In our last post, we explained how the human brain creates risk management challenges. In light of those issues, in this post we describe nine core commitments that enhance the likelihood of risk management success. We also provide questions for reflection and discussion under each commitment to help you build a risk-aware culture.
1. Risk management is a process.
Risk management is never completed, but instead always ongoing. As with the adoption of any new process, it will have predictable and unpredictable hurdles. The organization will reap some easy rewards and face some unexpected challenges. The value lies in pressing on.
Questions about adopting a risk management process. Here are some questions to explore:
- As an organization, do we have the commitment to implement risk management, even when we face setbacks?
- What resources can we set aside initially in order to support risk management?
2. Awareness trumps ignorance.
If you have read this far in this series, you agree that knowing is better than not knowing. It is better to know what you are up against, so that you can prepare and respond. Indeed, it can be challenging to understand why someone would ever prefer ignorance.
Yet it is perfectly rational for someone to value ignorance over awareness. A person may feel overwhelmed, so that he does not want to add additional issues to his awareness. He may feel comfortable in the moment, but may worry about feeling overwhelmed if he learns more information. He may worry about his ability to handle additional information, including evaluating that information and making choices about it. He may subconsciously wish to avoid the cognitive dissonance that might occur if new information unsettles his current perceptions and preferences. He may feel that additional information will undermine him or cast doubt upon his choices and actions. He may fear what he may learn. Or he may feel powerless to act upon new information.
Risk management, then, can make people uncomfortable. Risk management emphasizes that it is better to know than to remain ignorant. An organization adopting a risk management program must become comfortable with the notion that, on balance, a hard truth is better than an easy lie.
Questions to raise about awareness and ignorance. An organization moving toward risk management should explore the emotions and beliefs of those who will be involved. Risk management may create discomfort, raise past errors, and even identify wrongful conduct. It’s important to gauge how the team feels about that step. Some questions to explore might include the following:
- What is the worst that can happen if we adopt a risk management program?
- What’s the best that can happen if we adopt a risk management program?
- What is the worst that can happen if we do not adopt a risk management program?
- What safeguards can we put in place to increase the comfort level of our team as we begin implementing a risk management program?
3. Simple trumps complex.
Lean risk management emphasizes that when faced with uncertainty, it pays to remove complexity. Whether in a process, a program, or a set of rules, complexity increases the likelihood of error and misunderstanding. Process improvement experts emphasize that standardizing the steps involved, reducing the number of steps, reducing options that could require additional branches of action or analysis, and reducing the number of individually tailored steps within a process will increase productivity, reliability, and effectiveness.
Questions about simplicity. Here are some questions that can be raised with a team about simplicity:
- Have we evaluated each of the major functions within our nonprofit to determine the core processes within that function?
- Have we documented the core processes within each function?
- Have we looked at each core process to determine whether each step is necessary, whether any step might be modified so as to reduce complexity, or whether any step might be standardized?
4. Mistakes are necessary. Making the same mistake repeatedly is not.
People and organizations are imperfect. Thus, risk management emphasizes mistakes. A nonprofit adopting a successful risk management program needs to accept that even the best team members and teams will make errors. Punishing errors and embarrassing those who make them undermines accountability and inhibits progress. An organization that is uncomfortable with admitting mistakes needs to raise and address that issue.
On the other hand, risk management seeks a culture of accountability. If people are making mistakes because they don’t know their jobs, that is a management problem, not an employee problem. Management needs to properly train and position employees. If someone is willfully neglecting procedures, or repeatedly careless, however, the nonprofit needs to address that, rather than ignoring it in a misguided effort to smooth things over.
Questions to raise about mistakes. An organization adopting risk management may want to raise the following questions for discussion:
- Who within the organization has never made a mistake?
- What are some organizational stories about significant mistakes and how the organization responded?
- What models of overcoming mistakes may we as an organization hold up as admirable?
- If we have hired the right people for a particular job, can we accept that repeated mistakes by a team member show an organizational training or job description fault to be corrected, rather than an individual fault to be punished?
5. We can never be perfect. We can always improve.
Perfectionism is incompatible with risk management. Risk management is built on the proposition that certainty is impossible. On the other hand, the risk management cycle is premised upon the idea that continuous improvement is always possible. As noted previously, the Japanese have a term for this idea: kaizen, defined as a continuous effort to improve across all levels of an organization, beginning with the individual. By focusing upon steady, incremental change, an organization can achieve significant progress over time. By adopting this philosophy, an organization beginning risk management can create a culture that emphasizes learning and improvement and deemphasizes smugness or embarrassment about mistakes.
Questions to ask about continuous improvement. Here are some questions an organization can raise about kaizen:
- What programs, training, and mechanisms do we currently have in place to help individual members of our team become better at their current jobs?
- What programs, training, and mechanisms do we have in place to permit team members to suggest improvements both within their job and with respect to other functions?
- How can we create incentives for our team members to raise potential improvements for the organization?
6. What gets measured gets done.
Metrics matter. Unless a nonprofit has identified concrete criteria for determining success or failure, and conveyed those metrics to those who will be held responsible, the organization cannot enforce accountability.
Nonprofits often object that metrics for various functions are arbitrary, especially when outcomes are difficult to measure. Indeed, as Douglas Hubbard explains in his book How to Measure Anything, such objections are not unique to the nonprofit sector. Hubbard notes that organizations and individuals may object to whether something can be measured and whether it should be measured:
“There are just three reasons why people think that something can’t be measured. Each of these three reasons is actually based on misconceptions about different aspects of measurement. I will call them concept, object, and method.
