By Melanie Lockwood Herman
If you’ve been hearing references to Enterprise Risk Management or ERM frameworks you’re probably wondering whether this particular incarnation of risk management is relevant to your organization. You may also be wondering whether transforming a perfectly good risk management function into an ERM program is worth the time, effort, and expense.
ERM sometimes feels out of reach. The sentiment, “we can’t afford ERM” is expressed by teams from small, nimble organizations as well as teams working in larger, better-resourced nonprofits. The NRMC team believes that ERM fundamentals should not be elusive or out of reach for any mission driven nonprofit. In this article we explain three ways to broaden your approach to risk management.
ERM is Broadly-Based, Holistic and Builds Resilience
When asked “What is ERM?” by nonprofit leaders, I often cite the explanation provided by Michael Power, in his book, Organized Uncertainty. Power writes that, “. . . ERM should be understood as referring to any broadly-based conception of risk management . . .” I’m also drawn to the definition of ERM found in Rick Nason and Leslie Fleming’s book, Essentials of Enterprise Risk Management. Nason and Fleming write that, “Simply put, enterprise risk management (ERM) is an integrated and holistic approach to risk management within an organization.” Nason and Fleming continue by explaining that, “The overarching goal of ERM should be on making an organization more effective and efficient.”
My colleague Diana Del Bel Belluz explains that, “For me ERM is focused on the strategic objectives of the organization and therefore more closely linked to the value-creation chain. Traditional risk management tends to focus on value protection, usually in operational or functional silos.
Inspired by the work and writing of former NRMC board member H. Felix Kloman, we would add “resilience” as both a worthy goal and expected consequence of the commitment to broader, more holistic risk management. Mission fortifying risk management strategies should build resilience. Leaders of a nonprofit that embraces ERM should be confident in their ability to seize opportunities and counter calamities that would bring an unprepared nonprofit to its knees.
Your Nonprofit Mission Deserves ERM
Given the myriad ways that nonprofit missions are changing the world and the lack of a sure-fire way to accurately predict mission-disrupting events, every organization stands to benefit from evolving risk-taking and risk management capabilities. Whether you want to improve risk identification, build risk understanding across diverse and interdisciplinary teams, or inject greater creativity and buy-in into your risk management strategies, taking a broader, ERM approach can be helpful.
Choose and Customize: Three Approaches to Getting Underway with ERM
In the section below, we explore three contrasting approaches to getting an ERM program underway at a nonprofit. Does one approach feel like a good fit? Can you “sell” ERM based on the scope described in one of these options? With all three approaches, keep in mind that although it may be easy to generate some initial curiosity and excitement, sustaining a commitment to ERM is a perennial challenge. To sustain your ERM efforts you’ll need to secure the buy-in and support of the executive team and also demonstrate how new ERM capabilities and activities yield a worthwhile pay-off. Remember to link risks to the strategic priorities of the organization and your nonprofit’s goals related to growth or improved results.
ERM Quick Start
I recently heard from a newly anointed risk leader who has been tasked to “implement ERM” in short order. A long lead-up or pensive planning period prior to getting underway won’t work for this newly-minted risk champion. If you need to quickly test the waters and also demonstrate the potential of ERM, consider a three-step ERM Quick Start.
Step 1: Invite staff at your organization to attend a 90-minute ERM organizing and information session. Although you may be inclined to hand select invitees, consider opening up the opportunity to anyone who’s interested with an invitation similar to the one below.
“Join me next Wednesday from 10-11:30 a.m. in the conference room to discuss Enterprise Risk Management, a holistic approach to risk management. We’ll discuss how ERM could be helpful in advancing our mission. Bring your risk-taking and risk management ideas, as well as your worries and pet peeves related to risk. Come prepared to learn and share!”
Step 2: Convene the ERM organizing and information session. Use a simple agenda to guide and facilitate discussion, such as:
- 20 minutes – Introductions: go around the table for introductions: my name, my tenure, my role, one top-of-mind concern about risk-taking or risk management in the organization, and one strength in our current approach to understanding and managing risk.
- 30 minutes – Why and How our Mission Would Benefit from ERM: invite participants to discuss why and how a more holistic approach to risk management could build confidence (by various stakeholder groups), and increase resilience (in the wake of unavoidable events).
