In the first eight installments in this series about lean risk management (LRM), we have explained why risk management is important and made the case that nonprofits should implement risk management processes after they exit the startup phase, if not before. In the next segment of this series, we will provide practical, step-by-step guidance about how to begin LRM. We begin that here, where we will describe significant milestones during implementation of an LRM process.
This has been the most challenging essay thus far in this series to write, because it attempts to define a timeline for a path that can have many forks and byways. Nonprofits have disparate levels of pre-existing risk management sophistication. They face varied cultural constraints and may be at widely divergent stages of organizational maturity. Thus, it is impossible to map a set of steps that all nonprofits should take in particular order. Moreover, because adopting risk management involves change management, other activities must accompany risk management tasks in the timeline.
Still, certain LRM steps tend to fall in a settled pattern. This post maps out those steps and provides guidance about how other necessary activities may be tucked into the overall path of adoption.
Seven Milestone Events
Adopting lean risk management is an organizational change. Thus, as with other change-management efforts, as you adopt lean risk management you will need to identify stakeholders, develop internal sponsors, create a shared vision, name goals, and budget for success. There is no set order for completing those tasks. They will be completed along with the seven milestones I set out below, and I will describe these tasks separately. Here, we set out the seven milestone events common among all risk management adoptions, including performing an initial risk inventory, developing an initial risk register, implementing a risk cycle among senior staff, training the board of directors, training mid-level personnel, and training line personnel.
1. Develop a Timeline
Like any other project, lean risk management takes time. Depending on the intensity of your work and the resources you commit, you can expect to develop a functional lean risk management process within 18 to 24 months. Of course, you will gain benefits along the way. Some of the early steps of risk management, including an initial risk inventory, yield powerful insights and identify low-hanging fruit, including threats that can be addressed before they ripen into crises, and opportunities for changes that yield significant returns. Still, one cannot expect changes overnight.
We advise that your formal timeline lay out these tasks and adopt a tentative schedule. Here’s a suggested approach:
By Month 1: Complete a tentative project timeline.
By Month 2: Complete the risk inventory.
By Month 3: Complete the initial risk register.
By Month 9: Implement a risk cycle among senior personnel and begin change management tasks.
By Month 15: Complete training of board of directors.
By Month 18: Complete training of mid-level personnel.
By Month 24: Complete training of line personnel.
2. Perform a Risk Inventory
The first activity you will perform as part of adopting a risk management process is the risk inventory, where a team within your organization will identify threats and opportunities across every function within the nonprofit, as well as external risks that could impact the organization.
As noted above, we advise a nonprofit to engage in this step early on during the adoption of risk management. Adopting a risk management process should be incremental and exploratory. Fortunately, a risk inventory does not require significant budget commitments. It is a toe-in-the-water activity. Thus, a risk inventory can and ordinarily should precede full commitment to adopting lean risk management. We provide detailed instructions for performing a risk inventory elsewhere. We will also address the risk inventory in detail over an upcoming series of posts.
3. Develop a Risk Register
Following close on the completion of an initial risk inventory, the organization should develop its first risk register. This involves prioritizing the risks identified in the inventory into the most important threats and opportunities facing the organization, then assigning those risks for specific follow-up from team members who commit to “own” those risks.
4. Implement a Risk Management Cycle Among Senior Staff
After performing a risk inventory and developing an initial risk register, a nonprofit should work to implement a regular risk management cycle among senior staff. This means raising the risk register as a regular agenda item at senior staff meetings, updating the register to reflect changes in priority as the organization addresses particular risks, and adding threats and opportunities as those arise in the ordinary course of business.
This milestone is important for a number of reasons. First, the organization needs to regularize the notion of risk management within senior staff. Second, the organization wants to reinforce a common vocabulary among its leadership. Finally, the organization seeks to tease out any frictions and inefficiencies within the system.
5. Train the Board
We advise waiting to train your board about risk management until after the organization has performed its initial risk inventory, developed its risk register, and regularized a risk management cycle within senior management. At that point, the board can be trained on its critical but limited function in risk management.
6. Train Mid-Level Personnel
After senior personnel have regularized the risk management cycle within their senior staff meetings, mid-level personnel should be brought into the process. They should learn how to “manage up” with respect to their supervisors, raising risks and providing updates about progress and challenges. They should also learn how to “manage down” to their direct reports, identifying challenges rather than covering them up and encouraging line personnel to provide suggestions for improvement of activities throughout the organization.
7. Train Line Personnel
Finally, the organization should train line personnel about their risk management responsibilities. These may include the following:
- Act like owners. Risk management asks frontline personnel to think about how the job is performed while they perform their job. Workers should think about how they interact with others in order to achieve results.
