By Melanie Lockwood Herman
If you’ve been hearing references to Enterprise Risk Management or ERM frameworks, you’re probably wondering whether this particular incarnation of risk management is relevant to your organization. You may also be wondering whether transforming a perfectly good risk management function into an ERM program is worth the time, effort, and expense.
ERM sometimes feels out of reach. The sentiment “we can’t afford ERM” is expressed by teams from small, nimble organizations as well as teams working in larger, better-resourced nonprofits. The NRMC team believes that ERM fundamentals should not be elusive or out of reach for any mission-driven nonprofit. In this article we explain three ways to broaden your approach to risk management.
When asked “What is ERM?” by nonprofit leaders, I often cite the explanation provided by Michael Power, in his book, Organized Uncertainty. Power writes that, “. . . ERM should be understood as referring to any broadly-based conception of risk management . . .” I’m also drawn to the definition of ERM found in Rick Nason and Leslie Fleming’s book, Essentials of Enterprise Risk Management. Nason and Fleming write that, “Simply put, enterprise risk management (ERM) is an integrated and holistic approach to risk management within an organization.” Nason and Fleming continue by explaining that, “The overarching goal of ERM should be on making an organization more effective and efficient.”
My colleague Diana Del Bel Belluz explains that, “For me ERM is focused on the strategic objectives of the organization and therefore more closely linked to the value-creation chain. Traditional risk management tends to focus on value protection, usually in operational or functional silos.”
Inspired by the work and writing of former NRMC board member H. Felix Kloman, we would add “resilience” as both a worthy goal and expected consequence of the commitment to broader, more holistic risk management. Mission-fortifying risk management strategies should build resilience. Leaders of a nonprofit that embraces ERM should be confident in their ability to seize opportunities and counter calamities that would bring an unprepared nonprofit to its knees.
Given the myriad ways that nonprofit missions are changing the world and the lack of a sure-fire way to accurately predict mission-disrupting events, every organization stands to benefit from evolving risk-taking and risk management capabilities. Whether you want to improve risk identification, build risk understanding across diverse and interdisciplinary teams, or inject greater creativity and buy-in into your risk management strategies, taking a broader, ERM approach can be helpful.
In the section below, we explore three contrasting approaches to getting an ERM program underway at a nonprofit. Does one approach feel like a good fit? Can you “sell” ERM based on the scope described in one of these options? With all three approaches, keep in mind that although it may be easy to generate some initial curiosity and excitement, sustaining a commitment to ERM is a perennial challenge. To sustain your ERM efforts you’ll need to secure the buy-in and support of the executive team and also demonstrate how new ERM capabilities and activities yield a worthwhile pay-off. Remember to link risks to the strategic priorities of the organization and your nonprofit’s goals related to growth or improved results.
I recently heard from a newly anointed risk leader who has been tasked to “implement ERM” in short order. A long lead-up or pensive planning period prior to getting underway won’t work for this newly-minted risk champion. If you need to quickly test the waters and also demonstrate the potential of ERM, consider a three-step ERM Quick Start.
Step 1: Invite staff at your organization to attend a 90-minute ERM organizing and information session. Although you may be inclined to hand select invitees, consider opening up the opportunity to anyone who’s interested with an invitation similar to the one below.
“Join me next Wednesday from 10-11:30 a.m. in the conference room to discuss Enterprise Risk Management, a holistic approach to risk management. We’ll discuss how ERM could be helpful in advancing our mission. Bring your risk-taking and risk management ideas, as well as your worries and pet peeves related to risk. Come prepared to learn and share!”
Step 2: Convene the ERM organizing and information session. Use a simple agenda to guide and facilitate discussion, such as:
Step 3: Report Back and Launch. Pull together your notes from the organizing meeting. Add a “next steps” section and include a list of the specific commitments made by attendees. A possible format for the report is:
Consider sending a pre-read to everyone who signs up for the initial organizing session. Here are three suggested pre-read and pre-watch items:
A Measured Start is appropriate for a team that is intrigued by the potential benefits of ERM but doesn’t want to over-commit or over-promise. This six-step approach involves measured steps over a period of six months.
Step 1: Conduct a survey to identify possible goals and opportunities related to ERM. Use an online survey tool to gather information and collect anonymous (or self-identified) feedback on topics related to ERM. Adapt and supplement the following list of exploratory questions for your survey.