- 30 minutes – What Next: work in groups of 3-4 people to brainstorm specific steps or activities that would improve any aspect of risk management in the organization. Ask each group to write their ideas on separate sticky notes. To prompt ideas, display a list of possible topics, such as: incident reporting, post-event/incident sharing and learning, engaging the board in conversations about risk, discussing our risk appetite, new training on specific risk topics, updating specific risk policies, creating greater psychological safety (reducing fear about speaking up), linking risk to strategic priorities, and so on. Invite the groups to display their sticky notes on a wall or whiteboard in the room. Give everyone a couple of minutes to view the notes posted by all of the subgroups.
- 10 minutes – My Commitment: wrap up the meeting by going around the table and asking each participant to identify 1) what they are ready, willing and able to do to support a more holistic approach to risk management, and 2) a valuable takeaway or “ah ha” moment from the meeting.
Step 3: Report Back and Launch. Pull together your notes from the organizing meeting. Add a “next steps” section and include a list of the specific commitments made by attendees. A possible format for the report is:
- Top-of-Mind Risk Concerns
- Risk Management Strengths and Current Capabilities
- Steps to Strengthen and Evolve ERM
- Team Member Commitments
Consider sending a pre-read to everyone who signs up for the initial organizing session. Here are three suggested pre-read and pre-watch items:
- “Egalitarian Risk Leadership: Flatten or Fatten?” – nonprofitrisk.org/resources/e-news/egalitarian-risk-leadership-flatten-fatten/
- “Risk Assessment Perspectives: Re-Lens with Three Approaches” – nonprofitrisk.org/resources/e-news/risk-assessment-perspectives/
- If your organization is an Affiliate Member of NRMC, consider using the following short webinar as a “pre-watch” for your kick off session. Enterprise Risk Management (ERM) 101 – nonprofitrisk.org/resources/webinars/enterprise-risk-management-erm-101/
ERM Measured Start
A Measured Start is appropriate for a team that is intrigued by the potential benefits of ERM but doesn’t want to over-commit or over-promise. This six-step approach involves measured steps over a period of six months.
Step 1: Conduct a survey to identify possible goals and opportunities related to ERM. Use an online survey tool to gather information and collect anonymous (or self-identified) feedback on topics related to ERM. Adapt and supplement the following list of exploratory questions for your survey.
- Enterprise Risk Management is a more holistic approach to risk management. From your perspective, what potential benefits might result from broadening our approach to risk management?
- What concerns or worries do you have about evolving our approach to risk management?
- What is your perspective on the risk appetite of this organization? Is it clear to team members throughout the organization what constitutes a “good bet” and what would be a “bad bet”?
- We’re defining risk as a future event that has the potential to substantially affect our strategic priorities. What do you believe are the top 3 critical risks we face at this time?
- From your perspective, who should be involved—at a minimum—in a project to evolve our risk management capabilities?
Step 2: Distribute and share the survey results at an informational meeting. Compile the results from the survey into a short report. Create a slide deck noting common aspirations for ERM, concerns, comments about the organization’s risk appetite, and a top risks ranking. Invite attendees to volunteer to attend the next gathering; let invitees know that options for evolving risk management will be the focus of the meeting.
Step 3: Convene an organizing meeting to brainstorm ERM strategies. Remind attendees about the key takeaways from the survey. Divide the group into smaller subgroups of 4 staff members. Ideally, each group of 4 will have team members from different departments, or colleagues who don’t customarily work side-by-side. Possible prompts for the subgroup discussions include:
- In what ways is our current risk management program fragmented or incomplete versus holistic? What do we believe are some of the reasons for that fragmentation?
- What “low hanging fruit” strategies should we consider in order to transform our risk management program into a more holistic ERM function?
- What are some longer-term strategies that we should consider as we evolve our risk management capabilities?
- Who do we think should be involved in an effort to integrate risk management practices? Does our view align with survey responses on this topic?
Bring the small groups back together for sharing during the final 30 minutes of the meeting. Go around the room and ask each participant to indicate if they’d like to continue supporting the process. Invite participants to identify a colleague they believe should be involved in the program.
Step 4: Compile the results from the organizing meeting. Schedule a follow-up meeting to present and discuss the results. At the four-month mark of your Measured Start, you’re ready to hone the ideas that were generated at the organizing meeting. As you review the results from the prior session, look for areas of overlap or consistency. List each strategy or activity on a separate page followed by prompts to spark conversation about the strategies. Divide into smaller groups and assign 1, 2 or 3 strategies to each subgroup.
Possible prompts for the small groups include:
- Does this strategy feel feasible?
- What’s an appropriate timeframe to implement this strategy?
- What is the expected cost?
- What pushback to this strategy should we anticipate?
