Learning the Language of Nonprofit Risk Management

When people use the term “risk” in everyday conversation, they often mean the possibility of a negative outcome. One talks about the risk of catching the flu, drinking and driving, or walking across the street without looking both ways.

Some academics and risk management professionals similarly define “risk” as “a state of uncertainty where some of the possibilities involve a loss, injury, catastrophe, or other undesirable outcome (i.e., something bad could happen).” (Hubbard 2009.) We disagree, and because the language of risk can be confusing, we spend this post describing what we mean by risk, risk management, and our favored approach, Lean Risk Management™. (If you are new to this series, you can see the overview here and the first post here.)

Risk, Threats, and Opportunities

These posts advise a holistic approach to risk. Risk is neither good nor bad. Risk is simply an acknowledgment of the fact that none of us can see into the future and predict exactly what will happen. Risk “is any deviation from the expected. Defined this way, risk includes both downside and upside volatility.” (Segal 2011.)

If the concept of “upside risk” seems foreign, consider financial investments. We expect a lower rate of return from a money market account than a stock mutual fund. Because the stock mutual fund is a collection of securities, each of which could go up or down in value, we expect greater volatility, but also greater potential return.

We hope that the mutual fund manager has chosen the collection of securities that, on balance, will appreciate in value. We understand that this might not be the case. We make the investment because there is risk, and we have some expectation of return that is commensurate with that risk.

When we work with risk management customers, we use the term “threat” when talking about potential negative events or consequences. A threat is something that could go wrong.

We use the term “opportunity” when talking about potential positive events or consequences. Whether it is a new initiative, changing a process or policy, entering into a joint venture, increasing staffing in a particular function, or enhancing the training and development of existing staff, an opportunity is something that could go right. An opportunity is an uncertainty that presents upside volatility.

Of course, in many large organizations, a risk process focuses almost exclusively on threats. Large organizations often devote significant budgets to identifying and mitigating threats. They may have entirely separate departments, such as research and development and strategic planning, devoted to positive potential risks. Thus, when larger organizations speak of “risk management,” they often mean prevention of loss.

Although classifying “risk management” as synonymous with “threat management” may make sense when an organization is large enough to have substantial nonprofit resources and divisions of labor, smaller, leaner organizations do not have that luxury. Thus, nonprofits beginning to implement lean risk management are best served by considering risk and risk management as dealing with both upside and downside uncertainties.

What is Risk Management?

If risk is uncertainty, risk management is about managing uncertainty. More specifically, as used in this series on Lean Risk Management™:

Risk management is a commitment to a process of gathering credible information about threats and opportunities in order to manage the risks faced by an organization.

First, risk management involves a commitment. Risk management involves a commitment by senior leadership and board members to have an organization identify threats and opportunities as a regular part of daily operations. Risk management does not mean casting an occasional eye toward uncertainty, but rather thinking about the potential consequences of activities as a matter of routine.

Second, risk management involves a process. Risk management is not something that can be done once in an exercise and never revisited again. It is instead a dynamic series of actions involving the adoption of systems, controls, policies, and procedures over time, then periodically evaluating those steps to achieve better results.

This does not mean that risk management is complex; to the contrary, the principles are simple. But it does mean that risk assessment is ongoing, rather than static.

Third, risk management involves information. Individually, people are not very good at gathering information or evaluating that information. However, by gathering more than one viewpoint, considering additional sources, and systematizing the way we evaluate, we can accomplish tremendous feats of risk analysis.

Finally, risk management involves management — that is, taking steps to assert control. Risk management is not passive, but rather emphasizes active effort to take meaningful actions to address threats and opportunities.

Three Tools of Risk Management

Risk management emphasizes three basic tools: the risk inventory, the risk register, and the risk cycle.

A risk inventory is a process of looking for threats and opportunities. As described in later posts, a risk inventory is an exercise that allows your team to identify risks within every function of the organization, as well as threats and opportunities presented by the external environment.

A risk register is a tool for prioritizing those risks, assigning them to responsible parties, and following up. We advise keeping it simple: an organization should use a basic spreadsheet listing the particular risk, its priority, who is responsible for the risk, the next step the organization intends to take, and the date by which that action should be taken.

As the team discovers new information or takes steps to address a particular risk, the risk may change priority and therefore go up or down on the list. Other threats or opportunities may be added. Some risks may be removed altogether as the organization deals with them. By gathering all these moving parts in a single document, the risk register provides a nonprofit with a dynamic, prioritized punch list of high-value items for the organization.

A risk cycle implements regular check-ins to drive home within your staff the fact that risk management is a regular part of business. These regular inquiries provide opportunities for team members to identify new risks, prioritize them, take steps in response, and then assess those risks in light of the responses.

A nonprofit does not engage in a single risk management “project.” Instead, effective risk management includes incorporating the identification, prioritization, response, and improvement steps into the organization’s standard operating procedures. This can be graphically demonstrated in the following diagram:

Identify. A successful nonprofit organization identifies threats and opportunities across its different functional areas. Initially, it does so through the “risk inventory” exercise just mentioned. Later, it hones that process by adding components that feed risk identification into the risk management process more organically, including feedback mechanisms for employees, donors, service recipients, and others.