- See something, say something. Risk management requires frontline personnel to act as the eyes and ears of senior management by identifying threats and opportunities they see in their everyday activities.
- Abide by policies and processes, but also suggest improvements. Risk management emphasizes that an organization must adopt clear policies and procedures to define how workers perform tasks. Clear policies and procedures may prohibit activities that pose a significant risk to the organization, or they may channel activities away from threats. Line personnel need to be made aware of the why behind the rules, so that they will more willingly follow instructions. But knowing the why, they may also be looking for ways that the purpose behind the procedure can be more effectively achieved. Line personnel therefore should be trained and empowered to suggest changes in policies and procedures.
- Admit mistakes and worries. Line personnel must also learn to be willing to admit when they make mistakes. They need to be encouraged to speak up about their concerns. They should be rewarded for being open and honest about their observations. Ultimately, by training line personnel to be vulnerable in this sense, the organization achieves greater strength and resiliency.
Change Management Tasks
As noted above, adopting risk management involves change management, as well. You will affect organizational culture, and you may encounter vested interests that need to be addressed and modified. As a result, you will need to accomplish basic change-management tasks along the path to lean risk management.
Identify Stakeholders and Their Interests
It is critical to identify those who have a stake in the implementation and success of a risk management process. Your Board of Directors, senior staff, line personnel, end-users of your services, and your donors all have distinct stakes.
The Board of Directors. As noted elsewhere, risk management is ultimately a governance function. The Board of Directors is responsible for ensuring that a nonprofit has a reasonable risk management program. Board members also have important practical stakes in risk management. Board members may serve on nonprofit boards for a variety of reasons, but at bottom they are performing a free service because they believe in the mission of the organization. Board members do not want to be embarrassed or ashamed by unforced errors within the organization. They don’t want to be held accountable for alleged breaches of their fiduciary duties because of preventable managerial or governance failures.
Counterbalancing these incentives to adopt risk management, however, some board members may be hesitant to adopt risk management because it diverts funds from ultimate end-users of the nonprofit’s services. Some board members may be worried about the so-called “overhead” borne by the nonprofit. Other board members may be unfamiliar with the concepts of risk management, particularly the modern concept that risk management should be focused not only on downside risks (threats) but also upside risks (opportunities).
Thus, a Board of Directors may be a natural ally in adopting risk management, but one cannot presume that every board member will immediately be on board with the concept.
Senior Staff. Senior staff may have strong incentives to adopt risk management practices. Effective lean risk management can streamline operations and allow senior staff to greatly extend their vision into the everyday activities of the organization. An effective risk management process can provide a window into line operations and serve as a self-sustaining early warning system.
Nevertheless, senior staff may be hesitant to adopt risk management. First, they may worry that a risk management process will uncover mismanagement or poor choices. They may also be hesitant to open their functional area to comment and potential criticism from other senior staff members. Finally, they may feel that risk management activities distract them and their direct reports from performing the functional tasks for which they are responsible (and upon which their compensation may depend).
Line Personnel. Line personnel may have mixed feelings about adopting risk management. To the extent risk management is perceived as adding additional tasks, they may resist. If risk management identifies mistakes and poor performance, they may feel uncomfortable. If they perceive that the culture is not going to allow them to speak up about their potential concerns, they may hesitate to participate.
On the other hand, a risk management process can energize and empower line personnel to take a more active role in their organization. Risk management can provide a channel for voicing frustrations about inefficient and ineffective processes. It can also provide a forum for identifying and exploring new initiatives that could materially improve working conditions and effectiveness within the organization.
End-Users of Nonprofit Goods or Services. The users of your nonprofit’s goods and services have a direct stake in your risk management process. One core objective of a risk management process is to make an organization a safer, more effective, more sustainable provider of goods and services. Ultimately, current and future recipients of your services are the beneficiaries of those risk management activities.
Donors. Your funders also have an important stake in your risk management work. As noted previously, funders are concerned that nonprofits are not doing enough about risk management. Ultimately, funders want to see nonprofits achieve their objectives. Risk management enhances the likelihood that a nonprofit will avoid unforced errors and respond to uncertainty with greater agility. That increases the likelihood of meeting mission-critical objectives.
Still, some donors may need some persuading to see the value proposition behind investment in risk management. It’s a sad fact that some funders balk at any non-programmatic spending. For those donors, you could refer them to information showing why funders have a strong interest in your adoption of an effective risk management process.
Seek Senior Leadership Sponsorship
A risk management program needs internal champions in order to succeed.
