Now more than ever, if you don’t have a strong risk management process, your nonprofit is in peril. But there is hope. In this series, we’re going to explain why and how, step by step.
Make no mistake: nonprofits are critical to our communities
It’s hard to overestimate the economic impact of nonprofits in the United States:
- In 2013, nonprofits provided 5.4 percent of the US gross domestic product—a total of $905.9 billion.
- Nonprofits employed approximately 13.5 million paid workers in 2007. Counting volunteer hours, “the nonprofit sector employed 18 million full-time equivalent workers, making it “the largest workforce of any US industry.” (Salamon 2012.) That makes the nonprofit sector “larger than construction, larger than finance and insurance, even larger than retail trade and all of the branches of manufacturing combined.” (Id.)
- Nonprofits comprise half the nation’s hospitals, almost half the institutions of higher education, close to 80 percent of vocational rehabilitation facilities, approximately 80 percent of daycares, almost all operas and orchestras, one out of every five nursing homes, and about one-third of private clinics and home health care facilities. (Id.)
Impressive as those figures are, they understate the importance of nonprofits. Nonprofits often provide essential goods and services for those who are most at risk. They address the needs of those who, because of age, health, socioeconomic status, or power relationships, cannot operate effectively on their own in our economy. If our economy is an engine, nonprofits are a vital lubricant. Nonprofits reduce friction, helping the otherwise sharp edges of society function more productively.
Nonprofits face a risk conundrum
Nonprofits work in highly risky contexts, but funders, board members, and government watchdogs expect nonprofits to be risk-averse. Nonprofits know they should adopt risk management, but don’t know when or how. Nonprofits see other industries implementing risk management but find little guidance about how to adapt those same principles to their sector.
Nonprofit leaders are always a single tweet away from disaster. You are one disgruntled employee or dissatisfied client away from a lawsuit. One compliance slip-up away from losing grant funding. One failed training away from turning a misguided volunteer into a massive liability.
Even if you think you know where a lot of risks lurk, others hide in unexpected places throughout your organization. How engaged are your staff? How’s their morale? Are your core business processes documented so that you won’t have to start over from scratch if a critical employee leaves? Do you have solid data that says what clients actually want? Does your board actually advance and sustain the mission, or do they zig-zag between the Scylla of micromanagement and the Charybdis of disengagement?
It’s a risky business model, right? The fact is until you implement effective risk management,
- You cannot know your real priorities, because you haven’t rigorously identified and ranked your hidden threats and opportunities;
- You cannot say that you are effectively stewarding donor resources, because you don’t know whether you really should be spending those resources on higher priority items;
- You imperil the health, safety, wellbeing, development, and engagement of your employees because you have not confirmed whether you are adequately identifying and responding to threats in the workplace;
- You jeopardize your service population, exposing beneficiaries to unwarranted dangers; and
- You risk your mission because you have not applied a proven program for early warning and response to potential challenges.
Nonprofits strive for sustainability, growth, and responsiveness. Relatively few, however, have adopted one of the most powerful tools for improving resilience and agility: risk management. Our continuing survey research from nonprofits in many communities across the United States shows that few nonprofits have robust risk management processes. Nonprofit leaders may have read that nonprofits should adopt risk management processes and programs (Mintz, 2012; O’Rourke, 2013; Leonberger, 2017). Yet they don’t want to head down a path that will impose additional burdens and create more anxiety for themselves and their overworked and underpaid teams.
Nonprofit leaders have options—but only one of them makes sense
In the face of these challenges, if you’re a nonprofit leader, you have a few options.
- You could try doing nothing. That just takes you one step closer to disaster. A year from now, you will be at this crossroads again—maybe with worse facts.
- You could go to an accounting firm or law firm looking for risk management training. But accounting firms are likely to focus only on financial risks, so ask yourself whether they have the expertise to help you in all the other areas of your nonprofit—operations, IT, talent and reputation management, and so on. Law firms have the same limitations. Law firms document business transactions and bring and defend lawsuits, but that doesn’t qualify them as competent risk management support. (Also, if you hired an accounting firm or law firm, who would actually be doing your work? Would it be a partner with expertise and experience or a more junior member of the firm who’s using your engagement for on-the-job training?)
- You could search—for a long, long time—for someone who can provide you with tools you can use today to start making a difference. Or,
- You could read this series.
This series can change your nonprofit for the better, forever
This series of articles aims to provide another path. By the end of this series, you will understand that risk management is a proven source of sustainability and growth. Furthermore, you will have the tools to begin using risk management to improve your organization.
Who should read this series?
We write these articles principally for nonprofit staffs and boards of directors. You face increasingly rigorous and unpredictable standards of care. You need to understand how to use risk management principles to protect and advance your operations.
