Chapter 1
Thinking About Risk
We began talking about risk after reading report after report of high-profile business failures in well-regarded nonprofit organizations. The tragic downfall of these organizations, long known for providing important and even essential services, left us wondering why nonprofits and NGOs go belly-up and whether there was something to be done that could prevent or change this outcome. From these conversations and our experience leading, working as staff and volunteers, and serving on boards, The Nonprofit Risk Book was born.
As we began scanning the field in search of clues, patterns and examples emerged with alarming clarity. We found countless instances of nonprofit organizations, large and small, that had failed to heed warning signs or assumed they were too small, too large or too well-run to be harmed by risks common to nonprofits and NGOs. This point is well illustrated by the collapse of Hull House, FEGS, New York City Opera and Kids Company. Jane Addams established Hull House in a poor immigrant Chicago neighborhood in 1889 (built on ideas taken from Toynbee Hall, a settlement house that opened in London’s East End five years earlier). The Jane Addams Hull House Association became a pillar of the community and a fixture in the national social welfare scene. On January 19, 2012, Hull House unexpectedly announced bankruptcy and their anticipated closure. Within a week, employees were told that there would be no severance pay, no health insurance coverage, and no accrued vacation pay. The community residents served by Hull House were told they’d have to go elsewhere for assistance. The impact of the closure shocked not only employees and people served by Hull House, but it also left a gap in the city’s safety net, causing strain and worry across the city. How could such a respected and storied organization close suddenly after 122 years?
Just like Hull House and also seemingly without warning in 2015, FEGS Health and Human Services notified New York State and City governments that it had a $20 million deficit and would be closing its doors after 80 years of operation. These calls sent New York City and State leaders scrambling almost overnight to find sponsors for $250 million in programs serving 100,000 people, and jobs for a workforce of over 4,000 employees. As the story unwound, it became clear that early warning signs were missed or ignored.
It’s not just in social welfare and human services that these cataclysmic nonprofit failures have occurred. The New York City Opera was founded in 1943 with the goal of making opera accessible to a wide audience and, as years went on, with a secondary goal of supporting new American singers and composers. It became a part of Lincoln Center for the Performing Arts in 1966 and found a home at the New York State Theater at Lincoln Center where it performed for 45 years. Financial difficulties caused it to move from its performance home at Lincoln Center in 2011 to office space elsewhere in Manhattan. A few operas were performed at other venues in New York City, but on October 1, 2013, the New York City Opera filed for bankruptcy after a 70-year run. As of this writing, the New York City Opera is operating on a much smaller scale in a new format at other locations. While the story is not finished, the Opera’s future is not secure.
Problems like this are not limited to the United States or to long-established organizations. Kids Company was founded in 1996 to serve vulnerable children in London and, later, in Liverpool and Bristol. It grew rapidly, and by 2013 had a budget of £23 million and a staff of nearly 500 employees. Starting in 2009, various warning signs began to appear. By August 5, 2015, the charity closed its doors.
These organizations and others that have suffered the same fate offer important lessons. The rate of nonprofit closures has accelerated at an unprecedented pace, raising alarms for boards and executive leadership, as well as foundations, donors, governments, and the public. Each nonprofit failure, whether from insolvency or poor management, raises serious questions about the integrity and functioning of all nonprofits.
When a nonprofit or NGO fails, two questions are usually asked: “How did it happen?” and “Can it happen to us?” This kind of forensic or post-action review typically provides a case study in poor management, limited oversight, and little else. Rarely does a nonprofit’s collapse generate lessons that forward-thinking leaders can use to make their own organizations work better or protect them from the same fate.
Often, nonprofit leaders look at these organizational failures and see no immediate cause for alarm or action on their part. They see an extreme set of conditions and circumstances that don’t seem to apply to their organizations. Smart leaders know that there is more to the story.
The fact is that in each of these cases, there were warning signs that went unheeded. Before the crisis that led to closure, there were incidents that, in retrospect, should have been seen as critical moments where changes could have been made to avert the disasters. Even where major problems occurred, in retrospect critical inflection points stand out where mitigation efforts could have lessened the blow.