The obvious candidate for risk management leadership is the executive director or CEO. An effective risk management program will not be implemented over the objection of the executive director/CEO. If the executive director does not make risk management a priority, any risk management function will be stunted. If the executive director resists, s/he will have plenty of tools available to sabotage the effort. On the other hand, an executive director can emphasize the priority of risk management by raising the issue with senior leadership, raising the issue with staff in general, raising the issue with the Board of Directors, demonstrating an awareness of risk management vocabulary and best practices, and allocating budgetary resources to risk management.
A risk management process also will not achieve its objectives unless the Board of Directors at least supports the concept of implementing a risk management process. This does not mean, however, that the Board ordinarily leads in the early stages of risk management adoption. As with many initiatives within a nonprofit, staff may lead the board in this process. Staff may well be better informed than volunteer board members about nonprofit governance best practices. Furthermore, staff may be focused more on the operational realities of the organization.
Thus, as advised in the timeline above, staff might decide to perform a risk inventory, develop the organization’s first risk register, and begin regularizing a risk cycle within senior leadership before bringing the initiative to the Board for long-term consideration. Performing those initial tasks may give critical support to the effort by identifying low-hanging fruit that proves risk management’s value proposition to the board over the longer haul.
Develop and Foster a Shared Vision
A nonprofit also needs to adopt a shared vision of why the organization is embarking on a risk management initiative. This vision may include some or all of the following rationales:
- The nonprofit may wish to meet minimum best practice standards within the state, including those addressing risk management and process improvement.
- The nonprofit may want to bolster its strategic planning function by creating a foundation of awareness about the organization’s actual capacities and challenges.
- The nonprofit may want to provide measurable increases in safety for personnel and operational resilience for the organization.
- The organization may want to reduce insurance costs.
- The nonprofit may wish to demonstrate its commitment to risk management to various stakeholders, including those identified above.
- The nonprofit may want to increase the visibility of threats and opportunities throughout the organization.
- The organization may want to develop a process that leads to measurable performance improvement year over year.
- Finally, the organization may wish to foster a culture of learning, willingness to express concerns, and willingness to admit errors.
Articulating a shared vision is critical groundwork for effective risk management. A shared vision can overcome objections. A common understanding of what is at stake can energize teams to perform tasks they would otherwise hesitate to perform. A shared vision can also provide comfort and direction when a project gets bogged down. When the path gets tough, it is important to keep in mind why the destination is important.
It’s not enough to say “we want to adopt a risk management process.” Without some concrete goals, it may be impossible to determine whether or when you achieve that outcome. Assuming you follow the timeline above, by the time you set goals your senior staff will have already achieved certain milestones. From that vantage, effective goals may include the following:
- Complete orientation and training of senior staff.
- Complete orientation and training of the Board of Directors.
- Complete training of line personnel.
- Identify at least X number of new opportunities as a result of regular risk management meetings.
- Complete X straight months of considering the risk register at least monthly during one or more senior staff meetings.
- Identify at least X number of new threats as a result of regular risk management meetings.
- Increase self-reported staff awareness of risk management vocabulary and responsibilities by X percent.
- Reduce insurance costs by X percent.
Develop a Budget
Your risk management work will require both time and money. Even if you do not engage outside consultants to assist you in the process, paying attention to risk management issues will require some dedicated staff effort. If you are like most nonprofits, you likely do not have substantial unencumbered personnel right now to devote to risk management. Depending on the size and sophistication of your organization, heading up the risk management effort could range from much less than a full-time job to a full-time job for multiple staff members. You can expect your risk management efforts to pay off with reduced time and effort for certain tasks over time, but you cannot expect that payoff to be immediate. You will need to allocate resources.
If you engage outside support, you can expect that a risk inventory and associated training for a small group of senior leaders might cost between $5,000 and $15,000 (depending on the size of your organization), developing a risk register might cost an additional $5,000 to $10,000, board training may cost between $5,000 and $20,000, and mid-level and line personnel training might cost an additional $20,000 or more (again, depending on the size of your organization).
Of course, the investment compares favorably with the cost of even a single public misstep. In this era of instantaneous communication and permanent electronic records, an error can cascade into a crisis overnight. Even if risk management does not prevent crises, the existence of an effective program can provide staff and Board with comfort that they are doing their best to steward the organization. Accordingly, when allocating resources toward risk management, you should consider it a bedrock expenditure.
Take your time in adopting lean risk management. Be deliberate, and at each stage, pause to see what’s going well and what needs improvement. By all means, however, do adopt a risk management process. Your nonprofit’s long-term resilience depends on it.