- What steps can we take to anticipate and manage pushback?
- How will we measure success related to this strategy?
- Who should be involved in further refining this strategy?
Step 5: Brief the board. At month 5 in the ERM Measured Start you’re ready to seek feedback and invite questions from the team with ultimate authority for the well-being of your organization: the board. If the management team or senior staff team hasn’t been involved in the meetings held thus far, conduct a dress rehearsal preview for that team, before presenting to the board. Here’s one possible structure for your presentation.
- What is ERM?
- How does ERM contrast with our current approach to risk management?
- Overview of our approach to evolving risk management capabilities
- Desired and expected benefits
- Gathering diverse perspectives through a survey and in-person meetings
- Key findings: what we’ve learned thus far (including staff perceptions of top risks)
- Preliminary strategies to evolve risk management capabilities
- The board’s role in ERM: discussion
- Overview of next steps
Step 6: Create an implementation plan. Now that you’ve collected insights and ideas from multiple groups of internal stakeholders, it’s time to create a plan to sustain your ERM work in the months and years ahead. Consider developing a simple implementation plan that will serve as a roadmap for your efforts. Some of the key questions you’ll want to answer in your plan include:
- What process will we use to continually identify new risks, and update our understanding of previously-identified risks? How frequently will we use this process?
- How will we track and report on our work?
- How will we ensure that diverse perspectives are represented in our ERM work? How will we avoid groupthink?
Ease Into ERM
If you’re determined to introduce ERM to your organization but believe that easing into it is a best bet, consider our Ease Into ERM approach, described below. This approach can be implemented over a 12- month period; complete each step every three months.
Step 1: Assess risk management capabilities. Conduct a survey to identify current risk management activity in your organization. Don’t limit participation to the individuals you believe have the greatest awareness of risk management; invite the entire staff to participate in this process. Possible items for the survey include:
- Risk management is a broad discipline that includes any activity or policy that protects the assets and resources of our organization, from financial assets to the well-being of our staff, volunteers, and service recipients. Please describe some of our risk management activities with which you’re familiar.
- Enterprise Risk Management is a more holistic, integrated approach to risk management. How might a more holistic approach be helpful here?
- Please rate your confidence in the following risk management capabilities. 1 = not confident, 3 = somewhat confident, 5 = highly confident.
- We proactively consider our risks and take timely action to reduce the likelihood and potential severity of downside risks.
- We are prepared to respond to a crisis.
- Staff throughout the organization are comfortable raising risk concerns and risk management opportunities.
- We have the right people involved in conversations about risk.
- We actively engage and involve oversight teams (the board, board committees) in conversations about risks related to strategy.
Step 2: Identify opportunities to evolve risk management. Use data and insights from your survey to plan a facilitated meeting to discuss compelling opportunities to strengthen and broaden risk management practice. Invite anyone who’s interested in this work to attend the facilitated workshop. Some of the question prompts that could be useful in planning and conducting the workshop include:
- What were the most surprising findings from the survey?
- Do the survey results suggest that we focus or double-down in one or two areas?
- What information or insights do we need to uncover and understand in order to strengthen risk management? Are there key questions that remain unanswered?
- Are there “quick win” projects we could undertake to strengthen risk management?
- What possible longer-term projects should we consider?
- Who needs to be involved in discussions about our risk landscape and risk management activities?
- How should we measure the effectiveness and impact of new risk management activities?
Step 3: Draft an implementation plan and seek feedback. Using the data from the survey and notes from the facilitated workshop, draft a plan to evolve risk management capabilities in your organization. Distribute the draft plan to everyone who participated in the facilitated workshop and invite feedback. Encourage reviewers to share their ideas that will increase the plan’s thoroughness and ultimate success. If some of the feedback is inconsistent, meet with the individuals providing contrary feedback to discuss those ideas further. Some of the key questions you’ll want to answer in your plan include:
- Goals: what are we hoping and expecting to achieve by broadening risk management capabilities?
- Process: what process will we use to identify new risks and update our understanding of previously-identified risks? How frequently will we use this process? What process will we use to track and report on our top risks?
- Culture: what changes in culture or behavior must occur for our ERM work to be successful? How will we inspire and support those changes? How will we ensure that diverse perspectives are represented in our ERM work? How will we avoid groupthink?
Step 4: Implement the plan and track your progress. ERM growth is a highly rewarding but gradual process. To meet your goals, it will be important to keep the program energized and productive for years to come. Break long-term goals into short-term milestones so that the board and staff leadership teams can see progress and maintain their enthusiasm for the next step. Invite feedback and periodically revisit progress and goals to keep the momentum going.