This book helps you identify risks before they present themselves as calamities. It applies to leaders of small and large organizations, multiple location and single program operations and organizations that rely on paid staff or are 100% volunteer led because risk is endemic. In other words, risk management applies to everyone who has management or governance responsibility for a nonprofit organization. So we begin with the basics—identifying risk. Without identifying risks, there is no way to mitigate them, so this book starts with the process of identifying risks. Then, with risks identified, we help you plan your mitigation actions. From identified risks and planned mitigation actions, we move to active implementation, tracking and oversight while keeping an eye on any emerging risks to be certain that they are controlled.
What’s Special About Nonprofit Risk?
Nonprofit organizations operate in a complex environment characterized by risk, but many nonprofit leaders have limited experience engaging risk actively. Nonprofit executives manage to mission. They believe that if they are doing good, only good things will happen. They rely on a cherished belief that a mission focus will protect them. While it’s true that a mission focus—doing good—is the distinguishing feature of nonprofit organizations, when all attention and resources are focused on activities that serve constituents or causes, organizations can lose sight of their underlying business operations and operating environments, making them more prone to risks that could have been identified and mitigated earlier. This blind spot is where nonprofit risk management begins. It is also at the heart of what distinguishes the practice of risk management in the nonprofit and commercial worlds.
Risk creates organizational distress that causes nonprofits and NGOs to lose their ability to make wise choices. Time, talent, attention, and resources shift to crisis mode and all other organizational activities take a back seat to addressing this urgent, immediate need. Managing crises is costly—astronomical amounts of money are spent directly on injuries, damages and settlements, lawyers and reputation management, and indirectly on staff time diverted to addressing and cleaning up the fallout.
The disruptions caused by nonprofit failures have moved the discussion of risk from an “it-can’t-happen-here” mentality and from the purview of accounting firms, auditors, the insurance industry, and charity watchdogs who are typically the custodians of organizational risk, to the nonprofit boardroom and executive suite. The following sections offer a framework for thinking about nonprofit risk, along with an overview of typical risks affecting nonprofit organizations and how to uncover and deal with them. In the chapters of Part II, you’ll find details on how to bring enterprise risk management into your organization and how to find and manage risk.
The Nonprofit Business Model Creates Risks for Many Nonprofit Organizations
The nonprofit business model presents a unique environment for risk. There are six challenges that are carried by most nonprofits as a matter of course. These risks are viewed as the price of doing business in the nonprofit sector and they are vastly different from risks carried by commercial enterprises.
–Multi-year government contracts with flat funding can cause budget deficits because the cost of providing services increases every year but contract funding does not.
–Complex program eligibility can make it hard to identify people who are approved to attend a program or use a service. This can leave the organization with programs that are not fully subscribed, or, on the other hand, ineligible participants who receive services for which there is no reimbursement from funders.
–Required fundraising matches to cover basic operating expenses for services otherwise supported by a government contract or need to increase fees beyond what patrons or recipients can afford in order to generate sufficient operating revenue.
–Increasing costs of doing business with no steady source of additional revenue to cover staff salaries and benefits, supplies and materials, and costs that grow each year.
–Growing demand that exceeds the organization’s ability to respond, creating long waiting lists, poor client relationship management, and community dissatisfaction.
–Rigorous performance requirements and the need for back-office operations that require new technology, a data analytics team, or quality improvement activities that are not reimbursed through government contracts or through private fundraising which favors direct support to programs and services.
These and other nonprofit risks are discussed generally in Part I and in more detail as essential nonprofit functions in Part II.
6 Common Warning Signs of Underlying Risk
The challenges outlined in the previous section are the operating reality for most nonprofit organizations large or small. The six warning signs outlined in this section are proxies for underlying risk. Where these problems occur, risk is sure to follow.
–No regularly scheduled budget oversight or monitoring. This means no controls on spending or recognition of deficits and a serious lapse in board governance.
–Limited data sharing on agency activities, operations, or performance, and no routinely scheduled incident, program, and back-office performance review. This means the organization is not learning from experience or correcting mistakes.
–Limited communication, irregular feedback, or no corrective action monitoring. This means there is little shared understanding of or accountability for achieving goals.
–Late filings or late submissions of required tax, financial, grant, or government reports. This puts the organization in jeopardy of penalties, revocation of charity status or non-renewal of essential government or foundation grants.
–High staff turnover or low productivity. This red flag suggests a troubled work environment and the provision of low-quality services.
–Poor client relationship management and customer service. This means that service recipients do not get what they need and often leave early before completing the program.
If one or more of these risks exist in your organization, you should prepare to dig deeper to identify the cause and act on them as quickly as possible using mitigation strategies you will find in Chapter 3.
