When people use the term “risk” in everyday conversation, they often mean the possibility a negative outcome. One talks about the risk of catching the flu, drinking and driving, or walking across the street without looking both ways. Some academicians and risk management professionals similarly define “risk” as “a state of uncertainty where some of the possibilities involve a loss, injury, catastrophe, or other undesirable outcome (i.e., something bad could happen).” (Hubbard 2009.) We disagree, and because the language of risk can be confusing, we spend this essay describing what we mean by risk and risk management.
Risk, Threats, and Opportunities
These essays advise a holistic approach to risk. Risk is neither good nor bad. Risk is simply an acknowledgment of the fact that none of us can see into the future and predict exactly what will happen. Risk “is any deviation from the expected. Defined this way, risk includes both downside and upside volatility.” (Segal 2011.)
If the concept of “upside risk” seems foreign, consider financial investments. We expect a lower rate of return from a money market account than a stock mutual fund. Because the stock mutual fund is a collection of securities, each of which could go up or down in value, we expect greater volatility, but also greater potential return. We hope that the mutual fund manager has chosen the collection of securities that, on balance, will appreciate in value. We understand that this might not be the case. We make the investment because there is risk, and we have some expectation of return that is commensurate with that risk.
When we work with risk management customers, we use the term “threat” when talking about potential negative events or consequences. A threat is something that could go wrong. We use the term “opportunity” when talking about potential positive events or consequences. Whether it is a new initiative, changing a process or policy, entering into a joint venture, increasing staffing in a particular function, or enhancing the training and development of existing staff, an opportunity is something that could go right. An opportunity is an uncertainty that presents upside volatility.
Of course, in many large organizations, risk management focuses almost exclusively on threats. Large organizations often devote significant budgets to identify and mitigate threats. They may have entire other departments like research and development and strategic planning devoted to positive risks. Thus, when larger organizations speak of “risk management,” they often mean prevention of loss. Although classifying “risk management” as synonymous with “threat management” may make sense when an organization is large enough to have substantial resources and divisions of labor, smaller, leaner organizations do not have that luxury. Thus, nonprofits beginning to implement lean risk management are best served by considering risk and risk management as dealing with both upside and downside uncertainties.
What is Risk Management?
If risk is uncertainty, risk management is about managing uncertainty. More specifically, as used in these essays:
Risk management is a commitment to a process of gathering credible information about threats and opportunities in order to manage the risks faced by an organization.
First, risk management involves a commitment. Risk management involves a commitment by senior leadership to have an organization identify threats and opportunities as a regular part of daily operations. Risk management does not mean casting an occasional eye toward uncertainty, but rather thinking about the potential consequences of activities as a matter of routine.
Second, risk management involves a process. Risk management is not something that can be done once in an exercise and never revisited again. It is instead a dynamic series of actions involving the adoption of systems, controls, policies, and procedures over time, then periodically evaluating those steps to achieve better results. This does not mean that risk management is complex; to the contrary, the principles are simple. But it does mean that risk management is ongoing, rather than static.
Third, risk management involves information. Individually, people are not very good at gathering information or evaluating that information. However, by gathering more than one viewpoint, considering additional sources, and systematizing the way we evaluate, we can accomplish tremendous feats of analysis.
Finally, risk management involves management — that is, taking steps to assert control. Risk management is not passive, but rather emphasizes active effort to take meaningful actions to address threats and opportunities.
Three Tools of Risk Management
Lean risk management emphasizes three basic tools: the risk inventory, the risk register, and the risk cycle.
A risk inventory is a process of looking for threats and opportunities. As described in later essays, a risk inventory is an exercise that allows your team to identify risks within every function of the organization, as well as threats and opportunities presented by the external environment.
A risk register is a methodology for prioritizing those risks, assigning them to responsible parties, and following up. We advise keeping it simple: an organization should adopt a basic Excel spreadsheet listing the particular risk, its priority, who is responsible for the risk, the next step the organization intends to take, and the date by which that action should be taken. As the team discovers new information or takes steps to address a particular risk, the risk may change priority and therefore go up or down on the list. Other threats or opportunities may be added. Some risks may be removed altogether as the organization deals with them. By gathering all these moving parts in a single document, the risk register provides a nonprofit with a dynamic prioritized punch list of high-value items for the organization.
A risk cycle implements regular check ins to drive home within your staff the fact that risk management is a regular part of business. These regular inquiries provide opportunities for team members to identify new risks, prioritize them, take steps in response, and then assess those risks in light of the responses. A nonprofit does not engage in a single risk management “project.” Instead, effective risk management includes incorporating the identification, prioritization, response, and improvement steps into the organization’s standard operating procedures. This can be graphically demonstrated in the following diagram:
Identify. An organization identifies threats and opportunities across its different functional areas. Initially, it does so through the “risk inventory” exercise just mentioned. Later, it hones that process by adding components that feed risk identification into the risk management process more organically, including feedback mechanisms for employees, donors, service recipients, and others.