- Float a maturity model. Consider developing a “Maturity Model” to provide a bird’s-eye view of where you’ve come from, where you are, and where you hope to be next year. For an example of a maturity model visit the RISK eNews article “Risk Management Maturity: Where Do You Stand.” Remember that no two organizations will have the same maturity goals and milestones. Be creative! A graphical representation of your progress through the maturity timeline can also make your ERM goals and milestones memorable to decision makers.
- Celebrate milestones. As your organization encounters success, it’s important to celebrate risk management accomplishments and processes that provided value along the way. Recently a visitor to NRMC jokingly said, “everyone loves a parade . . . except the risk management professional.” If this rings true for risk management at your nonprofit, think of ERM as a way to change perceptions that risk management is “the department of no.” Celebrating success and connecting milestones to the mission will solidify ERM as a positive force for good.
- Modify and update. One of the most important traits in any ERM team is humility. As your ERM program takes off, seize every opportunity to listen to feedback, and use lessons-learned to trim or revamp your approach so that your program stays nimble and effective. An ERM function is always a work in progress. As explained in the tips below, the most effective ERM program bends and adjusts to suit your changing, dynamic risk landscape. See “Oh! The Places We Will Go” in this issue of Risk Management Essentials or at nonprofitrisk.org/resources/articles for additional tips and insights on evaluating your progress.
ERM Tips from the Trenches
Over the last ten years the NRMC team has worked with a variety of diverse teams intent on implementing Enterprise Risk Management in their organizations. During those engagements we’ve counseled leaders who have faced brick walls and powerful pushback, and we’ve celebrated with leaders who’ve experienced powerful wins in their risk journeys. Our takeaways from these experiences are encapsulated in the following ERM reminders:
- Tailor ERM to suit your nonprofit’s mission, culture and risk ambitions. Trying to copy or replicate another entity’s ERM program is a false shortcut. Although you’ll be able to produce something quickly, a borrowed framework will fade and fail in time.
- Don’t be afraid to dabble and doodle. Resist the urge or inclination to show your ERM work as a fait accompli or a finished product. Let readers and reviewers know that your framework, definitions, implementation plan, and accountability strategy are a work in progress.
- Learn as you go. Learning as you go with ERM is fundamental to success. There will be many eureka moments along the way, along with a few frustrating, but temporary roadblocks. For example, an NRMC client explained recently that when he proposed adding a risk-themed value to the organization’s list of core values, the idea was “whacked down.” Baking in risk management values into core values seemed like a no brainer idea. Strive to be empathetic with colleagues who are weary and worn down by new approaches and expectations.
- Cast a wide net and remember to bang your ERM drum. Remember to involve many different stakeholders in your organization as you construct, tweak and refine your ERM program. Ask “whose perspective is missing?” as you work to identify new recruits for your effort. And keep top-of-mind the importance of linking ERM work to the most important goals and objectives in your nonprofit, such as: stewarding donors, diversifying revenue sources, launching new programs, increasing professionalism, inspiring employee engagement, demonstrating impact, and so on.
- Monitor the risk of actual or perceived organizational drag. One of the weaknesses in many risk management efforts is the perception that it creates dreaded organizational drag. Authors of the CEB report, Reducing Risk Management’s Organizational Drag cite “isolation of the risk function” as one of three key causes of organizational drag related to risk management. Not only does an isolated function result in little buy-in across the organization—it also limits your capacity to develop a holistic understanding of your nonprofit’s risk landscape. Risk management should be inclusive, inviting people with different vantage points to share their perspectives on risk. (For more on organizational drag, see the RISK eNews article Risk Management’s Unintended Consequences.)
Reach Out for Help
Whether you are inclined to slowly broaden and strengthen risk management capabilities or you’re ready to run, there are many different ways to inculcate risk-aware thinking and decision making in a nonprofit. And for some organizations, a narrow, operational-focused approach to risk management is just fine. Wherever you are on your risk management journey, remember that reaching out for help is a sign of strength. We hope you will consider the Nonprofit Risk Management Center to be a valuable resource in your journey, wherever it takes you! Call us at 703.777.3504 or contact me at Melanie@nonprofitrisk.org to share your ERM stories, nightmares, bold ambitions, or short-term wish list. We look forward to supporting your efforts!
Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. Melanie welcomes your questions about Enterprise Risk Management programs and strategies at 703.777.3504 or Melanie@nonprofitrisk.org.