Chapter 3
Risk Mitigation Plan Development & Monitoring

The nonprofit management and capacity-building literature includes case study after case study of why corporate compliance, annual independent audits, and adequate insurance coverage only take a nonprofit organization so far when it comes to risk and sustainability. It prompted us to ask why so few nonprofits focus proactively on risk. For one thing, we found that nonprofit leaders rarely have the inclination or expertise to take on risk work on top of their other responsibilities. The tight budgets and limited bandwidth found in most nonprofit organizations, and the volatile environment in which they operate, called out for a written guide and online tools.

We wrote this book because so many nonprofit and NGO leaders worry about risk, but feel ill-equipped to address it. Executives say that they are more comfortable working from a quality improvement or performance management mindset because it speaks to organizational strengths, not vulnerability and weakness. Even a compliance environment seems to be easier for executives to engage because regulations, while often constraining and bureaucratic, are imposed externally and require little guesswork. The psychology of risk management requires personal and professional exploration of your own risk tolerance. It also requires an ability to accept the limits that your own history and experience places on the amount of risk you are willing to carry in the workplace. It comes from a deep understanding and acceptance that running a nonprofit means that you are in charge but not in control.

Our goal with this book is to take some of the risk out of risk management and make it easier for nonprofit leaders to do enterprise risk management. We want to help nonprofit leaders reduce the amount of time spent responding to and worrying about risk, increase efficiency when working with a consultant on a risk management project, and reduce the frustration that comes from having to build and implement a risk management system from scratch and with no guidance.

In this chapter, we get serious about risk management and monitoring. In Figure 3.1, you can see how risk management and monitoring fit into an overall ERM process.

Figure 3.1: Risk Mitigation Plan Development & Monitoring

Risk management and monitoring activities flow naturally from the work you’ve done so far to identify and understand risk in your organization. This chapter will help you get started with mitigation planning and detail the steps you need to take to reduce risk and exposure that could derail your operations and best laid plans. By the end of this chapter, you will be able to tie risks to solutions and construct and implement a customized ERM plan using a paper template or app.

Let’s recap the process so far. You’ve identified and prioritized the risks you will address in your ERM Plan. You have a Top 10 list of the most important risks to mitigate (Figure 2.4). You’ve considered the organization’s risk appetite—how much exposure, vulnerability, and uncertainty you can live with—and your staff capacity to resolve the identified risks (Figure 2.6). You’ve decided how much mitigation activity the organization can take on, and you know that actively managing key high-risk items will produce a better outcome than trying to handle every risk superficially and simultaneously. You’ve begun thinking about the kind of resources you will need to resolve the identified risks. Finally, you’ve been thinking about which program or department managers will be tasked with specific mitigation activities, who will be accountable for day-to-day mitigation work, and who will be responsible for putting solutions into place.

There are three parts to the ERM work at this stage:

Turning your risk assessment into a risk mitigation plan (Figure 3.1)

Creating a risk register and risk mitigation log (Figure 3.4)

Implementing your ERM plan and monitoring risk (Figure 3.5)

Turning Your Risk Assessment into a Risk Mitigation Plan

In designing risk mitigation strategies, the first rule of thumb is to figure out the simplest and most direct way of reducing or eliminating the risk. The second rule is to ensure that the solution proposed fits the risk and that it is likely to result in a measurable reduction in vulnerability or exposure. The third and final rule is to carefully consider the source and drivers of risk, whether it’s a single, cluster, or organization-wide risk and whether it is likely to reoccur. The goal is to develop and implement a set of mitigation activities that will reduce the risks you’ve identified. These considerations will help you frame the approach you will take to mitigation and mitigation planning.

Developing an organization that is risk-savvy means building risk awareness and opportunities for mitigation into daily operations and into overall management strategy. An organization that values communication and disclosure will create multiple channels for staff, board, volunteers, recipients, and others to report incidents and situations of concern. Smart leaders will create systems that have reinforcing and redundant features. In the US, this is referred to as belts and suspenders practice. In the UK, it’s called belt and braces. These redundant and reinforcing processes are protective strategies established out of an abundance of caution to catch or minimize risk.

The idea is to create an ERM plan that fits seamlessly into your ongoing training, business processes, and other performance and quality improvement, oversight, and monitoring activities. Mitigation activities are recommended actions intended to fill in gaps caused by an organization’s vulnerabilities. Focus on the risks your team has identified across all areas of operations—program, staffing, finance, administration/operations, fundraising, communications, governance, and those occurring externally. The mitigation activities you choose should aim to close the gap between organizational vulnerabilities and the operational capabilities needed to address them. Risk mitigation, quality, and performance improvement strategies work in tandem to reduce exposure and improve practice. Expect that risk assessment and mitigation strategy development will be ongoing with your formal ERM plan developed or refreshed every 18 to 36 months. Imagine a scenario where your organization has a standing monthly meeting to review and monitor specific incidents and performance and quality metrics and a quarterly meeting to review progress made on the ERM plan.

When you begin to craft solutions to the risks identified by your team, think about ways to adapt or revise policies, procedures, business processes, and protocols. Consider ways to train or supervise staff, keeping these risks in mind. Explore technology solutions as part of or as a companion to other risk mitigation activities.

Revise or develop new policies and procedures

Redesign business processes and protocols

Develop technology solutions

Include a focus on ERM when onboarding staff and volunteers and when orienting new board members

Rethink staff and volunteer supervision and training

You’ll want to build five foundational processes to support the implementation of your enterprise risk mitigation plan. Each process is discussed in detail below.

  1. Draft an enterprise risk policy that describes the framework for ERM activities.
  2. Use tools to develop Mitigation Action Plans (MAPs) to manage risk management activities.
  3. Establish a reporting process to share information with managers and board members. Monitor the status and completion of risk mitigation activities.
  4. Develop indicators to track risk, and summarize mitigation activities and document resolution.
  5. Create a schedule for producing and distributing mitigation monitoring reports and for reviewing the effectiveness and completion of mitigation activities.

Step 1. Develop an Enterprise Risk Policy that Describes the Overall Framework for ERM Activities

Your ERM policy is the place where you lay out the organization’s approach to risk and risk management. It codifies the standards governing organization risk practice—the way you’ll do things—and lays out expectations of staff, board, volunteers, vendors, affiliates, and others. A strong ERM policy starts with a statement that the practice of identifying, assessing, managing, and mitigating risk is an organizational priority. It should include language noting that risk management is everyone’s business. The policy should describe opportunities and outline the various channels for staff, managers, program participants, and board to report risk with no fear of reprisal. Your enterprise risk policy should cover all areas of organizational operations from programs and services to governance to finance and operations, from staffing to reputation and facility management, to a discussion of the external risks that affect agency operations. It should also reference an expectation of compliance with all laws, regulations, and organizational policies. The ERM policy statement should also explicitly acknowledge board and executive leadership accountability for actively managing risk and the tracking and oversight processes that will be used to monitor risk, risk mitigation, and risk resolution activities. Your ERM policy should also describe the internal control systems—the checks and reinforcing business processes—that will be used to manage risk. It should describe the escalation chain for notifying executive leadership and board of risk incidents and resolution. Finally, your ERM policy should delineate the rules under which your organization will operate its risk management activities. The ERM policy can be organized in a way that allows it to become a new section in your organization’s operations manual or onboarding material.

The basic elements of your ERM policy should include a discussion of:

Risk Mitigation Philosophy and Goals. Why does risk management matter? What do we hope to accomplish through enterprise risk management? What risk reduction or quality or performance improvement targets do we wish to set and reach?

Accountability Structure and Processes. Who is responsible for identifying and managing risk?

Risk Committee Membership and Operations. How will the committee operate? What reports and data will be produced and reviewed? What is the general operating framework for the committee?

Indemnification and Insurance Coverages. This section should include a description of insurance coverages, indemnification parameters, and other relevant provisions.

Internal Audit and Compliance Monitoring and Validation Processes. How will the organization ascertain adherence to the ERM policy? Will it include internal program and fiscal audits or spot checks? What methods will be used to test and validate whether risk reduction strategies are working?

Operating Policies and Requirements. How will the ERM policy and activities interface with other organizational requirements, including annual independent audits, compliance with laws and regulations, quality and performance improvement activities and industry best practice? What methods will be used to review policies or operating manuals to keep them current?

Quality Improvement, Risk and Performance Tracking Reports and Activities. What information will be collected? How will it be reported out? How will cross-program, department or affiliate comparisons be made? How will benchmarks and relevant industry standards be used? How will outliers be addressed?

Step 2. Use Tools to Develop Mitigation Action Plans (MAPs) to Manage Risk Management Activities

Use the Mitigation Action Plan template or app to detail the activities your organization will undertake to prevent, reduce, or manage your identified risks and provide status updates to the executive team and board ERM committee. There are a handful of mitigation management tools that can be employed when you identify risk in your organization. Typical mitigation options include staff training, supervision, adding or reassigning staff, clarifying staff functions, disciplinary action as a last resort, retooling a business process or practice, a department restructuring or program closure as a last resort, a technology fix, or reassessing your insurance needs.

Your mitigation action plan must create a straight path linking the problem to an actionable solution. Remember that the activities you select and tools you choose to use should measurably reduce the risk or vulnerability you’ve identified and document the reduction in a way that is easy to understand. The MAP template or app will prompt you to do this. Some risks can be mitigated by using one tool, although it’s usually the case that a combination of tools will be needed to reduce an identified risk.

It’s worth reinforcing the point that in addition to the ERM mitigation plan, your organization will want to establish a new process or enhance your existing incident monitoring activities. Incident review details and process should be delineated in your risk policy. Your incident reports should include the date of the incident, description of the situation, details on time of day, location, staff or recipients present or affected, immediate actions taken, proposed actions to be taken, expected outcomes, person responsible for implementing the corrective action, resources needed, validation method, and due date. Where incident management tracks the remediation of specific hazards with a goal of returning the organization to normal operations as quickly as possible, risk mitigation planning seeks to address root cause and assumes a portfolio view of risk across departments and programs.

Step 3. Develop a Reporting Process to Monitor the Status and Completion of Risk Mitigation Activities

The reporting process you develop will work optimally if it feeds into a quality, performance, or risk committee at the staff level, to a board committee such as a Compliance or Quality Improvement Committee, or to a newly established Risk and Performance Committee. These committees will be responsible for monitoring the status of ERM mitigation efforts and tracking implementation of the ERM plan. To make it easier to track implementation and mitigation activities and to monitor risks, you will need to construct a set of indicators and develop a report or dashboard that will allow you to keep an eye on key operations and identify emerging risks. These indicators can be framed as key performance indicators (KPIs), key risk indicators (KRIs), or a combination of the two. Each indicator represents a potential risk. The indicators should capture essential activities, critical incidents, or performance gaps in each department or program. We discuss KPIs in detail below.

Your ERM plan and mitigation monitoring activities are only as good as your underlying business processes. Strong management and quality and performance management will reinforce the commitment to preventing and reducing risks. This two-part action is a necessary process redundancy that is referred to as a belt and suspenders or hook and net process. If you don’t catch a vulnerability or weakness with one process, you’ll catch it with another.

If you already have a strong quality and performance management system and use KPIs, you can add new operations indicators or develop an additional set of KRIs. We prefer the simplicity of a KPI framework because it names the goal for data collection and tracking: to make your organization stronger and less prone or susceptible to risk. Your KPIs should include metrics for each operating department, division, and program. You can use the same functional categories listed in Chapter 2 and detailed in Part II of this book. We’ll quickly recap the functional categories here and offer some examples to prompt your thinking.

Monthly incident and performance review meetings align organizational goals and views of success across the organization. ERM monitoring meetings encourage discussion about progress toward organization-wide risk reduction goals. Both the monthly incident and performance review meetings and the quarterly ERM plan review meetings promote timely identification of emerging and deep-rooted risks. This process makes it possible to ground decision-making in data and facts. It enables comparison from year to year or across programs or affiliates. It creates a place to examine trends in performance, workflow, or process gaps. It also helps everyone in the organization operate from the same base of information and develop a shared perspective on what works and what doesn’t. Risk governance and risk awareness are reinforced by Board and staff committees and protocols. A cross-functional team like the one you tapped to do risk assessment can be tapped to manage the ERM and KPI data and generate reports. You will have to consider what data platform you will use to capture and present the data in report or dashboard form.

Step 4. Develop Indicators to Track and Report Risk, Summarize Mitigation Activities and Document Resolution

Key performance indicators (KPIs) serve as early warning alerts to catch vulnerabilities in programs or operations. They enable data-informed decision-making, offer a snapshot of current status and trends over time, and help you make progress toward your goals. Using key indicators helps benchmark programs and operations and makes it easier to spot outliers that may need special attention. The indicators you choose need to be organization-wide. They can cascade down to programs and departments or to individual staff, as you choose. Using metrics changes an organization’s culture. Metrics can be expected to change the way your board, managers, staff, and volunteers think and act.

The ERM plan outlines a series of mitigation activities that can be tracked and captured in data reports or dashboards over time.

Develop risk and performance indicators to track progress made to reduce, prevent, or eliminate risk

Develop reduction targets for each category of risk

Collect and report data monthly, quarterly, and annually

Identify positive and negative outliers across programs or departments

Consider quarterly and year-over-year trends

Establish organizational, department, and program benchmarks

When considering indicators you will want to answer these questions: What risk or performance questions do we want to answer? What do we need and want to know about our programs and operations? Do we already collect data that can be used to measure a reduction in risk? Can we get other meaningful data? Do we have a data source (technology platforms, surveys, interviews, focus groups, satisfaction surveys, journey mapping, research/evaluation, observation, attestation, peer-to-peer, qualitative, and quantitative data)? How reliable is our data and what data quality improvements are needed for it to be useful in tracking risk reduction?

There are many KPIs to consider. The key is to choose the fewest number of indicators needed to capture the main areas of quality, performance, and risk in your organization across all programs and departments. You can turn other indicators into data dashboards for program directors or department managers. The list below offers some indicators to consider as you think through your own short list of KPIs.

Operations

Record-keeping and record retention practices meet industry standards.

Reports on pending litigation, large insurance claims, payouts, settlements, and disclosures are shared with the board annually.

A disaster-recovery plan is in place for all departments and programs.

Adequate insurance coverage is in place for each line of business.

Facility maintenance plans are current for all sites.

All facilities are in a state of good repair and all facility violations have been cured.

Program and department manuals are up to date.

Fleet management policies are current and a maintenance plan is in place.

Emergency and disaster recovery plans are current with staff trained in their use.

Programs

Accreditations or licenses for all programs or facilities are up to date.

Program evaluation and impact data on some or all programs are shared with staff, board, funders, and the community.

A safety and incident management plan is in place for all programs and sites.

Services are fully enrolled and subscribed and data is available on program utilization and vacancies.

Financial Management

Government contracts or foundation grants cover the cost of all program operations.

A current financial sustainability plan is in place.

The annual budget includes 3–6 months of cash reserves.

Fraud prevention activities and internal control testing are operating in all programs and departments.

Audit findings are monitored for material deficiencies, significant findings, and business recommendations.

A Board- and auditor-approved expense allocation methodology is used in all programs and departments.

Board has reviewed and approved annual operating and capital budgets.

Quarterly reporting on revenue mix by source.

Financial reporting and presentation material meets industry standards.

FASB, 990, and other government accounting and reporting practices are consistent with industry standards and submissions are complete.

Line of credit accounting report is produced and distributed quarterly.

Cash flow report is produced monthly for executive staff and quarterly for board.

Quarterly report on cost per unit of service by program type is produced and distributed to executive staff and board.

Staffing

All hiring processes meet fair labor and industry best practice standards.

Employee handbook is current and meets legal and industry standards.

Staff and leadership have the political acumen needed to manage programs, finances, contracts, and grants.

A code of conduct, organizational ethics, and values is distributed to all incoming staff, volunteers, and board members.

A succession plan for key positions is in place.

Staffing coverage ratios are maintained and reported for each program.

Compliance with fair labor practices.

Staff turnover or vacancy rates higher than 10% annually are tracked and reported for each program or department.

Background checks and clearances are conducted for all employees.

Annual corporate compliance training is completed by all employees.

Governance

Bylaws are current and comply with local law and industry standards.

Completion rate of 100% for annual conflict-of-interest training and disclosure attestations.

Board-approved annual budget.

Regular meetings are held and decisions are made with a quorum present.

Investment policy is reviewed and updated annually.

Board approvals are given and recorded for contract execution, borrowing limits, spending approvals, and purchase or sale of building.

Annual performance and compensation reviews meet local standards for all executive staff.

Fundraising and Communications

Charity review rating and organization reputation are monitored regularly.

Crisis communications plan is current.

Gap to actual funds raised and fundraising by source/type is reported quarterly.

Unfavorable press is tracked as a significant risk and reported to members of the executive team and board.

Annual fundraising expenses are below 35%.

Environment

Community engagement activities are tracked and reported by type and activity.

Regular monitoring of changes in federal, state, regional, and local regulations and legislation.

Advocacy activities are conducted in accordance with regulations and meet industry standards.

No political contributions are made with organization funds.

Weapons or active shooter policy is current and staff have received training.

Technology

Cyber security policy is current and implemented in all departments and programs.

Data recovery plan is current and regularly tested.

Data privacy is maintained in all programs and departments and all breaches are disclosed in a timely manner.

Sufficient staff members are trained to enter data and produce reports from all data platforms.

Step 5. Create a Schedule for Monitoring ERM Plan Implementation and Reviewing the Effectiveness of Mitigation Strategies

Performance and progress on ERM plan implementation should be monitored monthly at the program and department levels. Summary reports should be provided to the executive team and board quarterly and annually, with year-to-date and year-over-year comparisons available. It can be useful to develop outlier reports to flag programs or departments where performance is well above or below the system-wide average. One rule of thumb is to use your fiscal year and board meeting calendars to establish reporting dates.

Creating a Risk Register and Risk Mitigation Log

Using the template or app is a quick way to build your ERM plan and mitigation status tracker. The template below offers an easy way to get started. The Risk Register tool allows you to capture your most important risks and risk assessment detail on the severity, importance and source to create a work plan for addressing them. Drop the Top 10 or your other priority risks into the risk register. The risk register and mitigation log show the source and severity of risks to be mitigated. It allows you to sequence the timing of mitigation activities, identify the risk owner and mitigation manager, and track mitigation implementation and completion dates. By documenting this risk detail, you are establishing parameters you can use to develop a mitigation plan for each risk.

Figure 3.2 shows a risk register you can download and use.

Figure 3.2: Using a Paper-Based Risk Register

If you use The Nonprofit App, the Risk Register has the same information; however, instead of multiple columns, buttons at the top let you sort and re-sort the data to focus on each aspect of the risk as you see fit. You can see the app’s risk register in Figure 3.3.

Figure 3.3: Using the Risk Register

The risk register is where your organization will determine the areas of risk you will explore, the source of the risk, the risk’s likely effect on your organization, and the risks you will want to mitigate in this round of ERM planning. As a rough guide, you can start by using your top ten risks or including risks your team has identified in programs, finance and agency operations. Note whether the risk is internal or external, and the likelihood, impact, and vulnerability posed by each risk you’ve identified. Once completed, this template becomes the basis for your ERM plan.

After you identify and prioritize the risks you will mitigate in your ERM plan, you will want to move on to the Risk Mitigation Log. The log can be used to capture the set of activities you will undertake to reduce, prevent, or eliminate identified risks. It will also capture the methods you will use to track successful implementation, the lead person or responsibility owner, and a validation methodology for confirming successful completion or cure. You can use basic metrics to track progress made in implementing risk mitigation activities, and you can validate completion or cure through attestation, spot-checks, internal audit, document review, and site visits. Figure 3.4 shows the Risk Mitigation Log in the app.

Figure 3.4: Risk Mitigation Log

Figure 3.5 shows the details for a single risk mitigation action from the log.

Figure 3.5: Mitigation Action Details

In thinking about the activities or strategies you will use to tackle risk in your organization, you will want to think carefully about your risk appetite and organizational risk tolerance. Will you be able to eliminate, reduce, or manage the risk with the planned activities? How will you or the board feel if, after taking action, some element or degree of risk remains?

You will also want to attach a timeframe and an owner to each risk mitigation activity, as demonstrated in Figure 3.5. Who in the organization will be responsible for doing the work to reduce, eliminate, or manage the identified risk, or will you bring in outside experts to assist? When will the work start? How complex is the solution to implement? What are the cost and resource considerations for mitigating these risks? How long will it take to complete? What is the due date for completion?

Your risk register and mitigation log will capture a configuration of risks unique to your organization. It will be tailored to your needs, your risk appetite and tolerance, and to the capacity of your managers to implement. If dutifully implemented, this bespoke plan can be used for a period of up to three years to reduce, eliminate, or manage the risks you face.
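The register, the mitigation log, and the outlier report from Step 5 are the three records this chapter asks you to keep. As an added example, not code from the book or from The Nonprofit App, the Python below models them: register rows carry source, likelihood, impact, and vulnerability; log rows carry owner, start and due dates, validation method, and completion state; and a KPI outlier check flags programs well above or below the system-wide average. The 1–5 rating scales, the product score, the status names, and the 50% outlier threshold are assumptions, and the sample risks, actions, and turnover rates are constructed.

```python
"""Risk register, mitigation log and KPI outlier report (constructed example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Risk:
    """One row of the risk register (the fields shown in Figures 3.2 and 3.3)."""
    risk_id: str
    description: str
    category: str        # program, finance, staffing, governance, ...
    source: str          # "internal" or "external"
    likelihood: int      # assumed 1 (rare) .. 5 (almost certain) scale
    impact: int          # assumed 1 (minor) .. 5 (severe) scale
    vulnerability: int   # assumed 1 (well controlled) .. 5 (no controls) scale

    def score(self) -> int:
        # Assumed scoring rule: product of the three ratings (1..125).
        return self.likelihood * self.impact * self.vulnerability


@dataclass
class MitigationAction:
    """One row of the mitigation log (the fields shown in Figures 3.4 and 3.5)."""
    risk_id: str
    activity: str
    owner: str
    start: date
    due: date
    validation: str      # attestation, spot-check, internal audit, document review, site visit
    completed: Optional[date] = None
    validated: bool = False

    def status(self, today: date) -> str:
        # Assumed status names; "cured" requires both completion and validation.
        if self.completed and self.validated:
            return "cured"
        if self.completed:
            return "awaiting validation"
        if today > self.due:
            return "overdue"
        return "in progress"


def prioritize(register, n=10):
    """Highest-scoring risks first: the Top 10 for this planning round."""
    return sorted(register, key=lambda r: r.score(), reverse=True)[:n]


def overdue_actions(log, today):
    """Actions past their due date with no completion recorded."""
    return [a for a in log if a.status(today) == "overdue"]


def register_report(register, log, today):
    """Quarterly-style summary: one line per risk with score and action statuses."""
    rows = []
    for risk in prioritize(register):
        actions = [a for a in log if a.risk_id == risk.risk_id]
        statuses = sorted({a.status(today) for a in actions})
        rows.append({"risk_id": risk.risk_id, "score": risk.score(),
                     "source": risk.source, "actions": len(actions),
                     "status": ", ".join(statuses) or "no action planned"})
    return rows


def kpi_outliers(values, threshold=0.5):
    """Flag units whose KPI differs from the system-wide mean by more than threshold * mean."""
    avg = mean(list(values.values()))
    flags = {}
    for unit, v in values.items():
        if avg and abs(v - avg) / avg > threshold:
            flags[unit] = "above" if v > avg else "below"
    return flags


# Constructed sample data (not from the book).
REGISTER = [
    Risk("R1", "Background checks missing for some employees", "staffing", "internal", 3, 5, 4),
    Risk("R2", "Cash reserves below three months of operating costs", "finance", "internal", 4, 4, 3),
    Risk("R3", "State licensing rules for the program are changing", "program", "external", 2, 4, 2),
]
LOG = [
    MitigationAction("R1", "Audit clearances and complete missing checks", "HR Director",
                     date(2024, 1, 15), date(2024, 3, 31), "internal audit",
                     completed=date(2024, 3, 20), validated=True),
    MitigationAction("R2", "Adopt reserve policy; add one month of reserve per quarter", "CFO",
                     date(2024, 2, 1), date(2024, 12, 31), "document review"),
    MitigationAction("R3", "Quarterly regulatory scan reported to the ERM committee", "Program Director",
                     date(2024, 1, 1), date(2024, 6, 30), "attestation"),
]
TODAY = date(2024, 7, 15)
# Annual staff turnover rate per program (a KPI from the Staffing list above).
TURNOVER = {"Program A": 0.08, "Program B": 0.11, "Program C": 0.30, "Program D": 0.09}

if __name__ == "__main__":
    for row in register_report(REGISTER, LOG, TODAY):
        print(row)
    print("overdue:", [a.risk_id for a in overdue_actions(LOG, TODAY)])
    print("turnover outliers:", kpi_outliers(TURNOVER))
```

Run as is, the report lists R1 as cured, R2 as in progress, and R3 as overdue, and flags Program C's turnover as above the average. Swapping in your own register rows and KPI values is the whole of the customization; the scoring rule and the outlier threshold are the two places where your risk appetite enters.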

Reporting and Mitigation Accountability Strategies

The ERM team will meet monthly with the owner of each risk, check in at regular monthly, quarterly, and annual intervals, and attest to and provide data on progress made to reduce the risks identified in the ERM plan until goals are reached. At each check-in, the manager or risk owner should describe activities undertaken to reduce or mitigate the risk. Validation activities like spot-checks, internal audit, and program or document reviews can test for the absence or reduction of identified risks, and the mitigation strategy can be amended as needed. A final validation test at completion closes out the mitigation.

A Note on Residual Risk

Organizations cannot eliminate risk completely. Carefully crafted mitigation strategies and actively managed implementation will allow you to reduce risk to an acceptable level.

Implementing Your ERM Plan and Monitoring Risk

There are five phases to an ERM plan implementation:

Securing agreement on the organization’s risk profile. You and your ERM team must share a consistent view about risk and agree to model and reinforce it with staff, volunteers, affiliates, and vendors. This means that you have established parameters about risk appetite, risk tolerance, and risk policy. You have identified, narrowed down and arrived at consensus on the priority risks to be addressed in your ERM plan. You and your team have agreed on desired mitigation activities and owners responsible for each identified risk, and you have agreed to a deadline date for completion of risk mitigation activities.

Arriving at clarity about the organization’s risk management, governance structure, and management responsibilities. Strong risk management practice starts with the tone set at the top. The executive team and board leadership have roles to play in increasing risk awareness and management within the organization.

Entering the agreed upon list of organizational risks and risk events to be mitigated in the Risk Register and Risk Mitigation Log. Your ERM project manager can be tasked with managing the ERM work. This individual is responsible for constructing the ERM plan with agreed upon ERM tools, and for managing the ERM initiative. Your ERM team, in conjunction with your program and department heads, can use one or several monthly ERM meetings to refine the list of identified risks to a number that your organization can act on effectively. You can use the Risk Register template or app to capture and rank risks and select those your organization chooses to mitigate.

Agreement on risk mitigation activities to prevent, reduce, or eliminate risk. Your ERM team and department and program managers can use one or more of the monthly meetings to craft mitigation solutions for each identified risk. Remember that the mitigation activity should produce a discernible and measurable reduction in the risk it is intended to address.

Continuous tracking of internal and external risk events, enhanced reporting and monitoring of risk and performance, and biannual ERM plan updates. The timeframe for your ERM plan can stretch over an 18- to 36-month period, depending on resources and other organizational priorities. It is best to get your organization on a regular cycle of ERM planning and to keep your risk register current and mitigation plan updated. Extending beyond a three-year timeframe on any mitigation activity adds its own risks. For most nonprofit organizations, the pace of change is too fast and the consequences of failing to keep up are too great to adopt a long-term view of risk. Conditions on the ground in your programs, operations, or community served; your plans for growth, consolidation, or cutbacks and progress made on your strategic goals—anything that shifts or changes your work will create new pockets of risk that need attention. Similarly, changes in the funding, legislative, or regulatory environment, or social and political climates pose risks if left unexamined and unaccounted for.

Summary

Successful ERM plan implementation is completely dependent upon the tone set at the top and upon a regular pattern of reinforcing communication, training, supervision, performance reviews, and data sharing. Information and accountability are the cornerstones of effective ERM.

This chapter provides you with details for the various steps to take in your plan. In Chapter 4, we will walk you through other ERM planning tools and how to use them. By the end of the chapter, you will have an idea of whether using a paper or online tool is right for you, your team, and your organization. You can start testing the tools by entering your own data. The remaining chapters of The Nonprofit Risk Book focus on risks in key areas of operations and the backbone of your organization.