We also write these posts for funders. When funders place their resources in the hands of a nonprofit, they need to be confident that the investment is sound. A nonprofit without adequate risk management is flying blind. Funders have no reasonable expectation that such a nonprofit understands its real priorities or will use donated resources effectively. As we will explain in this series (based on our original research), although funders are worried about nonprofit risk management, they don’t have a shared vocabulary for discussing risk management issues with grantees. Foundations and other donors need to inform themselves about emerging risk management principles so that they can ensure that their target investments are using those principles effectively.
Finally, we write this series for nonprofit advisers. Attorneys, accountants, and bankers need to be aware of whether their clients are protecting themselves from emerging threats and preparing themselves to seize emerging opportunities. Consultants providing organizational development, leadership training, strategic planning services, or other advice need to consider how those efforts interact with the risk management function. Advisors and consultants can achieve substantial synergies by becoming more aware of what risk management is, why it is essential, how it improves operations, and how to implement it.
Let’s start with a common vocabulary
If we are going to go on a lean risk management journey together, we need to know what those terms mean. So let’s take the phrase apart, starting with the base of “risk management.”
What is risk management?
Risk management is a commitment to a regular process of gathering credible information about the threats and opportunities in order to manage the risks faced by an organization. Each element of that definition is important.
- Risk management involves commitment. It is not sporadic, and it is not something that merely percolates up spontaneously from below within an organization. Risk management requires a commitment by senior leadership to become aware of risks and to use that awareness in decision-making.
- Risk management involves a process. It is not a static activity. One doesn’t “do” risk management once, in an exercise, and never revisit it. Instead, risk management involves a dynamic series of actions or steps involving the adoption of systems, controls, policies, and procedures, then periodically evaluating those steps to achieve better results. But don’t be intimidated. Risk management does not require enormous effort. In fact, over time, risk management saves resources.
- Risk management involves information. Individually we are imperfect gatherers or interpreters of information. Yet, by gathering diverse viewpoints, considering additional sources, and systematizing the way we evaluate, we can accomplish tremendous feats of analysis.
- Finally, risk management involves management. This element emphasizes the ongoing nature of effective risk management. An organization commits to the process. It identifies threats and opportunities. It prioritizes. It takes action. And then, it assesses the results and begins again.
Risk management is not a doctrine of fear. It is a method of empowerment. Taking action is part of any business, and any action brings risk. Standing still is also risky: the most dangerous act is hesitation in the face of a compelling need for change. Risk management allows an organization to act with increased confidence and resolve, aware of threats, and alert to opportunities.
As we will describe in detail later, the tools of risk management are simple. An organization begins with a “risk inventory,” during which team members identify threats and opportunities across the entire range of nonprofit functions. A nonprofit that implements the lessons within this series will have a measurably greater awareness of the context in which it operates and its organizational strengths and weaknesses.
This inventory results in a “risk register“—a prioritized punch list of high-value threats and opportunities to be addressed, including a description of the risk, who “owns” that risk within the organization, what the next step is, and when the organization should check back about that risk. This tool can become a standard part of staff meetings and a foundation for planning and operations. These first two elements of risk management have a substantial return on investment:
- Clarity, as the organization, for the first time, understands the range of threats and opportunities it faces.
- Identification of low-hanging fruit, as the nonprofit finds threats and opportunities that they can address with little expenditure and enormous potential return.
- Engagement, as team members feel rewarded for speaking up to identify threats and opportunities.
- Buy-in, as staff develops a greater appreciation of the interrelationship of different functions within the nonprofit.
- A solid basis for short-term actions, as the inventory and prioritization routines identify pressing issues.
- An equally strong foundation for long-term planning, since the nonprofit will have a greater understanding of the context in which it operates, including its current and potential reach.
Ultimately, effective risk management does not end with the risk inventory and risk register. Thus, this series will continue by explaining how a nonprofit must incorporate a “risk cycle” into its operations, feeding the ongoing risk management process through team meetings, staff meetings, periodic evaluations, and feedback loops. Using this risk cycle, the nonprofit begins a routine of identifying and prioritizing risks, then responding, then evaluating and improving over time.
In the next segment of this series, we will describe how a nonprofit can respond to particular risks. An organization has five basic approaches. First, it may define and research a risk to make sure staff know what they are actually focusing on. For “positive” risks—opportunities—the organization should develop the opportunity, ordinarily using a pilot program. For “negative” risks—threats—the nonprofit has three options. It can try to avoid such risks by creating policies and procedures that steer clear of peril. It can reduce (or mitigate) the threat by taking steps that decrease the likelihood of the danger happening, minimize its impact if it happens, or create early warning signals that provide lag time between awareness of the threat and its full manifestation. Finally, it can shift that risk to others using contracts, joint ventures, or insurance.
