Getting Started

The process you are embarking on is basically linear, as the diagram shown in Figure 4.1 (and others in this book) shows.

You’ll see the diagram shown in Figure 4-1 throughout the book (and in The Nonprofit Risk App as well). It’s a reminder of the process that you’ll build to find and manage risk in your nonprofit organization. The process steps we outline will help guide you along the way. You begin with getting ready and rolling out the project in your organization. This process is critically important as you identify a project manager or hire a consultant to facilitate and start to assemble a team that will be working together for a period of time. Once your team is assembled, you can move on to identifying the risks to which your organization may be exposed. As you identify each risk, you assess its cause and significance: how likely it is to happen (once or repeatedly) and how much damage could it do. Risks are then categorized and ranked so that your planning work centers on the highest priority risks.

With your risks identified, assessed and prioritized, you move on to the third step, which is to develop mitigation strategies for each identified risk, implementing those strategies and monitoring the effects of your mitigation activity.

If you are thinking about assessing risk in your nonprofit organization, there are several strategies you can use. One way is to use benchmarks or metrics to compare your organization and its risks with peer organizations and see how your organization lines up against an industry standard. This is useful when a nonprofit organization has a strong quality and performance management process in place and several years of clean data. This approach allows an organization to set risk reduction goals and measure progress against a target. One challenge is that comparable benchmark data is hard to find for nonprofit organizations across all areas of programming and operations.

The other approach, which is the one we take in The Nonprofit Risk Book, is to help leaders work with the resources they have and know best: their own data and experience. To that end, we suggest areas for you to consider and pursue in your risk assessment effort, but our emphasis is on your organization. While it’s valuable to compare your organization with others, your attention and primary focus must be on developing an ERM risk mitigation plan and processes for your own organization.

There is one universal aspect of risk that holds for all organizations and it’s one you should keep top of mind: You are not alone in your worry about risk management, and you’re not the first to have to impose the discipline of ERM planning on a nonprofit organization. In talking with nonprofit executives and boards we have heard these worries expressed in countless meetings and as confidential requests for help and guidance. A board member or colleague reports a bad incident or operational crisis in wrenching detail believing that their organization is facing an unsurmountable challenge or terrible situation that no one else ever has.

In listening we are very often able to put minds at ease and see the weight lifted from their shoulders when we say, “Yes, this same thing happened two years ago at XYZ organization.” Fortunately, it is rare that a nonprofit nightmare arises with no warning and rarer still when catastrophe strikes in an entirely new way.

As we thought about the heavy weight of shame and isolation carried by executives and board members in the face of what is most often a consequence of nonprofit program operations and business models, we developed an even greater appreciation for the need to open up conversations about risk and risk management to make it as commonplace as conversations about other nonprofit management activities. We’ve taken these conversations to heart and offer an approach to risk management aimed at helping executives and boards find and fix vulnerabilities while they are still small and well before they grow into disasters.

Although it is basically linear, as you proceed with the ERM planning process you may realize that some changes need to be made, so you can easily revisit an earlier process point. It can be tempting in an effort like this to force it to be sequential with every step completed before proceeding to the next. Most planning and implementation processes move forward and back on the way to completion as new information emerges or conditions change. This said, planning projects cannot go on indefinitely and the beauty of plans is that once they are completed, anything left out can be added in at a later date or picked up in the next plan. The timeframe for your ERM planning process should be finite so that you don’t get caught in an endless feedback loop or the trap known as paralysis by analysis.

In order to move forward quickly, you will need a way of working that accommodates to the changes you will experience as you rollout and implement your ERM plan. There are two ways you can do that.

Some people prefer to work digitally, while others prefer to work on paper, so you can choose what you’re most comfortable with. If you compare the two methods, you’ll see that paper forms let you enter all of your data on grids or spreadsheets. With an app, you enter the data into smaller sections, and the app puts the data together according to your choices when you want to view it.

This structure allows the app to change the display as needed. For example, consider the risk mitigation log shown in Figure 4.2. As is the case throughout the Nonprofit Risk app and many other apps, the data is presented first as a list (such as the list of mitigation actions on the left of Figure 4.2). You can tap the pointed disclosure arrow at the right of each item in the list to see its details, as you see on the right of Figure 4-2. When you use the disclosure arrow or Info circle to look at details, you’ll find a Back button at the top left of the details screen. Use that to return to the list view. (You’ll see it at the top left of Figure 4.2 right.)

Taken together, the mitigation log in the app lets you enter dates for the creation of a Mitigation Action Plan (MAP), its review, and its completion. The app reminds you of upcoming MAP dates both within the app and (if you choose) by sending you notifications with whatever lead time you want.

With paper, the format for capturing your data is basically set when you choose your form. If you are undecided about whether to go with a paper or app tool for your ERM process, experiment with one hypothetical risk using the downloadable paper form, and try it again with the app. This will not only help you make your choice, but it will also get you into the routine of looking at risks so that you’re ready when you actually start your own non-hypothetical project.

The Nonprofit Risk App

The Nonprofit Risk app functionality parallels this book. When you launch the app for the first time, you will see an overview of your project. If you have opened the app for the first time, you will have an empty project to work with. An overview for a project in progress is shown in Figure 4.3.

Readiness and Rollout

Once you decide on using the app or paper template, you’re ready to begin the project as shown in Figure 4.4.

The methods needed to activate the readiness and rollout stage in an ERM process are tools you already have and use: research, training, meetings, persuasion, memos, newsletters, social, and anything other channels you and your organization use to communicate and engage with your staff, managers, volunteers, service users and board.