Step 2: Distribute and share the survey results at an informational meeting. Compile the results from the survey into a short report. Create a slide deck noting common aspirations for ERM, concerns, comments about the organization’s risk appetite, and a top risks ranking. Invite attendees to volunteer to attend the next gathering; let invitees know that options for evolving risk management will be the focus of the meeting.
Step 3: Convene an organizing meeting to brainstorm ERM strategies. Remind attendees about the key takeaways from the survey. Divide the group into smaller subgroups of 4 staff members. Ideally, each group of 4 will have team members from different departments, or colleagues who don’t customarily work side-by-side. Possible prompts for the subgroup discussions include:
Bring the small groups back together for sharing during the final 30 minutes of the meeting. Go around the room and ask each participant to indicate if they’d like to continue supporting the process. Invite participants to identify a colleague they believe should be involved in the program.
Step 4: Compile the results from the organizing meeting. Schedule a follow-up meeting to present and discuss the results. At the four-month mark of your Measured Start, you’re ready to hone the ideas that were generated at the organizing meeting. As you review the results from the prior session, look for areas of overlap or consistency. List each strategy or activity on a separate page followed by prompts to spark conversation about the strategies. Divide into smaller groups and assign 1, 2 or 3 strategies to each subgroup.
Possible prompts for the small groups include:
Step 5: Brief the board. At month 5 in the ERM Measured Start you’re ready to seek feedback and invite questions from the team with ultimate authority for the well-being of your organization: the board. If the management team or senior staff team hasn’t been involved in the meetings held thus far, conduct a dress rehearsal preview for that team, before presenting to the board. Here’s one possible structure for your presentation.
Step 6: Create an implementation plan. Now that you’ve collected insights and ideas from multiple groups of internal stakeholders, it’s time to create a plan to sustain your ERM work in the months and years ahead. Consider developing a simple implementation plan that will serve as a roadmap for your efforts. Some of the key questions you’ll want to answer in your plan include:
If you’re determined to introduce ERM to your organization but believe that easing into it is a best bet, consider our Ease Into ERM approach, described below. This approach can be implemented over a 12-month period; complete each step every three months.
Step 1: Assess risk management capabilities. Conduct a survey to identify current risk management activity in your organization. Don’t limit participation to the individuals you believe have the greatest awareness of risk management; invite the entire staff to participate in this process. Possible items for the survey include:
Step 2: Identify opportunities to evolve risk management. Use data and insights from your survey to plan a facilitated meeting to discuss compelling opportunities to strengthen and broaden risk management practice. Invite anyone who’s interested in this work to attend the facilitated workshop. Some of the question prompts that could be useful in planning and conducting the workshop include:
Step 3: Draft an implementation plan and seek feedback. Using the data from the survey and notes from the facilitated workshop, draft a plan to evolve risk management capabilities in your organization. Distribute the draft plan to everyone who participated in the facilitated workshop and invite feedback. Encourage reviewers to share their ideas that will increase the plan’s thoroughness and ultimate success. If some of the feedback is inconsistent, meet with the individuals providing contrary feedback to discuss those ideas further. Some of the key questions you’ll want to answer in your plan include:
Step 4: Implement the plan and track your progress. ERM growth is a highly rewarding but gradual process. To meet your goals, it will be important to keep the program energized and productive for years to come. Break long-term goals into short-term milestones so that the board and staff leadership teams can see progress and maintain their enthusiasm for the next step. Invite feedback and periodically revisit progress and goals to keep the momentum going.
Over the last ten years the NRMC team has worked with a variety of diverse teams intent on implementing Enterprise Risk Management in their organizations. During those engagements we’ve counseled leaders who have faced brick walls and powerful pushback, and we’ve celebrated with leaders who’ve experienced powerful wins in their risk journeys. Our takeaways from these experiences are encapsulated in the following ERM reminders:
Whether you are inclined to slowly broaden and strengthen risk management capabilities or you’re ready to run, there are many different ways to inculcate risk-aware thinking and decision making in a nonprofit. And for some organizations, a narrow, operational-focused approach to risk management is just fine. Wherever you are on your risk management journey, remember that reaching out for help is a sign of strength. We hope you will consider the Nonprofit Risk Management Center to be a valuable resource in your journey, wherever it takes you! Call us at 703.777.3504 or contact me at Melanie@nonprofitrisk.org to share your ERM stories, nightmares, bold ambitions, or short-term wish list. We look forward to supporting your efforts!
Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. Melanie welcomes your questions about Enterprise Risk Management programs and strategies at 703.777.3504 or Melanie@nonprofitrisk.org.