What can a 30-year veteran of nonprofit management in New York City teach us about risk management? A lot. We can now share that insight with you.

Michael Zisser recently retired from his position as CEO of University Settlement and The Door, which help more than 40,000 vulnerable New York City residents with basic social services. University Settlement started more than 130 years ago, and currently has more than $11 million in assets and annual revenues of more than $25 million.

After the sudden and spectacular collapse of Federation Employment & Guidance Service in 2015, New York’s Human Services Council convened a working group to evaluate what went wrong and provide recommendations to the nonprofit community and government. Zisser was asked to serve on that working group, and he focused on internal controls and risk management.

As part of that focus, in April 2015 Zisser circulated a short, incisive email about nonprofit risk management. Zisser’s email is reproduced here in italics in its entirety and without any edits. It’s worth a close read.

(1) Very few managers of non-profit human service organizations  have studied the concept of risk in any professional or educational context, so this subject has remained primarily “self-taught.” These issues could be taught, either in various graduate programs or on the job or in some other forums, but it is not in our culture to always be asking, “what are all the things which could go wrong in any given decision or situation[?]”

(2) Risk analysis could cover some or all of the following topics: (a) the financial and program implications of performance based contracting where the full value of a contract can be achieved only under certain conditions, even if the contract obligates the provider to budget as if 100% funding will be received; (b) lease obligations as a longitudinal risk with no audit requirement other than aggregate liability over time and with no requirement to document off-setting income sources to cover the lease obligation; (c) potential for Medicaid or other third-party payments or reimbursements at less than 100% of submittals for various legitimate or other reasons; (d) failure to set up in the fiscal record keeping system  a set of “funded” liabilities to cover likely or projected losses or obligations, including but not limited to Medicaid non-payments, accrued vacation, possible anticipated or unanticipated layoff or severance packages, retirement packages for senior executives, etc.; (e) facility or maintenance emergency issues, or possibly known facility expenses not covered by current income; (f) pay down of interest on use of a line of credit; etc.

(3) Non-profit organizations sign on to contracts irrespective of the potential risks because they have to, are tempted, want to grow, think they are mission related, don’t care if they are or are not mission related, are pressed by Boards or leaders or some other interested stakeholder, or fear for their survival and future standing in a competitive environment.  Careful analysis of the rationale for signing contracts is rare. Most contracts are non-negotiable and many lawyers would probably advise nonprofits against signing any government contract….except that we have no choice.  NO contract in our sector is created between equals, very few are designed to be fully loaded as to cost reimbursement. Such is the reality of our sector. Or, to paraphrase Oscar Wilde, we can resist anything but temptation.

(4) It is not clear who within an organization needs to understand risk analysis in its various forms. Which staff should be knowledgeable or responsible? Is it built in to an organizational culture? Do Boards understood the differences and similarities of risk in the for profit and non-profits worlds (or, even, in personal lives)? There are no direct questions regarding risk which are asked in ANY of the legal documents which non-profits are obligated to complete, nor are they part of most strategic plans. At the least, top staff leadership (fiscal, administrative and program) must know something, as should selected Board members. Audit firms can be asked to provide this service. Most strategic planning firms, even the expensive ones are not, in my opinion, especially helpful here except in a formula-driven way. But nothing here is especially challenging.

(5) There is nothing worse in our world than a risk averse organization, or risk averse staff or risk averse Board leadership. There is nothing better than an organization or leadership reasonably well prepared to manage risk when it occurs. (Note: Reminder, very few leaders understand risk in making key decisions, and most Boards do not have the sophistication to consider risk in key areas of concern. Lawyers on Boards do not help since they are uniformly risk averse.)

(6) Little or no venture capital funding is available in our sector to take even modest risks. The few exceptions are small scale or too expensive to access. We have no non-profit versions of private equity firms or investment banks. Most non-profits are severally under-capitalized, which means that taking risks is very risky, even if necessary.

(7) Endowments or reserve funds, where they exist, are primarily targeted to supporting on-going operations as common practice, a risky concept in itself and not supportive of an entrepreneurial enterprise. Boards may, in fact, be criticized if they engage in risky ventures and actually lose resources, which should be considered a possible outcome.

(8) There is no real way to protect against internal fraud (a key risk category) other than strict internal controls, and these are always vulnerable. Insurance is one answer, but many non-profits are probably either under-insured or are missing certain types of coverage.

(9) There is NO way to protect an organization from the risk of incompetent, dangerous, dishonest, or even nice people who can hurt the organization in ways hard to imagine. And, unfortunately, it is too often part of our culture to be hesitant in removing, criticizing or correcting such people.

(10) Denial of the possibility or existence of risk is pervasive, and at some point, not resolvable. Leaders are not praised or rewarded for taking on or resolving risk situations (unless they’re in the private sector).

(11) Reputational risk is, for most of us, the scariest issue. A good reputation can take years to build and seconds to lose.

HCS’s task force resulted in a research report and was instrumental in moving New York City nonprofits and support organizations to develop Ahead of the Curve, a working group that has been building risk management awareness and capacity in the City. After Ahead of the Curve held a symposium in September 2016, the Support Center published a report that we have cited on numerous occasions.