Nonprofits play a significant role in the US economy:
- In 2013, nonprofits provided 5.4 percent of the US gross domestic product — a total of $905.9 billion.
- Nonprofits employed approximately 13.5 million paid workers in 2007. Adding the full-time equivalent of volunteer hours, the nonprofit sector employed 18 million full-time equivalent workers, making it “the largest workforce of any US industry – larger than construction, larger than finance and insurance, even larger than retail trade and all of the branches of manufacturing combined.” (Salamon 2012.)
- Nonprofits comprise half the nation’s hospitals, almost half the institutions of higher education, close to 80 percent of vocational rehabilitation facilities, approximately 80 percent of day cares, almost all operas and orchestras, one out of every five nursing homes, and about one third of private clinics and home health care facilities. (Id.)
Impressive as those figures are, they understate the importance of nonprofits in our communities. Nonprofits often provide essential goods and services for those who are most at risk. They address the needs of those who, as a result of age, health, socioeconomic status, or power relationships, cannot operate effectively on their own in our economy. If the economy is an engine, nonprofits are the lubricant — reducing friction, helping the otherwise sharp edges of society function more productively.
Nonprofits strive for sustainability, growth, and responsiveness in order to meet their important role in society. Relatively few, however, have adopted one of the most powerful tools for improving resilience and agility: risk management. The very thought of “risk management” causes many nonprofit leaders to cringe. Risk management, they think, means worrying about everything that could go wrong. Nonprofit leaders already feel overwhelmed by the threats facing their organization. They may have read that nonprofits should adopt risk management processes and programs (Mintz 2012; O’Rourke 2013, Leonberger 2017), but they don’t want to head down a path that will impose additional burdens and create more anxiety for themselves and their overworked and underpaid teams.
This series of essays aims to shift that opinion.
This series will explain why risk management is essential for nonprofits. Until a nonprofit implements effective risk management,
- The nonprofit cannot know its true priorities, because it hasn’t rigorously identified and ranked its hidden threats and opportunities;
- The nonprofit cannot say that it is effectively stewarding donor resources, because it does not know the context in which those resources are being spent;
- The nonprofit unreasonably risks the health, safety, wellbeing, development, and engagement of its employees, because it has not confirmed whether it is adequately identifying and responding to threats in the workplace;
- The nonprofit places its service population in jeopardy, exposing beneficiaries to unwarranted threats; and
- The nonprofit is impeding its mission, because it has not applied a proven program for early warning and response to potential challenges.
By the end of this series, readers will understand that risk management is a powerful source of sustainability and growth.
Should You Read These Essays?
These essays are written principally for nonprofit staffs and boards of directors. You are being held to increasingly rigorous and unpredictable standards of care, and you need to understand how to use risk management principles to protect and advance their operations.
The essays are also written for funders. When funders place their resources in the hands of a nonprofit, they need to ensure that the investment is sound. A nonprofit that does not have risk management in place is flying blind. Under such circumstances, funders have no reasonable expectation that the nonprofit understands what its priorities should be or how it will perform with donated resources. As we will explain in these essays, funders are justifiably worried about nonprofit risk management, but they don’t have a common vocabulary for discussing risk management issues. Funders need to inform themselves about emerging risk management principles so that they can ensure that their target investments are using those principles effectively.
Finally, these essays are written for nonprofit advisers. Attorneys, accountants, and bankers for nonprofits need to be aware of whether their clients are protecting themselves from emerging threats and preparing themselves to capitalize on emerging opportunities. Consultants providing organizational development, leadership training, strategic planning services, or other advice to build nonprofit capacity need to consider how those efforts interact with the risk management function. Advisors and consultants can achieve substantial synergies by becoming more aware of what risk management is, why risk management is important, how it improves operations, and how it is implemented effectively.
What Is Risk Management?
Risk management is a commitment to a regular process of gathering credible information about the threats and opportunities in order to manage the risks faced by an organization. Each element of that definition is important.
Risk management involves a commitment. It is not sporadic, and it is not something that merely percolates up spontaneously from below within an organization. Risk management involves a commitment by senior leadership to become aware of risks and to use that awareness in decision-making.
Risk management involves a process. It is not a static activity. One doesn’t “do” risk management once, in an exercise, and never revisit it again. It is instead a dynamic series of actions or steps involving the adoption of systems, controls, policies, and procedures, then periodically evaluating those steps to achieve better results. But please, don’t be intimidated. This doesn’t mean risk management requires enormous effort. In fact, over time, risk management saves effort.
Risk management involves information. Individually we are imperfect gatherers or interpreters of information. Yet, by gathering diverse viewpoints, considering additional sources, and systematizing the way we evaluate, we can accomplish tremendous feats of analysis.
Finally, risk management involves management. This element emphasizes the ongoing nature of effective risk management. An organization commits to the process. It identifies threats and opportunities. It prioritizes. It takes action. And then it assesses the results and begins again.