The more you inform and engage your organization in thinking about risk and risk awareness, the better your plan will be. Broad-based support and buy-in will strengthen the ERM work and the ERM planning project. A mandate handed down from “on high” may not be the way you typically start change projects in your organization, but an enthusiastic embrace of risk management by leaders from the start is a necessary signal that this work is valued and a priority. It’s unusual that ERM has to be mandated and closed to discussion, but in cases of significant resistance, the process may need a kick start.

It is useful to keep an eye out for outright opposition to the project. Opposition may come from people who are simply averse to change, or it may come from people who feel specifically threatened by the details of the project. It’s important to remember that any change in practice or process changes the work and work experience of someone in the organization. Be aware of who will be affected by the shifts and ensure that they are informed and invited into the process to speak from experience and offer suggestions for dealing with necessary changes. As we’ve said before, risk awareness is everybody’s business.

At this point, be sure that you have identified a project manager and ERM team, an easy to understand description of the purpose, goals, activities and timeline for your ERM planning effort If you’re using the app, you can enter this information in the project overview text box as illustrated in Figure 4.3.

It is important to remember that risks arise all the time and are often unpredictable by nature. You want to build an ERM plan that takes into account known risks that need mitigation and hypotheticals, also called scenario risks, that are based on a future state or uncertainty. You don’t want to create an ERM plan that locks your organization into a set of risk mitigation activities that cannot not accommodate to the changing circumstances of nonprofit organizational life, the environment you work in, or the work you do.

When you are ready, it’s time to move on to the next phase: risk identification and assessment.

Risk Identification and Assessment

Now it’s time to move on to identifying and assessing your priority risks. You can start with your top ten risks or use the sample list of risks as described in Chapter 2 and add organization-specific risks as you go, Once you have your risk list, drop it into the risk register and begin to dig deeper into the cause, location, severity and likelihood of each risk. Figure 4.5 shows the roadmap for risk identification and assessment.

Figures 4.6 and 4.7 show the beginning of the risk identification and assessment process. On paper, we show a single form for both; with the app, the data is entered separately for the register and list. This reflects the difference between the app and paper-based interfaces. Choose whichever way is easiest for your organization.

Building the Risk List

Use the steps outlined in Chapter 2 to develop your list of risks. Again, you can start from the list of common nonprofit risks, from a risk identification session with staff, from a list developed by department and program or with the assistance of a consultant or business advisor or from your top ten risk list. As part of the assessment phase, you can highlight certain risks based on any criteria (including what resources are available to work on them), and you can prioritize them.

If you are working on paper, enter the list on a form such as the one you see in Figure 4.6. You can download it as a PDF file (see the Introduction for details). Note that the paper form combines the risk list and risk register, which you can fill in two steps.

If you are using the app, you generally switch back and forth between the list of risks shown in Figure 4.7 and the details for each risk shown in Figure 4.8.

Tap Edit to enable the + button and add new risks. When you’re done, tap Done which replaces the Edit button or Cancel which will appear at the left. As is the case with all lists in the app, tap the disclosure button at the right of each item in the list to add its details. Figure 4.8 shows the details entry view for a risk.

The details for each risk shown in Figure 4.8 may give you pause. You will need to consider which programs or departments may be home to the risk, which activities in the program or department may be causing or interacting in a way to cause risk and whether the program or department has the capacity to resolve the identified risk. You may check and uncheck the checkboxes a number of times as you delve into the causes and possible mitigation strategies. Filling in the details for each risk as shown in Figure 4.8 is a critical part of the process.

Note: Figure 4.8 shows aspects of your organization. They may correspond to some or all of the functional areas discussed in Part II, but often they are different.

Turning the Risk List into a Risk Register

If you are working with paper, such as the downloadable PDF files, move the data from your risk list into the risk register shown previously in Figure 4.6.

With the app, your risk register is already populated with your risk list when you tap the Risk Register tab as you see in Figure 4.9.

The controls at the top of the window let you sort the risk register. As you see in Figure 4.8, that is the same data you have in columns on paper as seen in Figure 4.6.

What matters is that you have the information available in whatever format you are comfortable with. Make sure that there are no omissions.

For each risk in the risk register, add its details using the disclosure triangle at the right of the risk in the risk register. Figure 4.10 shows the details for a risk register item.

Note: It is expected that your assumptions may change as you work with the data and look at it invarious ways, sort it, and review it. Understanding the data and what it reflects about your organization is a normal part of the process that will help you identify and assess risks.

Risk Mitigation Plan Development & Monitoring

With your risk register in hand, you can move on to a risk mitigation plan as seen in Figure 4.11.

After completing your risk register, you can create a mitigation log that captures the activities you will undertake to reduce organizational risks. For each risk, you now need to develop mitigation actions. Again, you can do this on paper or with the app. With the app, your mitigation log starts from your risks, as seen in Figure 4.12.

You can add more actions to each identified risk, and you can sort the mitigation log by the dates for creating, reviewing, or closing each mitigation action. As with the risk register, the more ways you rearrange the data and work with it, the more you will understand your organization and its risks.

You can add new mitigation actions for each risk by tapping on Edit and then + as you see in Figure 4.12. Once you have created a new mitigation action, tap the disclosure triangle at the right of a mitigation action to provide its details as you see in Figure 4.13.

Summary

In this part of the book, we recapped the enterprise risk management process starting from preparation for ERM, continuing to risk identification and assessment, and moving to mitigation planning for an ERM plan you developed for your own organization. In the second part of the book, we will explore risk in the functional areas of nonprofit operations and offer practical insights to deepen risk awareness and inspire creative solutions. You’ll see what they are, what general warning signs you should watch for, and specific questions to ask to identify and understand the risks. Only by understanding the risks can you develop a meaningful and successful mitigation plan.