“1. Concept of measurement. The definition of measurement itself is widely misunderstood. If one understands what measurement actually means, a lot more things become measurable.
“2. Object of measurement. The thing being measured is not well defined. Sloppy and ambiguous language gets in the way of measurement.
“3. Methods of measurement. Many procedures of empirical observation are not well known. If people were familiar with some of these basic methods, it would become apparent that many things thought to be unmeasurable are not only measurable but many already have been measured.
“In addition to these reasons why something can’t be measured, there are also three common reasons why something “shouldn’t” be measured. The reasons often given for why something “shouldn’t” be measured are:
“1. The economic objection to measurement (i.e., any measurement would be too expensive).
“2. The general objection to the usefulness and meaningfulness of statistics (i.e., “You can prove anything with statistics”).
“3. The ethical objection (i.e., we shouldn’t measure it because it would be immoral to measure it).”
As demonstrated by Hubbard’s insights and throughout the balance of these essays, however, reasonable measurement metrics can be established for almost any inquiry. Emphasizing measurable outcomes can significantly reduce uncertainty and increase accountability.
Questions for metrics. Here are some questions to explore relating to measurement within the nonprofit:
- What are our most important metrics with respect to each function within the nonprofit?
- How are those metrics conveyed to those who will be held accountable?
7. Senior management must support risk management.
Because risk management is designed in part to identify threats, identify and learn from mistakes, and improve processes over time, adopting a risk management program shows a commitment to the possibility of change. If senior management is not visibly and vocally behind that effort, risk management will likely stumble.
Questions about senior management support. Here are some questions to ask in order to gauge senior management support for a risk management program:
- Has the nonprofit’s board of directors adopted a resolution supporting risk management within the organization?
- Has the CEO or executive director provided a memorandum to all team members explaining the implementation of the risk management program, identifying the key milestones in that implementation, describing the value proposition of risk management, and asking for feedback?
- Have senior staff been trained on what risk management is, how it is implemented, and why it is important?
8. Context is critical.
Risk management raises, but does not answer, questions about ultimate organizational goals. Thus, an organization beginning a risk management program needs to identify its organizational objectives and how it is performing with respect to those objectives. Risk management is a means to an end, but those ends shape the means.
Questions about context. Here are some important questions to determine context within the organization:
- To what ends are we managing risk? In other words, what does our strategic plan set out as our objectives? How are we performing when measured against those objectives?
- Have we adopted an annual operating plan and, if so, what objectives are identified in that plan? How are we performing against those objectives?
- What is the organization’s mission statement? What challenges have been experienced with respect to that mission in recent years? What challenges do we foresee?
- What core values drive the organization? How are those values incorporated into operations, hiring and firing, and other aspects of the nonprofit?
9. We need risk management goals.
When an organization adopts risk management, it needs goals and milestones. Otherwise, there is no basis for evaluation.
Questions for risk management goals. Here are some questions to explore with respect to goals:
- How will we know if our adoption of risk management is a success?
- How will we know if our adoption of a risk management program is such a failure that it should be abandoned?
- What are our significant milestones during implementation of our risk management program?
* * *
Any human endeavor is fraught with risk. Humans are fallible creatures. A risk management process built on the core commitments above, however, provides a way to harness a team’s efforts productively, leading to at least four potential benefits:
Institutionalized inquiry, learning, and multiple perspectives. An effective risk management process engages multiple perspectives. As a result, it reduces reliance on any one viewpoint. This diversity helps account for and respond to the fact that any one perspective is colored by individual interpretation and expression. Thus, we may expect better decisions:
“We should not expect individuals to produce good, open-minded, truth-seeking reasoning, particularly when self-interest or reputational concerns are in play. But if you put individuals together in the right way, such that some individuals can use their reasoning powers to disconfirm the claims of others, and all individuals feel some common bond or shared fate that allows them to interact civilly, you can create a group that ends up producing good reasoning as an emergent property of the social system.”
A routine of accountability and humility. Risk management can create a routine of interaction about important issues within the organization. By doing so (by actively encouraging and requiring the organization to list, discuss, and address threats and opportunities), it can reduce reliance on our fallible memories and instead begin emphasizing reality and accountability.
“Understanding how the mind yearns for consonance, and rejects information that questions our beliefs, decisions, or preferences, teaches us to be open to the possibility of error. It also helps us let go of the need to be right. Confidence is a fine and useful quality; none of us would want a physician who was forever wallowing in uncertainty and couldn’t decide how to treat our illness, but we do want one who is open-minded and willing to learn. Nor would most of us wish to live without passions or convictions, which give our lives meaning and color, energy and hope. But the unbending need to be right inevitably produces self-righteousness. When confidence and convictions are unleavened by humility, by an acceptance of fallibility, people can easily cross the line from healthy self-assurance to arrogance.”
Reduced uncertainty. Effective risk management compels an organization to identify threats and opportunities. This process itself reduces uncertainty by bringing attention to issues that might otherwise go unnoticed by senior management. But then, once threats and opportunities are identified, the organization may focus resources on gathering information about particular risks. As explored in a later post, management can then develop targeted actions to reduce uncertainty about those risks.
Increased awareness of opportunities. The risk management methodology set forth in this series emphasizes the upside of risk, as well as the downside. Thus, risk management can help a nonprofit be more opportunistic about potential initiatives.
In short, risk management cannot guarantee success. But it’s dramatically better than the alternatives.