Prioritize. When everything is important, nothing is important. Thus, the next step in effective risk management is to prioritize threats and opportunities, so that the organization understands its most important issues. As noted, an initial prioritization leads to the nonprofit’s first risk register.
Respond. Having identified threats and opportunities and prioritized them, the organization then makes decisions about how to respond. The nonprofit may decide to research and measure certain risks in order to understand them better. It may adopt policies and procedures to avoid certain threats altogether. For example, it might adopt and post safety procedures, adopt a nondiscrimination policy, or adopt a whistleblower procedure to allow employees to come forward with their concerns. The nonprofit may take steps to mitigate potential threats. It might fix a sidewalk to prevent injury, adopt a reserve policy to build a financial cushion, or train employees to perform tasks more safely and effectively. It may take other steps to develop opportunities identified through risk management efforts, including changing established procedures in order to achieve greater effectiveness or beginning new initiatives. The nonprofit may also shift its risk to other parties using insurance, joint ventures, or contract language that changes the nature of its interactions.
Assess and Improve. After identifying, prioritizing, and responding to certain threats and opportunities, risks will remain. That’s the nature of a nonprofit or any other organization. Since we can’t predict the future, we will always face uncertainty. Yet effective risk management includes self-reflection to determine whether there are ways to improve the organization’s performance. How are the policies and procedures working in practice? Have our mitigation efforts been effective, and could they improve through modification? Are we developing opportunities effectively, and do we have in place a methodology for identifying new opportunities? Have our risk-shifting activities accomplished their task in a cost-effective manner?
After responding, assessing, and improving, an organization does not rest. Instead, it continues to identify, prioritize, respond, and improve, in doing so, it creates virtuous cycles of strength and resilience.
If you have a process for regularly identifying risks, prioritizing them, and dealing with them, and doing that over and over again, you have a risk management process. Although some large organizations may spend millions of dollars on risk management, the underlying process is the same when a nonprofit begins that journey. Behind any potential complexity rests a simple question. How can we become increasingly aware of what is going on around us, including what we think might happen in the future, so that we can take the next reasonable step in the present moment to respond?
What Is Risk Management Not?
To gain a better idea of what risk management is, we can also identify what risk management is not.
Not Worrying. Risk management is the opposite of worry. Worrying is giving way to anxiety or unease. A nonprofit does not adopt risk management in order to fret or construct worst-case scenarios. Effective risk management programs do not freeze an organization or inhibit it from accomplishing its goals.
To the contrary, effective risk management helps an organization exercise informed judgment to manage its environment, control what it can control, take advantage of opportunities that are worth pursuing, and achieve its goals. As discussed in later essays, risk management decreases worry because senior leadership is more aware of the potential consequences of the nonprofit’s actions. Rather than fretting about the issues that lurk under every rock, the nonprofit executive can instead make informed decisions based upon greater awareness of the organization and its environment.
Not Strategic Planning. Because risk management uses the language of threats and opportunities, some nonprofit executives may be inclined to believe that risk management is synonymous with strategic planning. Most nonprofits have gone through strategic planning processes in which they have performed a SWOT analysis, which looks at strengths, weaknesses, opportunities, and threats. Yet risk management and strategic planning are distinct. Strategic planning projects into the future what an organization would like to accomplish. Risk management focuses on identifying threats and opportunities within the current environment so that the nonprofit can accomplish its goals.
Although much work has been done over the past decade to improve nonprofit strategic planning, most strategic planning is usually static, or at best episodic. A nonprofit engages an outside consultant to create a strategic plan. The strategic plan projects objectives into the future (usually three or five years) and may map out performance benchmarks along the way. Some strategic planning processes end there: the planners believe that by identifying objectives, they have provided value by creating a common sense of direction within the organization. Some strategic planning processes go further, revisiting the strategic plan periodically in order to assess progress and, if necessary, modify either the goals or the methodologies for achieving those goals.
By contrast, risk management emphasizes creating a dynamic process for identifying and addressing threats and opportunities as they arise within an organization. Risk management focuses on creating processes and procedures that energize all levels of an organization to be alert to issues that might affect operations. Effective risk management strives to create a “learning organization,” where employees are taught to ask questions, admit uncertainties, acknowledge mistakes, and improve every aspect of the organization over time.
Not Auditing. Some nonprofit executives believe that risk management is closely related to auditing. This misconception can arise in at least two contexts. First, they may believe that an organization does not need a risk management program because it undergoes annual financial audits. Second, they may believe that the auditing process performed by accountants is synonymous with risk management. Both beliefs are dangerously misguided.