Risk management is not a doctrine of fear, but instead empowerment. Taking action is part of any business, and any action brings risk. Make no mistake, standing still is also risky — in fact, the most dangerous act is hesitation in the face of a compelling need for decisive change. Risk management allows an organization to act with increased confidence and resolve, aware of threats and alert to opportunities.
As we will describe in detail later, the basic tools of risk management are simple. An organization begins with a “risk inventory,” during which team members identify threats and opportunities across the entire range of nonprofit functions. A nonprofit that implements the lessons within these pages will have a measurably greater awareness of the context in which it operates and its organizational strengths and weaknesses.
This inventory results in a “risk register” — a prioritized punch list of high-value threats and opportunities to be addressed, including a description of the risk, who “owns” that risk within the organization, what the next step is, and when the organization should check back about that risk. This tool can become a standard part of staff meetings and an important foundation for planning and operations.
These first two elements of risk management have a substantial return on investment. Performing a risk inventory and creating an organization’s first risk register may lead to dramatic results:
- Clarity, as the organization for the first time understands the range of threats and opportunities it faces.
- Identification of low-hanging fruit — important threats and opportunities that may be addressed with little expenditure and enormous potential return.
- Engagement, as team members feel that they are rewarded for speaking up to identify threats and opportunities.
- Buy-in, as team members develop a greater appreciation of the interrelationship of different functions within the nonprofit.
- A solid basis for short-term actions, as the inventory and prioritization processes identify pressing issues.
- An equally strong foundation for long-term planning, as the organization will have a greater understanding of the context in which it operates, including its current and potential reach.
Ultimately, effective risk management does not end with the risk inventory and risk register. Thus, this series will continue by explaining how to a nonprofit may incorporate a “risk cycle” into its operations, feeding the ongoing risk management process through team meetings, staff meetings, periodic evaluations, and feedback loops. Using this risk cycle, the nonprofit begins a routine of identifying and prioritizing risks, then responding, then evaluating and improving over time. (We will also focus on responses to risks, continuous improvement, incorporating a board of directors into risk decision-making, and overcoming objections to risk management.)
What Is “Lean”?
In these essays, we will also explain that risk management goes hand in hand with continuous process improvement, a term popularized by the “lean management” movement. “Lean” arose out of work by Toyota Motor Company to do more with less during the early years after World War II, when the company faced challenges while trying to compete with US auto manufacturers. Over time, Toyota came to emphasize empowerment on the shop floor, coupled with rigorous discipline to provide the maximum value to customers with a minimum of waste.
When Toyota caught up with and surpassed US auto manufacturers in the early 1980s, academics and business leaders began evaluating and documenting what made Toyota different. (Womack et al. 1990). John Krafcik first referred to these practices as “lean” in 1988. (Krafcik 1988.) Since then, lean practices have spread not only within manufacturing, but also throughout service industries. (George 2003.)
As Jon Miller and his coauthors put it, lean businesses strive to advance “a set of core beliefs, including . . . engaging the total workforce, servant leadership, visualization of the real condition of things, respect for people, appreciation for standards, scientific problem-solving, alignment of purpose not only with customers but also with broad stakeholders, curiosity, humility, and a view to the long term.” (Miller et al. 2014.) We advocate a “lean” risk management approach for five reasons.
First, when properly performed, risk management is not a senior management job. Rather, it involves energizing an entire workforce to identify and deal with risks as a part of everyday operations.
Second, a relentless focus on the customer should drive every risk management decision. How do we currently provide value to the customer? What value do we really provide? How do we really know what the customer wants? What factors threaten or impede the stream of activities that lead to providing that value to the customer? What opportunities are available to improve our performance? These “value stream” questions, drawn from lean methodology, create powerful rubrics for guiding risk management decisions.
Third, most threats and opportunities that need to be managed are internal to organizations. By training to become radically aware of what the nonprofit currently faces, then taking measurable, incremental steps in response to those risks, organizations can achieve remarkable transformations over time. Lean management principles, methods, and tools provide detailed guidance for this continuous process improvement.
Fourth, “lean” philosophy emphasizes customer focus and continuous improvement so as to provide exactly what the customer wants, when he or she wants it, with a minimum of waste. Given that nonprofits are always pushed to do more with less, lean principles and methods provide a reasoned basis for nonprofit operations.
But fifth, and just as important, “lean” emphasizes empowerment of line personnel, as well as investments in resilience, sustainability, and redundancy in order to serve customers more effectively over time. Thus, a lean approach to risk management fits within my company’s broader philosophy about nonprofits. Nonprofits need to be there for the long haul. It helps no one for nonprofits to run on a shoestring. The best risk management involves sustained investment in the training and support of a nonprofit team.
So now that you understand what we’re talking about in these essays, we will move on to why risk management is important — in our next essay, scheduled for two weeks from today.