What should an organization do after identifying, prioritizing, and responding to risks? A nonprofit cannot live without risk—indeed, it doesn’t want to. Nonprofits must accept some risk to function within the sector. Thus, one aspect of risk management requires monitoring residual risk.
But monitoring is not a passive process. On the contrary, an organization must periodically assess how its responses to identify threats and opportunities are working out. It can strive to improve its operations to be more efficient and productive over time. And finally, an organization can turn the risk management process into a risk cycle.
Thus, we will describe how a nonprofit can raise risk management issues during everyday operations. We will also detail how a nonprofit can supplement its risk identification process by building in feedback loops for employees, end-users of services, and other stakeholders. The ultimate goal is to bake risk awareness and risk agility into every aspect of the nonprofit. Throughout this part of the series, we will explain how lean management insights, which emphasize continuous process improvement, can bolster the effectiveness of risk management efforts.
We will then turn to what we call the “meta-cycle” of risk management, which involves the board of directors. Nonprofit boards have a limited but critical role in risk management. We will describe the board’s role and provide tools that nonprofits can use to raise board awareness of risk management and energize the board to accomplish its tasks.
After providing a timeline for implementation, we will discuss standard objections to adopting a risk management program. These include cost, competing priorities, employee resistance, “cultural” factors within the organization, fear of what a nonprofit may uncover, and worries about the burden if the nonprofit adds risk management as an overlay on operations. We hope to show why those objections are meritless.
What is “lean”?
In this series, we will also explain that risk management goes hand in hand with “continuous process improvement,” a term popularized by the “lean management” movement. “Lean” arose out of work by Toyota Motor Company to do more with less during the early years after World War II, when the company faced challenges while trying to compete with US auto manufacturers. Over time, Toyota came to emphasize empowerment on the shop floor, coupled with rigorous discipline to provide the maximum value to customers with a minimum of waste.
When Toyota caught up with and then surpassed US auto manufacturers in the early 1980s, academics and business leaders began evaluating and documenting what made Toyota different. (Womack et al. 1990). John Krafcik first referred to these practices as “lean” in 1988. (Krafcik 1988.) Since then, lean practices have spread not only within manufacturing but also throughout service industries. (George 2003.) As Jon Miller and his co-authors put it, lean businesses strive to advance “a set of core beliefs, including . . . engaging the total workforce, servant leadership, visualization of the real condition of things, respect for people, appreciation for standards, scientific problem-solving, alignment of purpose not only with customers but also with broad stakeholders, curiosity, humility, and a view to the long term.” (Miller et al. 2014.)
Why “lean risk management”?
We advocate a “lean” risk management approach for six reasons.
First, when correctly performed, risk management is incremental and iterative. You complete a cycle, then check to see how the system responds. You don’t devote an enormous amount of resources initially. Instead, you take it one step at a time. This incremental, data-driven approach is the essence of lean. When we train on risk management, we emphasize this test and assess approach.
Second, risk management is not a senior management job. Instead, it involves energizing an entire workforce to identify and deal with risks as a part of everyday operations. The lean in lean risk management emphasizes shared accountability and staff empowerment.
Third, as in lean, a relentless focus on the customer should drive every risk management decision. How do we know what the customer wants? What exactly do we offer? How do we provide that value? What factors impede our delivery of value to the customer? What opportunities may improve our performance? These “value stream” questions, drawn from lean, provide persuasive rubrics to guide risk management decisions.
Fourth, most threats and opportunities are internal to organizations. By training to become radically aware of a nonprofit’s challenges, then taking measurable, incremental steps in response to those risks, organizations can achieve remarkable transformations. Lean management principles, methods, and tools provide detailed guidance for continuous process improvement.
Fifth, “lean” philosophy emphasizes customer focus and continuous improvement to provide what the customer wants, when he or she wants it, with a minimum of waste. Given that nonprofits always need to do more with less, lean principles and methods provide a reasoned basis for nonprofit operations.
But finally, and just as significant, “lean” emphasizes investments in resilience, sustainability, and redundancy to serve clients and communities more effectively over time. Thus, a lean approach to risk management fits within a broader philosophy about nonprofits. Nonprofits need to be there for the long haul. It helps no one for nonprofits to run on a shoestring. The best risk management involves sustained investment in the training and support of a nonprofit team. Lean risk management is all about building better nonprofits.
So now that you understand what we’re talking about, do you want the rest? If so, sign up for the entire series for free below: