. She also knows that her team has identified potential opportunities that could build additional value. Although the leader is ultimately responsible, she is not the first person assigned to catch the ball.
We can help leaders be in the second scenario rather than the first. That’s peace of mind.
How can risk management unlock value?
At least three ways: eliminating waste, increasing effectiveness, and developing opportunities into valuable new initiatives.
Even the best organizations have lots of waste. Management consultant Peter Drucker once estimated that even in the most efficient companies, up to 90 percent of effort is wasted. Rather than being discouraged by that assessment, Risk Alternatives thinks it shows how much value is waiting to be captured if an organization simply makes risk awareness a part of everyday operations.
We increase effectiveness by simplifying processes and adopting procedures – ways that everyone in the organization performs a task. Too often a few key people know how to do key tasks. Everyone else does they best they can. This is especially a problem in nonprofits and start-ups, where key personnel (executive director, founders) might know how everything is done, but if any of those people get hit by a bus, the organization is in peril. By simplifying and documenting, Risk Alternatives can make it possible for an organization to run without key personnel. That creates resiliency and permits an organization to scale up.
Finally, at Risk Alternatives we emphasize that there are positive as well as negative risks. Risk management can identify opportunities that can be nurtured into new, profitable initiatives.
How can we save money using risk management?
Every situation is different, but every customer has the potential to save money using risk management principles.
By learning how to take stock of threats and opportunities, you can allocate your scarce resources more wisely.
By energizing and empowering employees and team members to look for threats and opportunities, you can identify ways to cut costs and improve efficiencies that leadership simply didn’t know about.
By learning to identify key performance indicators and key risk indicators in your operations, you can learn to measure results and therefore learn what actually works and what needs improvement.
By documenting processes and procedures, you can avoid reinventing the wheel each time the organization takes action, so that your team can focus instead on taking the best action possible in the most efficient way.
By learning how to rank threats and opportunities according to potential impact, likelihood of occurrence, and speed of onset, your organization can determine what you should focus on first, next, or not at all.
What’s our potential return on investment if we hire Risk Alternatives?
By increasing clarity about threats and opportunities, organizations can be more nimble. They can reduce costs by standardizing their procedures. They can unlock and develop new opportunities. They can get rid of obsolescent practices.
Organizations that strive to identify threats and opportunities as part of everyday operations function better than their peers. They have better investment performance. The gain and keep the trust of their clients, owners, and stakeholders. They are more reliable. They make better business partners.
For more about the potential return on investment, click here.
Risk Alternatives’ Process
What tools does Risk Alternatives use with its customers?
We use tools of risk management, governance, and compliance to provide value to our customers. In our basic package, we train customers to use risk management tools to make identifying threats and opportunities a basic part of everyday operations. With our advanced solutions, we provide tailored risk management, governance, and compliance training and implementation.
What are the basic steps in a risk management process?
Risk Alternatives maintains that if you want to thrive, you need a solid awareness of the threats and opportunities you face and what you can do about them. We help you apply a four-step process to provide that awareness:
1 – IDENTIFY threats and opportunities faced by the organization.
2 – PRIORITIZE your risks by considering likelihood, magnitude of impact, and speed of onset.
3 – RESPOND to risks by avoiding unacceptable risks, mitigating the threats you have to face, shifting some risks to others, and developing positive risks (opportunities); and
4 – ASSESS/IMPROVE by evaluating how your responses have changed your organization’s prospects.
What do you mean by governance?
Governance means the way that an organization’s owners or stakeholders interact with leadership, and how leadership interacts with line personnel.
What do you mean by compliance?
Compliance addresses how an organization ensures that it is abiding by outside rules (e.g., laws, regulations, and contracts) and internal standards of conduct (e.g., codes of conduct, policies, and procedures). Compliance involves making sound decisions about how the organization can and should act and creating incentives for proper conduct.
We Are Insatiably Curious
Why do you call yourselves Risk Alternatives?
Too often people believe risk is always negative. We don’t think so. We believe there is enormous value in thinking about risk in terms of alternatives. We think the name flows naturally from that perspective.
How can Risk Alternatives be experts in every conceivable risk?
We aren’t. We have faced a wide variety of risks and helped clients adopt solutions to deal with many different sorts of risk, but there are always new threats and opportunities, and no organization is going to be able to provide expert advice about every one of those. Here at Risk Alternatives, we don’t even try. Instead, we help you develop systems and processes so that your own team can apply its expert knowledge more effectively. We can also help you find experts in various areas to provide targeted solutions on a cost-effective basis.
So Risk Alternatives knows more about the risks facing organizations like ours than we do?
You know more about your business than we ever will. But we know something about how to help organizations think more clearly about the threats and opportunities they face and deal with those risks effectively.