Risk lives in every organization and every aspect of organizational operations. But the risk mix, likelihood of occurrence, and potential impact differ from organization to organization. Thinking about risk necessitates a careful look by department, program, business line and function to identify vulnerabilities. Enterprise risk management (ERM) is the discipline that looks at organizational risk and searches for patterns and combinations that need a broad approach to identification and mitigation. ERM can make a big difference in nonprofit success.
Most nonprofit leaders are so busy dealing with day-to-day activities that they are too stretched to keep up. They experience as overwhelming the thought of adding one more thing to the to-do list. Some leaders rely on faith or magical thinking to shield them from actively engaging and managing risk. They embrace the belief that managing to mission will protect them from disaster. Denial is a powerful balm, but it offers no protection when it comes to risk.
Active risk management prevents disjointed, one-off crisis responses that drain energy and resources. It can shield your nonprofit from internal vulnerabilities and external threats, giving you breathing room to respond to new opportunities instead of rushing to put out fires.
Active risk management isn’t just about risk. Active risk management improves decision-making and day-to-day operations, and it saves money. It also enhances performance and strategy. Active risk management makes space for a nonprofit to balance uncertainty and exposure while remaining focused on mission.
Active risk management planning will help you answer five important questions: ·
What is my organization’s appetite for risk?·
How much risk can my organization handle?·
What is the best way for us to manage risk?·
Do we have the right people to handle risk?·
How will we know that we’ve eliminated or reduced the potential impact of a risk event or a cluster of risk events?
As you begin thinking about introducing active risk management in your organization, you will want to take stock of your organization’s readiness to engage in this kind of focused effort. It helps to think through questions that will allow you to gauge how open your board and staff members are for a deep dive into the mechanics of your organization’s operations and how prepared they are to deal with the challenges they find.
1. What is your nonprofit’s legal structure and its lifecycle and culture? Are you a start-up or legacy operation or something in-between? Does your nonprofit rely on formal or flexible policies and practices? Are your board and staff comfortable working across departments, programs, and divisions? Are most of your managers promoted from within or do you recruit more broadly?
2. Does your nonprofit have experience with organizational and department planning? Do you have a strategic and annual plan or annual goals document? Have we implemented a strategic or business plan successfully before?
3. Are staff at all levels familiar with your quality improvement and performance and accountability expectations?
4. Is your nonprofit comfortable talking about mistakes, missteps or missed opportunities?
5. How receptive and welcoming is your nonprofit to change?
Here are some additional questions to consider as you think about introducing active risk management into your organization:
- Organization structure. How is your organization structured? Are you an association, network, or federation? Do you have subsidiaries, do you have a single administrative entity and one set of policies, or are affiliates managing their own back office and setting their own policies? Are your activities housed in one office or are your operation spread out across locations? Is liability shared by the organization overall or held by affiliates?
- Governance structure. How does your Board of Directors operate. Are roles and responsibilities and meeting schedules formalized or flexible? Are bylaws up-to-date? Are terms of office specified or open? Do you operate with active board committees or an executive committee? Does your Board monitor program quality, performance and/or compliance?
- Management structure. How does the organization operate? Do you have a strong executive or a management team approach? Is your management hierarchy (reporting lines, span of control, roles and responsibilities, and decision-making authority) linear or matrixed, delineated or fluid? Do staff and volunteers know what their responsibilities are, to whom they report and the scope and limits of their decision-making authority? Is decision-making authority centralized or delegated?
- Business Model. What services does your nonprofit provide and how do you deliver and pay for them? Do you provide a single service or are you a multi-service organization? Do you hold government contracts or receive government funding? Are you privately funded for all or part of your work? Are you staffed by employees, volunteers, or independent contractors? Do you operate in a single or across multiple jurisdictions?
Asking and answering these questions will help you frame your thinking about who to engage and how to structure an active risk management program in your organization.