Financial audits are performed by accountants. They are performed in order to determine whether a nonprofit’s financial statements are presented in accordance with generally accepted accounting principles. Nonprofits get annual audits either because they have reached a stage of income at which some regulatory authority demands annual audits, or they have funders who demand independent audits in order to have some outside verification of a nonprofits assets, liabilities, and cash flows.
Annual financial audits, however, are not the same as risk management. The purpose of an independent financial audit is not to identify threats and opportunities for an organization. Independent financial audits are performed solely for the purpose of providing some outside verification of the financial condition of the nonprofit. Auditors will routinely provide a “management letter” to a nonprofit at the conclusion of an audit identifying any material weaknesses in the financial reporting functions uncovered during the audit. They will sometimes provide additional notes and guidance about other operational issues they see during their audit. But auditors do not take responsibility for identifying risks throughout an organization. Having an annual audit in no way excuses an organization from having a risk management program. Any organization that took that approach would place itself in peril.
Not Insurance. Insurance and risk management are not synonymous. Insurance is one part of an effective risk management program, because it is one way of shifting certain threats to a third party. But for at least four reasons, in all but the smallest and newest nonprofits insurance cannot be the only risk management approach:
1. Risk management efforts can reduce the need for insurance and reduce its cost. The theory of risk management is to identify potential threats and take steps to reduce the likelihood or impact of those threats. Sound risk management can reduce the chances of identified risks coming to fruition. Risk management can reduce the magnitude of exposure. It can often reduce the speed at which potential problems turn into claims.
2. Insurance rarely covers all of a covered loss. Deductibles, co-pays, damage caps, and other limitations reduce the value of the insurance relative to the claim presented. Furthermore, to the extent that a claim results in litigation, the out-of-pocket costs of that litigation may not be covered by an insurance policy. Even if the litigation attorney’s fees and costs are covered, an insured faces substantial costs in terms of business disruption. And rarely does any form of insurance cover the reputational cost of claims against an organization. To paraphrase Warren Buffett, it takes a long time to build a reputation, but only a single incident to destroy it.
3. There are other ways to shift risk of loss. An insurance policy is basically an agreement in which both sides make a wager. You, as the insured, are hedging against the possibility that a claim will arise. The insurer is betting that, on average, few enough claims of the sort insured against will arise that the premiums, invested responsibly, will cover the company’s exposure and create profits. As a potential insured, you have other ways to hedge against a threat. To the extent the threats involve business relationships (e.g., employment, purchase or sale of goods or services), much of the risk can be identified and addressed through sound contracting practices. Other threats may be reduced by entering into joint venture, partnering, or consortium arrangements with others. Still other threats may be reduced by seeking and employing expert counsel (e.g., law, accounting).
4. Despite professions about being “a good neighbor,” standing “on your side,” putting you “in good hands,” insurance companies are in the business to make money. They make money by collecting premiums, investing that money, and avoiding the payment of claims to the greatest extent consistent with business ethics and the law. This means that any insurance policy will be subject to certain exclusions. It also means that the insured must carefully disclose all pertinent information in an insurance application. It is unsound business for an insurer to generously overlook exclusions or statements in an insurance application that could be read, in hindsight, to be less than fully candid. In other words, when the time comes to make a claim, never assume that an insurer is looking out for your organization. Only you can do that — through sound risk management.
Not A Crystal Ball. A risk management program does not attempt to catalog and address every possible threat and opportunity. No reasonable organization could ever achieve such omniscience, and it is fruitless and wasteful to try. As Nassim Nicholas Taleb has persuasively explained in his book The Black Swan, every organization faces the possibility of a “black swan” — an event that is outside the realm of regular expectations and yet has an enormous impact. (Taleb 2007.) But even ignoring extreme events, no organization can create a risk management program that identifies and addresses every possible risk. Risk management involves committing a reasonable amount of resources to being more aware of a nonprofit’s environment, and then taking steps to address the uncertainties within that environment.
Rather than thinking of risk management as a crystal ball, a better metaphor is a lamp in the darkness. A lamp doesn’t allow the traveler to see around corners or deep into pits. A lamp cannot prevent something harmful from sneaking up behind the traveler, nor does it generate the volition that impels the traveler on her journey. Still, a lamp can help the traveler identify hazards, avoid pitfalls, and perhaps find tools and paths along the way. Furthermore, as its light fades off into the distance, a lamp may provide the traveler with a healthy reminder of the limits of what can be seen, so that she chooses her course with due care and mindfulness.
Thus, as used in these essays, risk is not a bad thing. Risk simply is. Risk is an admission that there are no crystal balls. Risk management, as well, is an acknowledgment that there are no crystal balls. We cannot predict the future. However, by creating processes in which we identify current failures within an organization, current threats, and current opportunities, we can improve a nonprofit’s chance of meeting its current and future needs.