Nonprofit risk management involves being honest about what is going on, then taking the next reasonable step in response to that reality. In prior posts, we explained how to become honest — by adopting core commitments, developing a timeline for progress, and performing a risk inventory. Now we turn to taking the next reasonable step, which is a matter of prioritization. A solid risk inventory exercise will ordinarily identify somewhere between 50 and 100 threats and opportunities across all nonprofit functions. This post will explain how to move forward with that list. In particular, it will explain who should be involved in prioritizing risks, how to prioritize, and what to do with the results.

Whose Priorities Are They? The Dialectic Among Board, Executive Director, and Staff

In a sole proprietorship or closely-held corporation, the question of who determines priorities is relatively simple. The organization exists to make money for its owners, and its owners determine the organization’s priorities. In most small businesses, the owners are closely associated with day-to-day decisions. The owners may delegate prioritization to one of their members. They may hire someone (a manager or CEO) to make such decisions. Whatever the precise details, however, operational and strategic priorities are determined by and on behalf of the owners.

In a nonprofit, however, the question is more nuanced. Technically, as a matter of nonprofit law, “the organization” decides who weighs in and who makes the ultimate decisions about what is important. “The organization” speaks ultimately through its Board of Directors, which then delegates execution of the organization’s tasks to a CEO or Executive Director. Thus, ultimately, setting priorities is a matter for the Board of Directors.

Yet, when considering nonprofit realities, having the Board be initially and principally responsible for prioritization is unrealistic. Members of nonprofit Boards are volunteers: they are unpaid, and they generally do not put much time into their director activities. The Executive Director knows dramatically more about the nonprofit than any single Board member, and probably knows more about the organization and its activities than all of the Board members together. The Executive Director and his or her staff are dramatically more engaged than the Board in everyday operations. Staff will ordinarily be more aware of the social, community, political, and economic environment relevant to the nonprofit. Thus, in a very real sense, the staff is much more competent than the Board when determining priorities.

When beginning nonprofit risk management, therefore, we advise the following process for prioritizing issues.

  1. Staff First. Initially, prioritization is a staff function. Staff knows operations, and the staff is aware of the environment in which the nonprofit acts. If “the staff” decides initial priorities, however, what does that mean? Ultimately, the Executive Director executes organizational objectives. She ultimately decides. But no Executive Director has visibility into all the issues within her organization. Furthermore, in some cases the Executive Director may be one of the “issues” facing the organization. For instance, succession planning implicates the Executive Director. Personnel issues often implicate the Executive Director. Management style may be an identifiable risk for an organization. Thus, having the Executive Director determine priorities on her own is dangerous. As a result, when the organization completes its first risk inventory, the same team of staff members who took the inventory should participate in the prioritization exercise described below.
  2. Share with Board through Executive Director. After the initial risk inventory results in a set of priorities, with certain priorities at the top, the results should be shared with the Board. At that point, the Board should exercise its reasonable, informed business judgment to determine whether those priorities are appropriate. In doing so, the Board should probe the Executive Director about the factual basis for the prioritization. At the same time, the Board should recognize that this inquiry is not an invitation to micromanage. The organization hired the Executive Director to execute on organizational priorities. Execution is not a Board activity. Indeed, Frederick Funston and Stephen Wagner capture the Board/Executive Director dialectic perfectly when they advise, “Nose in, hands off.” The Board should be inquisitive, even skeptical, but it should leave the operational details and execution to the Executive Director and his or her staff.
  3. Develop Dialectic, Mediated by Executive Director. Over time, of course, priorities may change. As the organization begins to work on various threats and opportunities, some will decrease in priority, while new issues arise. Staff, through the Executive Director, will keep the Board informed of such changes, and the Board should weigh in periodically about whether the priorities match the overall direction of the organization. Furthermore, the Board may engage in an informed strategic planning process that modifies operational priorities. You want a healthy push and pull over risk prioritization.

 

A Simple Method for Prioritization

There are lots of ways to prioritize among competing issues. We prefer simplicity. As a result, we recommend the following process. After meeting to discuss the results of the risk inventory, each staff participant should take the following steps.

  1. Each staff member who participated in the risk inventory exercise receives a copy of the results of the exercise — that is, a list of the 100 or so items the team listed as potential threats or opportunities.
  2. Each participant is allocated 50 points.
  3. Each participant allocates those 50 points however she wants. She can allocate 50 points to one risk, one point to 50 items, or any division in between.
  4. Each participant performs this activity on her own. This is important. We want independent assessments.
  5. After each participant allocates her points, the results are tallied in a master document.

When deciding how to allocate points among various risks, each participant should consider three factors: likelihood, magnitude, and speed of onset. In other words:

  • How likely is this risk to manifest?
  • If this risk manifests, how large an impact would it have on the organization?
  • If this risk manifests, how much time would the organization have between first noticing the manifestation and bearing the full impact of the risk? In other words, what is the risk’s lead time?

Plainly, the process just described is subjective. Large organizations can spend millions of dollars answering such questions. Almost no nonprofit (except higher-end educational and medical institutions) has the resources to answer any of the questions of likelihood, magnitude, and speed of onset with accuracy and precision. Yet this methodology allows a team to provide substantial insight into the felt needs of the organization.

What Next – Toward the Risk Register

After the team participants perform their prioritizations, the Executive Director should review the results. She may want to go back and inquire from certain participants why they identified certain risks and why they voted their points as they did. She will undoubtedly know many of the risks, but she will have some surprises, as well.

At that point, the Executive Director should assign priorities based on her informed judgment. She should rank some items 1, others 2, and so forth, using a 5-point scale. The most important items — say, the first 25 or so — are placed in a risk register (described in our next Lean Risk Management post). That document will guide operational and strategic decisions for the organization. She will share portions of the risk register with the Board, as noted above.