Nonprofits work in highly risky contexts, but are expected to be risk-averse. They are told to adopt risk management, but not told when or how. They see how other sectors have begun adopting risk management principles, but find little guidance about how to adapt those same principles to their sector.
We want to change that this year. Starting tomorrow, we will publish a series of essays about how nonprofits can begin using risk management to improve their performance.
Here’s our tentative plan of publication. We say “tentative” because these are real “essays” — attempts or tries. These essays will not be the last word in nonprofit risk management. On some topics, they might be the first. As we receive feedback and watch the sector over the coming year, we may dive deeper into some topics or change the structure to accommodate current events.
We will begin with an overview of the nonprofit sector’s breadth. After providing this important context, we will describe risk management and contrast it with other activities. Also, because these essays will advocate a new form of risk management that we call “lean” risk management, we will also introduce the concept of “lean.”
We will then provide an overview of why risk management is necessary and how it can improve nonprofit performance. Lean risk management capitalizes on insights derived from contemporary research into the human brain. We tend to think about threats and opportunities in ways that hinder individual and organizational performance. By acknowledging those shortcuts and shortcomings and creating routines to avoid or reduce them, risk management helps an organization internalize learning, adaptation, and continuous improvement.
Next we will address the question of when in its life-cycle a nonprofit should adopt a risk management program. When a nonprofit is just getting underway, risk management may not be its top concern. An organization can look for signals that suggest when investment in non-profit risk management should become a priority.
The Risk Cycle – Identify, Prioritize, Respond, and Assess and Improve
Once a nonprofit decides that it is time to begin implementing risk management, it must decide how. These essays will provide a step-by-step path for piloting a risk management program. We will also describe the key commitments an organization must make in order to benefit from risk management. Certain attitudes improve the likelihood that risk management will be successful. We will identify those mindsets.
We will then detail the basic tools of risk management, including the risk inventory, the risk register, and the risk cycle. We will initially provide detailed guidance on how to perform a risk inventory within an organization. We will describe the risk inventory process — who should be involved, its timing, and what to expect during the process. Then we will provide detailed questions that can stimulate awareness of threats and opportunities throughout every functional area of an organization, including:
“Sales” to Users of Nonprofit Goods or Services,
Planning and Visioning.
We will also provide guidance about how to evaluate the external context in which your nonprofit operates.
We will next describe how to prioritize risks. We will describe different ways measuring risks against each other so that the organization can determine what threats and opportunities should receive top focus. The key tool introduced in this part of these essays is the risk register. This is a simple spreadsheet providing a prioritized punch list of risks, who is responsible for each risk, what the next step is with respect to that risk, and when the team should check back on that risk.
In the next segment of these essays, we will describe how a nonprofit can respond to particular risks. An organization has five basic approaches. First, it may need to research and measure threats and opportunities, to determine whether they are real and gather information about their true nature. For positive risks — opportunities — the organization should develop the opportunity, ordinarily using a pilot program. For negative risks — threats — the nonprofit has three options. It can try to avoid such risks by creating policies and procedures that steer the team away from dangerous ground. It can reduce (or mitigate) the threat by taking steps that decrease the likelihood of the threat happening, decrease its impact if it happens, or create early warning signals that provide lag time between awareness of the threat and its full impact. Finally, it can shift that risk to others using contracts, joint ventures, or insurance.
What should an organization do after identifying, prioritizing, and responding to risks? A nonprofit cannot live without risk – indeed it doesn’t want to. Nonprofits must accept some risk in order to function within the sector. Thus, one aspect of risk management is accepting residual risk.
But acceptance is not a passive process. To the contrary, an organization must periodically assess how its responses to identify threats and opportunities are working out. It can strive to improve its processes so as to be more efficient and effective over time. And finally, an organization can turn the risk management process into a risk cycle. Thus, we will describe how a nonprofit can raise risk management issues during everyday operations. We will also detail how a nonprofit can supplement its risk identification process by building in feedback loops for employees, end-users of services, and other stakeholders. The ultimate goal is to bake risk awareness and risk agility into every aspect of the nonprofit. Throughout this part of the series, we will explain how lean management insights, which emphasize continuous process improvement, can bolster the effectiveness of risk management efforts.
We will then turn to what we call the “meta-cycle” of risk management, which involves the board of directors. Nonprofit boards have a limited but critical role in risk management. We will describe the board’s role and provide tools that can be used to raise board awareness of risk management and energize the board to accomplish its tasks effectively.
After providing a timeline for implementation, we will discuss standard objections to adopting a risk management program. These include cost, competing priorities, employee resistance, “cultural” factors within the organization, fear of what might be uncovered, and worries about the burden that might be imposed by creating a risk management overlay on operations. We hope to show why those objections are readily overcome.
Inviting Your Questions
Again, these will be essays. We have thought a lot about the issues and advised many organizations about how to use lean risk management, but we welcome questions, comments, and critiques. If you have particular issues you would like us to address, let us know. Please use the comments section to interact with us along the way.