Understanding the aggregate amount of risk associated with organizational performance and operations is the first step in a process to mitigate it. Organizational risk is assessed along a continuum, as there is no universal risk approach for all nonprofits. As a nonprofit leader moving into the world of active risk management, you must consider the aggregate amount of risk your nonprofit actually carries and bears – its risk profile – and its ability to tolerate and balance risk-taking – its risk appetite.
A nonprofit’s risk profile is the overall level of risk carried by your organization in its daily work. This includes internal risk as well as the external risk environment in which your organization operates. Your nonprofit’s risk profile is based upon an assessment of internal weaknesses, external threats, and leadership’s ability to tolerate exposure and vulnerabilities. The risk profile you develop will take your mission, strategy, plans, and objectives and marry them with executive and board tolerance for uncertainty and surprise. The risk profile will consider known, new, or emerging risks, and it will contemplate three additional types of risk: preventable risk that is usually related to internal practices that can be improved, strategy risk that contemplates likely risks and plans to contain them, and external risk that cannot be controlled but can be anticipated and mitigated with advance preparation.
Assessing your organization’s risk profile is not about compliance and audits, nor is it about rules and regulations. Checklists and rules-based risk models do not diminish the likelihood or impact of risk events or the impact of cascading risk. Understanding your risk profile will enable you to anchor risk assessment to risk mitigation activities throughout your organization.
As with many challenges in life, actively managing risk means knowing and accepting your own strengths and limitations. To deal with risk, you must know how much of it your organization, staff, and leadership can bear and come to the work with an understanding of your organization’s capacity to manage it. The process of developing your risk profile starts by figuring out your appetite for risk.
A nonprofit’s appetite for risk is the amount of operational uncertainty an organization is willing to accept to reach its goals, and it reflects how risk-averse or daring, entrepreneurial or deliberative your organization is. Both you and your organization need to determine how much risk you are willing to accept in pursuing goals. This can change over time. Determining appetite is an exercise in finding the sweet spot between risk and expected payoff. One’s appetite for risk is usually measured as a vulnerability parameter in one or more functional areas of operations: financial, operational, programmatic, and strategic. Active risk management is the thoughtful process of recognizing and controlling risks so you can protect and conserve resources. Any active risk management program you put in place will cover all aspects of your organization, including its mission, services, strategic goals, activities, staffing, funding, and ongoing operations. Because it is far better to plan for risk than to deal with problems on an emergency basis, it is important for you to have a sense of the amount and types of risks that can be handled comfortably.