Chapter 2
Getting Started with Enterprise Risk Management

One reason we wrote The Nonprofit Risk Book is to take the guesswork out of what should be standard management practice within all nonprofits and NGOs. Once we started untangling the lessons learned from high profile nonprofit closures, we concluded that what seemed like a basic management tool was absent too often to be a simple oversight. We returned again and again to the operating reality of most nonprofits and NGOs—that leaders throughout the sector have their hands and plates full. There is seemingly no time in these lean organizations to hunt down hidden problems... until a crisis or tragedy strikes. The idea of this book is to help you build a risk management program and toolkit that prevents you from having to learn lessons the hard way.

This chapter begins with a focused examination of Enterprise Risk Management (ERM) and goes deeper into the discussion of nonprofit risk assessment and how to locate and understand specific risks in your organization. At the end of this chapter, you will be able to identify risks in your organization and complete a risk assessment using a paper or online app template. These activities will contribute to the development of an ERM plan using tools discussed later in Chapter 3.

Defining Enterprise Risk Management

Broadly speaking, risk is the possibility of something bad happening. When it comes to risk, we try our best to avoid it whenever possible. When we can’t avoid it, we try to manage it—like carrying an umbrella on days when rain is predicted. Risk avoidance and management is something we learn to do as individuals, but it also is something nonprofit leaders do for their organizations. A holistic approach to risk management across all organization operations is called enterprise risk management (ERM).

Enterprise risk management isn’t just about risk. ERM improves decision-making and day-to-day operations. It’s also about performance and strategy. It enhances an organization’s effectiveness by linking mission to action. In pursuing its mission, every nonprofit or NGO operates in an environment of uncertainty where things are never completely known. Enterprise risk management allows an organization to balance uncertainty and exposure. Enterprise risk management planning will help you answer several important questions, such as:

What is our organization’s appetite for risk?

How much risk can our organization handle?

What is the best way for us to reduce risk?

Do we have the right people to handle risk?

How will we know that we’ve eliminated or reduced the potential impact of a risk event or a cluster of risk events?

Nonprofit Enterprise Risk Management Defined

Enterprise risk management for nonprofits and NGOs is defined as an approach that enables an organization to reach its strategic goals by reducing uncertainty, vulnerability, and exposure to events and activities that divert attention and resources away from its purpose and mission.

Getting Started with Enterprise Risk Management

Recognizing and managing risk is different than managing strategy. Thinking about risk centers on negative threats and failures versus a strategic focus on opportunities and successes. It is a counterintuitive mental model for most nonprofit leaders. In general, risk is hard to discuss because people tend to overestimate their ability to control life events that are actually controlled by chance. Behavioral scientists have found that people are inclined to be overconfident about their ability to predict risk, yet lack the ability to predict the full range of outcomes that can occur. There is a tendency to extrapolate from recent experience and apply this understanding and perception to an uncertain future. This confirmation bias drives us to favor information that supports our position and to discount information that challenges or contradicts this viewpoint. It becomes even more challenging when an event diverges from expectations, because most people escalate and cling tighter to their views and commitments.

These biases play out in an organization’s inability to talk about and explore mistakes and failures without judgment. The uncertainty with which most nonprofits operate and the human inclination to confirmation bias explains why leaders and organizations often overlook, discount, and delay action on emerging risks. Early warnings often come as ambiguous smoke signals and symptoms that suggest that something is amiss. Early warnings investigated and resolved differentiate false alarms from critical alerts.

Enterprise risk management is a disciplined way of dealing with uncertainty and threats. It creates an awareness that helps organizations identify and control risks. As a way of thinking and acting, risk management requires cultural and organizational discipline in the form of management processes and policies. By codifying performance expectations in rules and preferred actions, an organization’s policies and business processes enable staff to cope with uncertainty. By strengthening business processes and policies, leaders are able to prevent lapses, promote quality and protect vital resources. ERM provides a framework for identifying risks and deciding what to do about them and in what priority. Because risk is ever present in all nonprofits and NGOs, risk identification, assessment, and mitigation planning should be integrated into all aspects of organization activity.

A guiding framework for recognizing and acting on risks might look like this:

Step 1. Look for risks by asking what could go wrong in the future and what has gone wrong in the past in the organization and in similar organizations. In what ways is the organization vulnerable to risk? Could these risks recur?

Step 2. Consider the ways risks could affect the organization and where these risks would hit hardest within the organization. Use scenarios to stress test operations. What risks should be prioritized and handled first?

Step 3. Consider ways to control risk and risk reducing mitigation actions that could be taken. What are we prepared to do or change in order to reduce risk? What capacity and resources can be deployed to address risk?

Step 4. How will we knit together our risk mitigation efforts to make an ERM program and plan? How will we integrate ERM activities into our other quality improvement and performance management activities? Who should be involved in developing and implementing solutions?

Teeing Up the ERM Planning Process

There are three stages of any ERM planning process: Readiness and Rollout, Risk Identification and Assessment, and Risk Mitigation Plan Development and Monitoring. We describe these three distinct stages in Figure 2.1, which flows sequentially to make the process easy to follow. In practice, the stages can overlap.

Figure 2.1: ERM Process Overview

Let’s take the stages one by one.

Readiness and rollout. This is the process of raising awareness, getting ready, and rolling out ERM. Getting staff and board members to focus may be the most difficult part of the process. This book offers useful guidance to motivate people and help you work through organizational resistance.

Risk identification and assessment. This is the process of identifying and analyzing risks that can harm your organization. This book helps you identify areas of vulnerability and risk within your organization and in the external operating environment. It also offers a framework to help you decide which risks are most important and how to prioritize them.

Risk mitigation plan development and monitoring. This is the process of combining your priority risks with planned actions to resolve them and building a protocol to monitor progress. This book offers templates to help you determine your organization’s risks, establish priorities, and design a risk mitigation plan.

Along with the staging of the ERM planning process, there are also important considerations about who will lead the process and how long it will take. Setting up an ERM planning process for the first time can be challenging. Some nonprofit organizations choose to manage the ERM planning process with existing staff. Others prefer to bring in a consultant to organize and facilitate the process. In either case, naming a project manager is essential. Ideally, the project manager is a well-respected staff member who knows the organization and is known for getting things done. Whenever possible, establishing an ERM Planning Team to work hand-in-hand with the Project Manager is desirable. Project planning software that links activities and deadlines can help organize the work and work assignments.

Another consideration in the ERM process is the amount of time it will take to complete and implement the ERM plan. The biggest factor in estimating the timeline for an ERM project is the organization’s size and the complexity of its operations. A small organization staffed by volunteers that operates several programs or runs a single annual event (for example, one concert plus a half-dozen classroom music programs, a workshop for young composers, and two fundraisers a year) may need a longer timeframe to complete the ERM than a nonprofit organization of similar size staffed by paid employees. Similarly, a large multi-service, multi-site organization that relies on a mix of paid staff and volunteers may need several months to complete its ERM plan.

You should expect each stage of the ERM planning process to take several full days (up to 21 hours) that are spread out over the course of a 6–12-week period. Some experts believe you can do a rudimentary ERM plan in one full day session. What matters most is that you give yourself and your team clear direction on the task and enough time away from daily activities to observe and reflect. You should plan to build in a minimum of one meeting at each stage for discussion about findings and to make decisions about future actions and next steps.

Stage 1. Readiness and Rollout

All ERM programs start with a frank assessment of organization structure, culture, and capabilities. An organization’s culture is expressed through its activities and performance. It is expressed in what staff, managers, and leaders say and do, how they do it, and what they strive to do. Organization capabilities are the unique combination of talent and resources available to deliver on an organization’s mission. How the organization delivers its services and organizes itself to get its work done will shape the ERM process.

Smart leaders know that complacency is the enemy of organizational effectiveness. They know that it corrodes culture, alienates clients and staff, and stifles curiosity. For ERM to work, leaders need to value problem solving and build a culture that values learning and testing new ways to solve old problems.

Smart leaders can forecast opportunities on the horizon and the possibility of something going wrong. They know that some risks are worth taking, while others could prove disastrous for their organization. They know that there is no way to avoid risk and they understand that taking risks is vital for impact. An effective ERM process requires leaders to know their own appetite for risk and the risk tolerance limits of their boards and organization.

Step 1. Taking Stock of Your Organization and Its Readiness for ERM

As you begin thinking about introducing ERM to your organization, you will want to take stock of your organization’s readiness to engage in this kind of focused effort (Figure 2.2). It helps to think through questions that will allow you to gauge how open or prepared your board and staff members are for a deep dive into the mechanics of your organization’s operations. Start by thinking about your organization’s legal structure and its life cycle, culture, and experience with planning. Here are some questions to consider: Are we a start-up or legacy organization or something in-between? Do we have an annual goals document developed with board, department, and program managers and staff? Have we implemented a strategic or business plan successfully before? Are board and staff comfortable working across departments, programs, and divisions? Are we an internally-facing organization making management hires and promotions from within? Are staff members comfortable with accountability and performance expectations? Are we comfortable talking about risk and mistakes? How receptive is our organization to change?

Figure 2.2: Readiness and rollout

Here are some additional questions to consider at the beginning of your ERM planning process.

Organization structure. How is your organization structured? Are you an association, network, or federation? Do you have subsidiaries? Do you have a single administrative entity and one set of policies, or are affiliates managing their own back office and setting their own policies? Are your activities housed in one office or are your operations spread out across locations? Are liabilities shared by the organization or held by affiliates?

Governance structure. How does your board of directors operate? Are roles and responsibilities formalized and are bylaws up to date? Are terms of office specified or open? Do you operate with active board committees or an executive committee?

Management structure. How does the organization operate? Do you have a strong executive or a management team approach? Is your management hierarchy—reporting lines, span of control, roles and responsibilities, and decision-making authority—clearly delineated or fluid? Do staff and volunteers know what their responsibilities are and to whom they report?

Business model. What services do you provide and how do you deliver and pay for them? Do you provide a single service or are you a multi-service organization? Do you hold government contracts or receive government funding? Are you privately funded for all or part of your work? Do you monitor program quality or performance? Are you staffed by employees, volunteers, or independent contractors? Do you operate in a single or across multiple jurisdictions?

Why Do a Readiness Assessment?

Investing time and resources in risk signals a shift in perspective at the top of the organization. Preparing for ERM planning begins the critical process of heightening the risk awareness of board, managers, staff, and volunteers, as well as your funders, government partners, and vendors. Getting ready to do ERM planning will expose areas of vulnerability and raise staff anxiety. This will surface resistance in departments and programs that are not running as well as they could, and will generate enthusiasm in departments and programs where quality and performance improvement is highly valued. ERM establishes an expectation that the organization will begin looking for and assessing risk through focused attention and a deliberate process. It puts everyone on notice that identified risks and areas of vulnerability will be actively managed and that risks identified will be mitigated. Setting the tone at the top is key to moving forward with an organization-wide process of reflection and self-assessment around risk.

ERM readiness preparation begins with a series of questions: What are our biggest vulnerabilities and where are we most vulnerable to threats? What could possibly go wrong and how would it affect the organization? What can we do to prevent risk and what actions will we take if something bad happens?

Is the Organization Prepared to Change?

The arc of change begins with a focus on enterprise risk management and ends with new levels of accountability and improved monitoring, reporting and performance. For nonprofits and NGOs with sophisticated performance management, continuous quality improvement, or compliance processes, adding a focus on risk will feel like a continuation of work already underway. For organizations that come to ERM by way of a financial crisis, lawsuit, critical incident, or other crisis, or whose knowledge about day-to-day operations is communicated anecdotally or informally, the level of scrutiny and responsibility generated by a focused assessment of risk may be unwelcome or resisted. In either case, the change initiated by the ERM process will need to be supported and actively managed.

You’ll know that you’ve hit a pocket of resistance when discussion of risk is met with responses that include verbal or behavioral pushback:

“We don’t need this.”

“We know where our risks are.”

“We don’t want to substitute creativity and mission focus for a focus on compliance.”

“We tried this before and it didn’t work.”

“We already do this.”

“We’re overworked and cannot take on additional responsibilities.”

The starting point for ERM, like any organizational change, is to identify a handful of people who have an affinity for innovation and improvement and who instinctively look for opportunities to stretch and grow the impact of their work. A small band of ERM enthusiasts can help you prepare to bring the organization along.

When ERM is working in an organization, everyone is on the same page and feels the same level of urgency to identify, follow up and cure outstanding issues. In organizations with a robust ERM focus, there are quarterly meetings of a Board Risk or Quality Improvement Committee in addition to monthly staff-level meetings to review progress made in addressing identified risks. The board and staff greet these meetings as an opportunity to strengthen operations and practices and to improve quality and performance. When ERM is integrated seamlessly into agency operations, its full value becomes apparent.

Step 2. Find Champions and Build a Team

Thinking about your organization as the sum of its parts helps everyone take responsibility for identifying and managing risk. Engaging program, department, and division heads, managers, supervisors, front-line staff, volunteers, and boards in thinking about risk increases the likelihood that issues will be identified early. The earlier a problem is identified, the greater the chances are of resolving it before it turns into a crisis or does damage. It allows many eyes and ears to look and listen for things that could harm your organization and affect its ability to achieve its goals or do high-quality work.

The idea behind ERM is to take a comprehensive look at risk within departments, job functions, and across the entire organization. Within each functional area of operation—whether it be a program or line of business, finance, back-office administration or support —your team can assess vulnerabilities related to their job duties or areas of responsibility. You will want to establish a solution-oriented and non-judgmental environment to encourage your project manager or team to share information, be forthcoming about mistakes made, acknowledge weaknesses, and propose solutions to risks identified in their operation.

Step 3. Engage Managers, Staff, and Board in Risk Assessment

Talking about risk and how to avoid it is an essential part of enterprise risk management. Educating board officers, managers, employees, and volunteers about risk will help prevent mistakes caused by ignorance and will ground all activities in an awareness and understanding of organizational culture and ways of working. People must fully understand what they need to do, how they may do it, and what they cannot do.

Just like a focus on program quality or performance, it is important to make conversations about risk and risk awareness an everyday activity. Setting the tone at the top and reinforcing risk awareness through training, supervision, annual staff performance reviews, and in standing meetings creates a climate where managers and staff can actively engage in risk identification and assessment activities and provide regular updates as the process unfolds.

Here are four ways to communicate your commitment to better manage risk and your intention to engage all board, staff, interns, and volunteers in risk awareness and enterprise risk management activities.

Introduce the concepts of risk and risk management when you onboard new employees, interns, volunteers, and board members. Hold an orientation and provide a description of the organization’s approach to risk management in handbooks for new employees, board members, interns, and volunteers. The orientation will have a broader focus, but it should include a discussion of performance, a definition of risk, and a description of risk management activities.

Build a risk management focus into training and supervision. Provide training, annual refreshers, and regular supervision for staff, interns, and volunteers so they learn the organization’s goals, values, expectations, and desired practices. Include a discussion of risk and how to handle it as an ongoing conversation in each session.

Include risk management discussion items on standing meeting agendas. Incorporate a discussion of risk and risk management into regularly scheduled monthly or quarterly meetings with staff to help them identify risk in their areas of responsibility, discuss how risk is handled now, and create a plan for how to more effectively manage and mitigate risk.

Establish a risk committee or vest a standing committee with responsibility for monitoring risk. Include a discussion of risk and risk management at board meetings and task one board committee with responsibility for monitoring implementation of ERM plan activities. Help the board understand the organization’s risks and risk profile. Accept that like quality improvement and performance management, risk identification will be ongoing and that engaging in active governance around risk mitigation activities is important.

When beginning an ERM planning process, it is important to know that the board and senior management team are ready to commit the time needed to construct and implement the plan. Whether staff led or consultant facilitated, the board, project manager, or team selected to lead the ERM effort must set the tone at the top and ensure that the necessary risk mitigation activities outlined in your ERM plan (policies, processes, and practices) are implemented. Your organization will be well served if you convene a work group of managers, staff, and volunteers to help inform the project manager or team during ERM plan development. The configuration of team members will depend on what makes sense for your organization. It’s important to constitute an ERM planning team that spans program, administrative, financial, and back-office functions. What’s key is putting together an enthusiastic and engaged ERM team and doing the necessary preparation to communicate ERM to managers and line staff.

It’s important to consider the readiness and receptivity of staff and volunteers to the ERM process and devise a plan to address concerns, resistance, and apathy. This can be done in a kick-off meeting and through smaller department or program discussions. You can use the time to inform, educate, and raise awareness of organizational risk, why mitigation is necessary, and why ERM is everyone’s concern and responsibility.

Step 4. Frame out the Process

This book includes templates to simplify the risk assessment and mitigation plan development process. The templates are available in a paper or app format. Using these templates as guides will allow you to jump-start your ERM planning and create a first-generation plan. Over time, your team can customize or adapt the framework to meet your needs.

The templates and other guides in The Nonprofit Risk Book will help you focus your time and resources on creating an ERM plan in real time. The plan itself can be developed over a period of weeks, depending on the size of the organization and the capacity of the ERM project manager or team. Implementation and monitoring activities will typically roll out over a 6- to 9-month period and run for 12 to 18 months, depending on the plan scope and the infrastructure in place. Start the process by creating a description of the ERM process, its goals, and a timeline for your ERM planning process, and share it with your staff and board.

Stage 2. Risk Identification and Assessment

Once you’ve laid the groundwork for an ERM planning process, it’s time to identify and assess risks (Figure 2.3). Your risk assessment will identify broad categories of actual and potential risk in your organization, analyze their characteristics, and consider what could happen if these risks occur. The goal here is to identify risks or vulnerabilities that could grow into risks before they harm or interfere with the organization’s ability to do its work.

Figure 2.3: Risk Identification & Assessment

The specific goals of this phase are to:

Identify your organization’s risks and vulnerabilities and categorize them by organizational function

Determine the severity of risk

Assess the possibility of recurrence and impact of risk

Prioritize key risks needing mitigation

Consider the drivers of risk

Create a Risk List

Create a Top 10 Risk List

Develop an outline for your ERM plan

Step 1. Risk Identification

Start with a mix of general framing and specific questions to guide your thinking and begin to surface issues, patterns, or trends. This section offers four approaches you can take to identify the risks that matter for your organization.

Look for risks that affect most nonprofits. Consider common financial, programmatic, operating, and compliance risks that are frequently found in nonprofit organizations and those in your specific field. There are risks that can affect all nonprofits and risks that are specific to the kind of work you do.

Identify critical risks in your organization and flesh out your risks. Add organization-specific risks to your list. You can use the Risk Details template or the app to capture the risks you have identified.

Organize risks. Categorizing risks will help you determine priorities for mitigation and action.

Create a Top 10 Risk List. This is a quick way to engage your team in risk identification and assessment. For smaller organizations or organizations that want to begin a risk management process quickly, this may generate the risk detail you need, and you can move to Stage 3, “Building Your ERM Mitigation Plan.” For organizations taking a long view of risk management, this can be an opening exercise with your team to jump-start the process.

In this section, you will find several tools to help you organize your risk assessment activities and make sense of your findings.

Resources for Nonprofit Risk Identification

All nonprofit organizations and NGOs are required to meet certain government requirements around operations, board responsibilities and structure, financial management, and fundraising activities. These framing statutory or regulatory requirements offer a first look at possible areas of risk. US nonprofits are required to have whistle-blower protection policies that shield employees and volunteers from retaliation for reporting waste, fraud, or abuse. This includes a confidential reporting channel, investigation of the allegation, no repercussions to the reporter, and stringent document preservation and retention requirements. Additional expectations include annual conflict of interest reporting by board and staff, establishment of an audit committee, board review of the organization’s or other tax forms prior to submission, strong internal controls, and up-to-date policies, including a written investment policy, a process for setting executive compensation, handling of real estate transactions, annual independent audits with an exit conference, and making audits, tax forms, and fundraising practices available to the public. In the US, new FASB requirements will change how nonprofits do their accounting and reporting.

California, New York, the United Kingdom and other jurisdictions have stringent standards for nonprofits and charities operating there. A good starting point for your ERM plan is a frank assessment of your organization practice and compliance with national, state, regional, county, province, or local rules.

Organizations like BDO, FMA, Imagine Canada and Deloitte offer useful online resources on nonprofit and NGO risk. Other go-to resources are standard-setting organizations that focus primarily on risk in commercial enterprises. While not identical to the risks facing nonprofits or NGOs, the standards are relevant; RIMS, CGMA, and COSO raise the bar for nonprofit risk management.

The International Classification of Nonprofit Organizations (ICNPO) identifies major groupings of nonprofits and NGOs: arts, culture and recreation, health and social services, environment, development and housing, education and research, advocacy, law and politics, philanthropy, international, religious, business, and professional associations. Check out online discussions of risk and industry conferences in your specialty area to broaden the scope of your review.

Getting Started with a Top 10 List

Ask your ERM team of board members, managers, staff, and volunteers to identify risks in their areas of responsibility. You can ask them to identify a single key risk or multiple risks. If there is consensus about the risks identified, you can prioritize them and create a Top 10 list. This exercise offers an opportunity to begin talking seriously about risk. It will heighten awareness of risks across the organization and build a shared sense of responsibility for developing solutions. Smaller organizations may find that a Top 10 Risk List will take you to the limits of your organization’s resources for risk management. In this case, you can jump to Stage 3 and begin building your ERM mitigation plan outlined in Chapter 3.

Look for Common Nonprofit Risks

To get started thinking about nonprofit risk and what risk looks like in your organization, we’ve compiled a list of frequently occurring nonprofit risks. Not all nonprofits or NGOs have these vulnerabilities, but the list may prompt you to think about things to watch out for. Some of these risks are unique to nonprofits, but others occur in all kinds of businesses. Consider the list to kick-start your thinking about risks your organization may face.

Fundraising/Marketing activities

- Use of donor-restricted funds for a different purpose
- Unauthorized use of the organization name or logo
- Limited reputation management and media monitoring processes

Government audits and investigations

- Poor tracking of government contracts
- Low rating on government performance scorecards

Data protection and cyber security

- Staff using personal e-mail for work-related communications
- Data breach of client, staff, or donor personal information

Program

- Failure to maintain privacy and confidentiality
- Inappropriate contact between staff and clients/participants
- Complaints from clients/participants
- Client/Participant safety

Staffing/Personnel

- Sexual harassment
- Sleeping or intoxication on the job
- Staff turnover
- Late payment of employee benefits
- No annual Executive Director performance and compensation review

Volunteers

- Poorly defined responsibilities and blurred roles for staff and volunteers
- No background checks completed for assignments working with cash, children, youth or vulnerable adults

Financial management

- Irregular board or executive review of financials
- Poor investment returns
- Management of petty cash, purchase cards, or credit cards
- Personal use of petty cash
- Theft of funds
- Accounting practices

Facility/Space

- Workplace injuries
- Fire/safety violations
- Unused leased space
- No disaster emergency plan

Other Operations

- Theft or loss of food, supplies or equipment
- Noncompliance with charity bureau or government regulations
- Incomplete/inaccurate information on activities, finances, or operations
- No annual conflict-of-interest training
- Frequent company auto accidents
- Complaints from neighbors

Step 2. Risk Assessment

How vulnerable is your organization to risk? Identifying risk is only part of the story. You need to weigh risks to decide which are priorities and warrant immediate attention, and which could have outsize effects on your organization. In most nonprofits, risk clusters on the service and program side of the house and in the finance area. But risk is also found in other functional areas of the organization where leaders are far less likely to take note and where fewer processes are in place to identify vulnerabilities or exposure.

When moving from risk identification to risk assessment, start from what you know and what you worry about. Think about the things that keep you up at night—what we call your worry list.

What external and internal risks do you often see in your organization?

What risks have you seen or heard about in other organizations?

That risk can’t happen here… or can it?

What does your experience and data tell you about risks in your organization?

What story does the risk data tell you?

Risk assessment looks at what risks or vulnerabilities are present in the organization or its operating environment. Risk can surface in all nonprofit organizations and in any department, program, or operational function. When risk emerges, it is typically due to a breakdown, lapse, or omission in one or more of the key operating pillars of an organization. These key pillars include your people, policies, practices, business processes, and technology.

People. Do you have the right people in the right jobs? Are your programs and operations staffed by people who can perform at or above expectations in their jobs? Do you have a sufficient number of staff and supervisors to perform critical activities? How do you handle human error or mistakes? How do you supervise and support staff and volunteers to prevent fraud, collusion, inefficiency, theft, inappropriate behavior, or poor performance? Does your organization have a code of ethics and statement of values?

Policies. Are the organization’s rules and protocols formalized in writing and clearly and regularly communicated to staff, board, and recipients? How do you test for comprehension, understanding, and implementation? Are program and department manuals current and do staff members receive an orientation and annual refresher training? Do you update your policies annually to reflect current conditions, regulatory or industry changes, and new services or revenue streams? Do your policies include notification and escalation processes, internal controls, and supervisory sign-off? Do you have a risk policy?

Practices. Is practice consistent from person to person in your program, department, or division? How does your organization prepare employees and volunteers to think about risk, quality, and performance? How do you train, supervise, modify, correct, or use progressive discipline to improve performance and effectiveness and to reduce risk?

Processes. Are your business processes formalized and standardized? Do they flow from your policies? Do you have a notification and escalation process for critical information, untoward events or incidents? Does everyone understand the decision-making processes? Does your organization have a formal process for identifying, addressing, and tracking risk in each program, division, or department?

Technology. What technology solutions can you use to identify risk? Do you use automated financial management, talent management systems, electronic case records, or purchase cards? Are your data systems linked or tied to a quarterly dashboard report? How do you use the data you collect to identify areas of risk or issues to be addressed? Do you have a sensitive data inventory (where data is kept, acceptable use, records retention, encryption, security) and disaster recovery system?

In any risk assessment, the organization must evaluate an array of factors that might lead or contribute to a loss or claim or otherwise contribute to exposure.

Here are some tips to consider as you begin your risk assessment process:

You can start with a focus on programs and services or risks to clients or participants, as these are the reason your organization exists, but your enterprise risk assessment efforts cannot stop there.

Dive quickly into organizational operations asking a series of questions to assess risk awareness, risk tolerance, appetite for ERM, biggest worries (What trends are worrisome? What risks could deeply damage your organization? Where are improvements needed?), and what drives or causes risk.

Take a hard look at government contracts and other legal or regulatory requirements. Have you submitted reports, claims, or data in a timely manner? Are your operating licenses current?

Dig deep into your data reports and data system capabilities: Is your organization automated or paper-driven? How do you collect and use data? Are reports available regularly? Do all staff and board see them? Are they easy to read and understand? Is the overall data quality reliable and accurate? Does the data capture processes, activities, and deliverables? Be on the lookout for gaps, such as departments or programs with no data.

Begin noting which risks are internal or external. Does the source of risk come from your people, practices, programs, policies, technology, or organization structure or does it come from regulations, contracts, the environment or the community?

Begin thinking about the likelihood and impact of the risks you’ve identified. For each identified risk, consider whether it's an ongoing vulnerability. Consider the degree of harm the risk could cause.

Identify and Flesh Out Your Risks

Once you’ve considered risks that typically affect nonprofits and NGOs, turn your focus to the risks in your own organization. Ask your division heads, department heads, and program managers to identify key risks in their areas of responsibility. They should look to their own staff, operations, and activities to uncover current or potential risks. Encourage them to follow smoke signals—hints that something is amiss. They should work from experience to identify risks that threaten to derail their operations and add details to flesh out the categories and dimensions of risk discussed briefly in Chapter 1.

Organize risks by grouping them into categories that reflect functional areas of operations.

Assess the likelihood of occurrence, recurrence, and impact a risk would have on operations.

Determine the severity and mix of risks.

Look for places where risks cluster.

Determine the likely cause or driver of the risk.

Think about the capacity and resources needed to address and resolve the risk.

The Risk Matrix model and the Risk Detail template and app are easy-to-use tools to help you identify and flesh out your risks.

Step 3. Organize and Describe Risks

Create a taxonomy to categorize your organization’s risk by function, department, division, and program. Remember that risk occurs in all corners of nonprofit and NGO operations. Use the taxonomy to group similar risks under a single broad operational category. Look for risk in obvious and less obvious places. A standard nonprofit risk taxonomy covers all nonprofit operations and activities.

Governance

Programs and Staffing

Volunteers

Financial Management

Fundraising

Communications

Environmental/Community

Technology

Facilities

Operations/Administration

Throughout the book, we use the functional areas above as categories to illustrate where risks occur and how risk can emerge. There is a chapter dedicated to risks and risk considerations for each functional area.

To understand the origin of risk, your organization will engage in an exercise to pinpoint causal factors. The underlying factors that interact to create risk or the conditions in which risk can grow are called drivers. Use the five organizational pillars described previously in Step 2 (Risk Assessment) of this chapter as a framework to explore the forces that cause or restrain risk in your organization.

Policy. Does the risk come from rules governing agency operations?

People. Does the risk come from people and practice? Does it come from poor communication, limited supervision, weak feedback loops, or limited monitoring?

Process. Does the risk come from business processes or protocols?

Technology. Does the risk come from poor data quality, lack of information and analytic capacity, or hardware issues?

Structure. Does the risk come from the organization of departments and functions, or from the management and supervisory hierarchy?

There are three other considerations that enrich understanding about the nature and importance of risk in nonprofits and NGOs: location, recurrence, and capacity to cure. Each of these considerations fleshes out your understanding of risk in your organization. They shed light on the dark corners of hidden or poorly understood risk to help you better understand what it will take to prevent or mitigate risk in your organization.

Pinpoint the location of risk. Where did the risk occur or where is it likely to occur? What do you know about the program or department in which the risk occurred?

Determine the department or program capacity to resolve the identified risk. What staff and other resources might be necessary to reduce risk?

Determine whether you have identified an organization-wide risk, a single risk event, or a cluster of risks.

Has the identified risk happened in one program, service, or department, or is it occurring or likely to occur in more than one location?

Does the identified risk have a history or has it occurred before?

Is it likely the risk will reoccur?

Tools for Risk Assessment

As we considered nonprofit risk, we wanted to develop an approach to ERM that would take the guesswork out of risk identification and assessment and put easy-to-use tools within reach for nonprofit leaders pressed for time. This section provides one model and two tools that you can use to make your own risk list and capture assessment detail and priority decisions. There are two primary tools for risk assessment: the Risk Details tool and the likelihood/impact matrix. You can use these tools from a paper template (Figure 2.4) or with an app like The Nonprofit Risk App (Figure 2.5).

Both on paper and in the app, you start with your risk list. On paper, you can populate the template with your list of risks and vulnerabilities, as shown in Figure 2.4. You may want to start thinking about a Top Ten list of risks now. As you see in the form on Figure 2.4, you can list your risks in two columns where the first column includes a top 10 list for high priority risks. You can add columns as you need them.

In the app (Figure 2.5), you tap Edit at the top right to enter a new risk with the +. You can then use the disclosure triangle (the right-pointing arrow) to move to details for the risk as you see in Figure 2.5 right. There you can select the items that are most likely to be causes of the risk and the ones that are most likely to be needed for mitigation.

Another feature of the Risk Details tool is its ability to help you capture your impression of your capacity to resolve the issue. The final section of the Risk Details tool lets you summarize the solution as it appears at this point. (Remember that with the app, you can always come back and change things as you get more information.)

Completing the Risk Details tool puts you on the road to mitigation planning, which is covered briefly here and in greater detail in Chapter 3.

Figure 2.4: Risk List (Paper)
Figure 2.5: (left) Risk list; (right) Risk Details (Nonprofit Risk App)

Likelihood/Impact Matrix

Likelihood and impact are two dimensions used to assess the degree of harm that can result if a risk in your organization is not addressed. Likelihood is defined as the probability that a risk has, can, or will occur in the organization. The likelihood rating ranks the risk as very likely, moderately likely, or not very likely to occur. Impact is defined by how significant the effects of the risk could be on the organization. It answers the question of how serious the consequences would be if this risk occurred. Would the risk have a high, medium, or low impact?

You can use a two-by-two matrix like the one shown in Figure 2.6 to rank the risks on your list according to likelihood and impact. You take the risks identified in your Risk List and, in a discussion with your team, place each risk in the box that reflects your best thinking on the probability and effect it would have on your organization. Each box in the matrix corresponds to a scaled value, one that runs from high-to-low likelihood and another that runs from high-to-low impact. There is no single right way to forecast the likelihood or estimate the impact of risk. It helps to have your team involved in this exercise to add perspective and offer differing points of view.

Reaching team consensus on risk likelihood and impact will help you make decisions about resources needed and mitigation strategies with confidence. Figure 2.6 illustrates how a Likelihood/Impact Matrix might be completed by a nonprofit or NGO. The risk matrix tool answers the question: how vulnerable is your organization to risk?

Figure 2.6: Using the Likelihood/Impact Matrix
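As an added example, and not the book's paper template or The Nonprofit Risk App, the following Python risk register shows how the pieces of Steps 2 and 3 fit together in code: each risk carries a taxonomy category and a causal driver (the five pillars), is placed in a likelihood/impact matrix cell, and the register produces a Top Ten priority list and flags categories where risks cluster. The rating scales, category names and sample risks come from this chapter; the numeric score (likelihood rank times impact rank) and the tie-break that puts recurring risks first are this example's own assumptions, since the book ranks qualitatively.

```python
"""Risk register with a likelihood/impact matrix (added example, not the book's tool)."""
from collections import Counter
from dataclasses import dataclass

# Three-level scales as described in the chapter, mapped to ranks (assumption).
LIKELIHOOD = {"not very likely": 1, "moderately likely": 2, "very likely": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# The five organizational pillars used as risk drivers in Step 3.
DRIVERS = {"people", "policy", "process", "technology", "structure"}


@dataclass(frozen=True)
class Risk:
    name: str          # one line from the risk list
    category: str      # taxonomy category (Governance, Technology, ...)
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT
    driver: str        # one of DRIVERS
    recurring: bool = False  # "does the risk have a history?"

    def __post_init__(self):
        # Reject ratings outside the chapter's scales instead of silently mis-scoring.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")
        if self.driver not in DRIVERS:
            raise ValueError(f"unknown driver: {self.driver!r}")

    def score(self) -> int:
        """Likelihood rank times impact rank (assumed scoring, 1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def build_matrix(risks):
    """Place every risk in its (likelihood, impact) cell, like Figure 2.6."""
    cells = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells


def top_risks(risks, n=10):
    """Top Ten list: highest score first; recurring risks win ties."""
    ordered = sorted(risks, key=lambda r: (-r.score(), not r.recurring, r.name))
    return [r.name for r in ordered[:n]]


def clusters(risks, min_size=2):
    """Categories holding at least min_size risks ('look for places where risks cluster')."""
    counts = Counter(r.category for r in risks)
    return {cat: k for cat, k in counts.items() if k >= min_size}


def driver_breakdown(risks):
    """How many risks each organizational pillar is driving."""
    return Counter(r.driver for r in risks)


# Constructed sample register; the risk names are drawn from this chapter's list,
# the ratings and drivers are illustrative.
SAMPLE_REGISTER = [
    Risk("Data breach of personal information", "Technology", "moderately likely", "high", "technology"),
    Risk("Staff using personal e-mail for work", "Technology", "very likely", "medium", "policy", recurring=True),
    Risk("Use of donor-restricted funds for a different purpose", "Fundraising", "not very likely", "high", "process"),
    Risk("Irregular board review of financials", "Financial Management", "moderately likely", "medium", "structure", recurring=True),
    Risk("Personal use of petty cash", "Financial Management", "moderately likely", "low", "people"),
    Risk("No disaster emergency plan", "Facilities", "very likely", "high", "policy"),
    Risk("Complaints from neighbors", "Operations/Administration", "not very likely", "low", "people"),
]

if __name__ == "__main__":
    for cell, names in build_matrix(SAMPLE_REGISTER).items():
        if names:
            print(f"{cell[0]:>18} / {cell[1]:<6}: {', '.join(names)}")
    print("Top risks:", top_risks(SAMPLE_REGISTER, 3))
    print("Clusters:", clusters(SAMPLE_REGISTER))
    print("Drivers:", dict(driver_breakdown(SAMPLE_REGISTER)))
```

The register is deliberately a plain data structure so the team discussion the chapter recommends stays the source of truth: people agree on a likelihood and impact word, and the code only keeps the result consistent, catches a rating that is not on the scale, and surfaces the clusters and drivers that are easy to miss on paper.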

Moving to ERM Mitigation Planning

ERM is not a one-time activity. To build a culture that is risk aware, open about communicating risk concerns, and actively engaged in risk mitigation, everyone in the organization needs to become fluent in the language, meaning, and consequences of risk and understand their own role in risk management.

Risk activities are actions taken to cure or reduce the effects of an identified risk. It’s the place where the organization decides what needs to be done to reduce, eliminate, or prevent risk from occurring or recurring. There are only a few ways to mitigate risk and these approaches can be used individually or in tandem, depending on the nature of the risk involved and your organization’s capacity and resources available. The choices are clear-cut:

Eliminate the risk. The organization can decide to eliminate the practice that is causing risk.

Mediate the risk. You can mediate the risk through changes in policy, practice, technology, or people. This includes the development or revision of operating policies, enhancements to existing training and supervisory activities, new or enhanced technology solutions, personnel changes, or changes in business process and practice.

Track and monitor performance. Mitigation monitoring includes an ongoing review of the completion and effectiveness of risk mitigation plan activities. Risk mitigation monitoring assesses the effectiveness of the activities put in place to reduce, eliminate, or prevent risk. Risk monitoring most often includes a review of key performance and risk indicators, validation checks like internal audits, or policy and practice spot-checks in non-financial areas of operation.

There are usually multiple methods to cure an identified risk and you can decide to use more than one approach to address the identified risk. Sometimes the risk can be mitigated by a change in business processes or the way things are done. It can also be mitigated by training, increased supervision, or developing a policy or business process where one does not exist.

This is best done through:

Biannual ERM planning

Monthly risk event review

Quarterly risk mitigation review

Adding an ERM focus to other quality and performance enhancing activities

Regular reporting on risk mitigation activities alongside quality and performance improvement activities

Board, staff, and volunteer training and refreshers

Risk mitigation monitoring is a check-in process for reviewing the status and completion of risk reduction activities. Risk event monitoring usually occurs monthly as part of an organization’s quality and performance monitoring activities or as a standalone meeting. Risk mitigation monitoring typically occurs quarterly and with a yearly summary report of organization-wide performance and trends. All risk monitoring involves a review of planned activities and relevant data and a determination of whether the identified risk has been reduced, eliminated, or prevented.

Your ERM plan is the one document that lists:

Identified organizational risks to be addressed

The mitigation strategies or activities that will be undertaken to deal with each risk identified

The desired goal that will come if the risk is dealt with properly

Performance indicators that support effective risk mitigation

The owner or person(s) responsible for implementing the risk mitigation activity, and the due date for completion

In Chapter 3, we will cover the steps for transitioning your risk assessment to an ERM plan and take you through plan development, tracking, and resolution activities.

Summary

This chapter shows you how to begin your ERM project and how to take the first concrete steps to identify and assess risks. In the following chapter, you will move on to manage and mitigate risks.