Prioritize. When everything is important, nothing is important. Thus, the next step in effective risk management is to prioritize threats and opportunities, so that the organization understands its most important issues. As noted, an initial prioritization leads to the nonprofit’s first risk register.

Respond. Having identified threats and opportunities and prioritized them, the organization then makes decisions about how to respond. The nonprofit may decide to research and measure certain risks in order to understand them better.

It may adopt policies and procedures to avoid certain threats altogether. For example, it might adopt and post safety procedures, adopt a nondiscrimination policy, or adopt a whistleblower procedure to allow employees to come forward with their concerns.

The nonprofit may take steps to mitigate potential threats. It might fix a sidewalk to prevent injury, adopt a reserve policy to build a financial cushion, or implement nonprofit trainings for employees to perform tasks in a safer and more effective way.

It may take other steps to develop opportunities identified through risk management efforts, such as beginning new initiatives or changing established procedures in order to achieve greater effectiveness.

The nonprofit may also shift its risk to other parties using insurance, joint ventures, or contract language that changes the nature of its interactions.

Finally, a nonprofit may decide to simply monitor a risk to observe what happens over time, perhaps applying some “trigger” criteria to indicate a need to act.

Assess and Improve. After identifying, prioritizing, and responding to certain threats and opportunities, risks will remain. That’s the nature of a nonprofit or any other organization.

Since we can’t predict the future, we will always face uncertainty. Yet, effective risk management includes self-reflection to determine whether there are ways to improve the organization’s performance.

How are the policies and procedures working in practice? Have our mitigation efforts been effective, and could they improve through modification? Are we developing opportunities effectively, and do we have in place a methodology for identifying new opportunities? Have our risk-shifting activities accomplished their task in a cost-effective manner?

After responding, assessing, and improving, an organization does not rest. Instead, it continues to identify, prioritize, respond, and improve, and in doing so, it creates virtuous cycles of strength and resilience.

If you have a process for regularly identifying risks, prioritizing them, and dealing with them, and doing that over and over again, you have a risk management process. Although some large organizations may spend millions of dollars on risk management, the underlying process is the same when a nonprofit begins that journey.

Behind any potential complexity rests a simple question. How can we become increasingly aware of what is going on around us, including what we think might happen in the future, so that we can take the next reasonable step in the present moment to respond?

What is Lean Risk Management™?

In this series, we will explain that risk analysis goes hand in hand with continuous process improvement, a term popularized by the “lean management” movement. “Lean” arose out of work by Toyota Motor Company to do more with less during the early years after World War II. When Toyota caught up with and then surpassed US auto manufacturers in the early 1980s, academics and business leaders began evaluating and documenting what made Toyota different. (Womack et al. 1990.)

John Krafcik first referred to these practices as “lean” in 1988. (Krafcik 1988.) Since then, lean practices have spread not only within manufacturing, but also throughout service industries. (George 2003.)

As Jon Miller and his coauthors put it, lean businesses strive to advance “a set of core beliefs, including . . . engaging the total workforce, servant leadership, visualization of the real condition of things, respect for people, appreciation for standards, scientific problem-solving, alignment of purpose not only with customers but also with broad stakeholders, curiosity, humility, and a view to the long term.” (Miller et al. 2014.)

We advocate a Lean Risk Management™ approach for six reasons.

First, when properly performed, risk management is incremental and iterative. You perform a cycle, then check to see how the system responds. You don’t devote an enormous amount of nonprofit resources initially, and you never spend more than you need. Instead, you take it one step at a time. You use the three tools described above – the risk inventory, risk register, and risk cycle – to build the capacity you need over time. This incremental, data-driven approach is the essence of lean.

Second, risk management is not a senior management job. Rather, it involves energizing an entire workforce to identify and deal with risks as a part of everyday operations. The lean in lean risk management emphasizes shared accountability and staff empowerment.

Third, as in lean, a relentless focus on the customer should drive every risk management decision.

How do we currently provide value to the customer? What value do we really provide? How do we really know what the customer wants? What factors threaten or impede the stream of activities that lead to providing that value to the customer? What opportunities are available to improve our performance? These “value stream” questions, drawn from lean methodology, create powerful rubrics for guiding risk management decisions.

Fourth, most threats and opportunities that need to be managed are internal to organizations. By training to become radically aware of what the nonprofit currently faces, then taking measurable, incremental steps in response to those risks, organizations can achieve remarkable transformations over time. Lean management principles, methods, and tools provide detailed guidance for this continuous process improvement.

Fifth, “lean” philosophy emphasizes customer focus and continuous improvement so as to provide exactly what the customer wants, when he or she wants it, and with a minimum of waste. Given that nonprofits are always pushed to do more with less, lean principles and methods provide a reasoned basis for nonprofit operations.

But finally, and just as important, “lean” emphasizes investments in resilience and sustainability to serve clients and communities more effectively over time. Thus, a lean approach to risk management fits within a broader philosophy about nonprofits. Nonprofits need to be there for the long haul. It helps no one for nonprofits to run on a shoestring. The best risk management involves sustained investment in the nonprofit training and support of your team. Lean Risk Management™ is all about building better nonprofits.