What Is Risk?
Risk identification, management, prevention, and control have become more important across all types of organizations. The previous sections focused on some specific nonprofit concerns, but this section covers a broader spectrum of risks that affect all business operations. They are the basics when it comes to contemporary risk discussions. The descriptions of risk in this section can help orient you to the concept of risk and get everyone in your organization speaking the same language about risk. Understanding risk is the first step in being able to work together to identify, mitigate, and manage your organization’s risk.
The classic definitions of risk focus on misfortunes that may occur. To be more specific, risk is often defined as the potential to gain or lose something of value. In a business context, risk is described as the probability, threat, susceptibility, or consequence of damage, injury, hazard, liability, loss, or any other negative event, situation, or condition caused by internal or external vulnerabilities that may be avoided through prospective or preemptive action.
For nonprofits and NGOs, risk can be regarded as any issue that may cause an organization to lose sight of or divert from its mission, purpose, or daily operations. Risk can come from a single event or from multiple vulnerabilities interacting across some or all of an organization’s departments, divisions, or functions.
Traditionally, organizations consider financial risks such as fraud and cash management practices, whether it spends too much on fundraising, or if it relies on a few large donors. But non-financial risk creates as much vulnerability for nonprofits and NGOs as it does for commercial businesses. After the global financial crisis of 2008, and the corporate governance and ethics problems that have emerged over the last several decades, more attention is being paid to risk in all of its forms across all types of organizations. Most contemporary definitions of risk go beyond misfortunes that may actually occur to risk scenario planning that includes the possible effects of uncertainty on organizational goals.
Individual risks can be characterized in many ways, but there are three sets of descriptors that apply to all risks:
–Types of risk. Describes the sort and scope of risk.
–Dimensions of risk. Describes the source of risk and the degree of harm caused by risk.
–Categories of risk. Describes risks in the context of key organizational functions.
Identifying and describing the particular set of risks facing your organization is an important element in enterprise risk management. The clearer risks are defined in your organization, the better. The following sections of The Nonprofit Risk Book include ways to describe risks in greater detail.
Types of Risk
Risks can be episodic and incident-driven with one outsized situation or problem causing harm to your organization. Risks can also be systemic or structural. These risks are those that appear regularly and are generated by something baked into an organization’s operations (usually as a byproduct of other initiatives or ways of working). Risk can occur through a complex chain of events or clustering of problems that interact and magnify the significance of individual factors to cause harm to your organization.
Dimensions of Risk
Thanks to work being done on corporate compliance and enterprise risk management in the for-profit and not-for-profit sector by organizations like The Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (ISO), Chartered Global Management Accountants (CGMA), BDO USA and Deloitte US, nonprofit and NGO leaders are learning to think about the specific features of risk and the degree of harm that can result from risks left unaddressed. We call this the dimensions of risk. Understanding the dimensions of risk will help you look for, identify, prioritize, and begin to manage risk. There are four basic dimensions of risk: source, likelihood, impact, and vulnerability.
–Source. Does the threat or concern originate from inside or outside of my organization?
–Likelihood. What is the probability that this risk has, can, or will occur in my organization? Is this risk very likely, moderately likely, or not very likely to occur?
–Impact. How significant will the effect of this risk be on my organization? How serious could the consequences of this risk be for my organization? Is this a high risk, medium risk, or low risk?
–Vulnerability. Is my organization safe from this risk? How much risk exposure does my organization have?
Categories of Risk
All nonprofits and NGOs will find risk across all functional areas, departments, divisions, and programs. By thinking holistically and looking functionally, you can help each member of your team locate risks that are central to their everyday work and portfolio of responsibilities. There is a series of questions you can pose to your team that can help them focus on specific risks in your organization. These general questions will help you drill down to the processes and practices that may pose specific risks for your organization. Risk in each functional area of operations is discussed more fully in its own chapter.
5 Operating Risks in Key Organizational Pillars
The functional areas of an organization—its departments, divisions, and programs—are home to operating risks. Operating risk comes from a breakdown, misalignment, misuse, or misunderstanding of goals, tools, or processes. We consider five organizational pillars in which risk presents itself:
–People. The people you serve, as well as the people who work inside your organization. Their wants, needs, skills, education, motivations, and goals all come into play in the daily operations of your organization.
–Policy. These are the formal rules that you set or are set for you, as well as the informal guidelines that may be handed down from founders or other leaders of the organization, that govern the daily operations of your organization.
–Practice. This is how things are actually done. Practice is what people do and how they do it. It can reflect formal or informal customs, conventions, culture, or habit.
–Process. The ways in which things are done. This describes workflow and a set of formalized activities or repeatable steps to reach organizational goals.
–Technology. In today’s world of work, technology is everywhere and part of everything we do. It is the hardware and software that processes information and facilitates communication. It can be used fully, partially, or worked around.
Why Nonprofit Enterprise Risk Management Matters
Risk lives in every organization and aspect of organizational operations. But the risk mix, likelihood of occurrence, and potential impact differ from organization to organization, necessitating a careful look by department, program, and function to identify vulnerabilities. Enterprise risk management (ERM) is the discipline that looks at organizational risk and searches for patterns and combinations that need a broad approach to identification and mitigation.
Enterprise risk management can shield your organization from internal vulnerabilities and external threats, giving you breathing room to respond to new opportunities. Most nonprofits and NGO leaders are so busy dealing with day-to-day activities that they find themselves stretched to keep up. They experience the thought of adding one more thing to the to-do list to be overwhelming and they believe that managing to mission will protect them from disaster. These leaders don’t realize that:
–Disjointed one-off crisis response drains energy and resources.
–The fear of identifying risks doesn’t mean they won’t happen.
–Risks can be mitigated by baking solutions into daily operations.
–Denial, “it-can’t-happen-here,” or “it’s-out-of-our-control” ways of thinking are surefire breeding grounds for risk.
–There are ways to identify resources, capture data, and develop indicators to monitor and respond to emerging risk events.
Once leaders consider the disruption, expense, and effort it takes to manage a crisis and imagine the peace of mind that can come when problems are averted or mitigated, the work of enterprise risk management becomes more appealing.
As leaders move into the work of risk management, they must consider the aggregate amount of risk the organization actually carries and bears—its risk profile—and its ability to tolerate and balance risk-taking—the risk appetite:
–Risk profile is the overall level of risk in which your organization operates.
–Appetite for risk is the amount of risk an organization is willing to take to reach its goals and how risk-averse or daring the organization is.
Risk Profile
Understanding the aggregate amount of risk associated with organizational performance and operations is the first step in a process to mitigate it. Organizational risk is assessed along a continuum, as there is no universal risk profile for all nonprofits or NGOs.
An organization’s risk profile is based upon an assessment of internal weaknesses, external threats, and leadership’s ability to tolerate exposure and vulnerabilities. The risk profile you develop will take your mission, strategy, plans, and objectives and marry it with executive and board tolerance for uncertainty and surprise. The risk profile will consider known, new, or emerging risks, and it will contemplate three additional types of risk: preventable risk that is usually related to internal practices that can be improved, strategy risk that contemplates likely risks and plans to contain them, and external risk that cannot be controlled but can be anticipated and mitigated with advance preparation.
Assessing an organization’s risk profile is not about compliance and audits, nor is it about rules and regulations. Checklists and rules-based risk models do not diminish the likelihood or impact of risk events or the impact of cascading risk. Understanding your risk profile will enable you to anchor risk assessment to risk mitigation activities throughout your organization.
As with many challenges in life, actively managing risk means knowing and accepting your own strengths and limitations. To deal with risk, you must know how much of it your organization, staff, and leadership can bear and come to the work with an understanding of your organization’s capacity to manage it. The process of developing your risk profile starts by figuring out your appetite for risk.
Appetite for Risk
The organization needs to determine how much risk it is willing to accept in pursuing its goals. This can change over time. Determining appetite is an exercise in finding the sweet spot between risk and opportunity. The appetite for risk is usually measured as a vulnerability parameter in one or more functional areas of operations: financial, operational, programmatic, and strategic.
Every organization faces different risks, so a one-size-fits-all risk management program is not possible. The experience and knowledge of volunteers, board members and staff should be the basis for developing a sound risk management program. Risk management is the thoughtful process of recognizing and controlling risks so you can protect and conserve resources. Your risk management program should cover all aspects of your organization, including its mission, services, strategic goals, activities, staffing, funding, and ongoing operations. It is far better to plan for risk than to deal with problems, so it is important for the organization to have a sense of the amount and types of risk it can handle comfortably.
Summary
This chapter provides an overview and general description of risk in the nonprofit world. The following chapter will guide you through identifying specific risks in your organization.