Going Up? Elevator Talk, Risk Management and the Nonprofit Board

By Melanie Lockwood Herman

The Board of Directors sits atop the organizational chart of a nonprofit organization. Board issues are either self-initiated or are “elevated” by staff for board consideration. Both approaches are inherently necessary to the board’s governance role. And while there are myriad definitions, governance is essentially the “means in which the leading authority, often the board of directors…guides and monitors the values and goals of its organization through policy and procedures.” Source: Philanthropic Foundations Canada.

Yet despite the clarity in the board-staff reporting relationship (the staff report to the board and never vice versa) many organizations struggle with creating a workable and appropriate division of labor. Others settle on a division of labor that becomes stale as the organization faces new challenges, including significant growth in good times or the need to cut back in a difficult economic climate. The respective roles and responsibilities of the board and staff should be “on the table” for discussion and periodic review. Newcomers in both camps need to know “who’s on first” and how the organization holds key personnel accountable. And veteran members of the board and staff need periodic reminders about their commitments and roles, as well as an occasional refresher course. By taking these steps the leaders of a nonprofit can avoid the fallout and unnecessary pain and suffering that result from role confusion.

One area where there is infrequently a tug of war is the oversight of enterprise risk (see sidebar on page 3 for a definition of “enterprise risk management”). In NRMC’s experience, both boards and staff are often happy to defer responsibility for managing risk to their colleagues across the aisle.

But like other key oversight areas, risk oversight belongs in both camps. It is without question a critical responsibility of the body charged with “monitoring the values and goals of the organization.” But it also falls within the scope of responsibility of the staff who lead others, manage assets, experience the daily activities that give rise to operational as well as enterprise risk, and bring board policies to life each and every day. A survey of risk in action in the U.S. nonprofit sector would likely reveal that the lion’s share of effort for both forecasting and addressing risk falls on staff. We believe that a figurative elevator ride is in order to correct this imbalance in the division of labor.

Determining the organization’s appetite for risk, policies on risk-taking and overarching strategies for managing risk are essential to discharging the board of directors’ duty of care. Effective monitoring of values and goals cannot take place without appreciation for risk and risk-taking. And, as an outwardly focused stakeholder group, a board is in an ideal position to see and report back on risks with which hard-working, internally focused staff may be unable to see clearly or likely to overlook. Effective board service then must include active involvement in discussions and decisions regarding the assessment and the management of risk for the nonprofit.

So the question becomes how does it happen? What information is needed and what type of discussion is required to help board members discharge their duties and perform at the highest possible level? And what steps should staff take to guide the board into the elevator and safely up to the top floor? How can staff effectively enable the board to accept and live up to its responsibility without appearing to be passing a thankless job up the organization chart?

The Charity Commission Model

One option is to borrow and adapt the experience of our British cousins across the Atlantic. The Charity Commission for England and Wales is an agency charged with regulating charities. The mission of the agency is to provide “the best possible regulation of the charities in order to increase charities’ efficiency and effectiveness and public confidence and trust in them.” In the annual report required by the agency, the boards of all UK charities must make a statement confirming that the “major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems have been established to manage those risks.” The trustees must confirm that they have reviewed major risks in the areas of operational performance, achievement of aims and objectives; and meeting expectations of stakeholders.

The term “major risks” is defined as follows: risks which “have a high likelihood of occurring and would, if they occurred, have a severe impact on operational performance, achievement of aims and objectives or could damage the reputation of the charity, changing the way trustees, supporters or beneficiaries might deal with the charity.” Source: www.charitycommission.gov.uk/investigations/charrisk.asp.

Experienced nonprofit leaders know that bringing items of an administrative nature (e.g., the size of the type on the disclaimer language on our volunteer application or the color of the carpeting in the conference room) to the board leads to board involvement in administrative matters and distraction from the true meaning of governance. Yet risk management is often written off as a collection of administrative matters that include taping down loose carpets and word-smithing application forms. The discipline of risk management and the environment in which nonprofits operate today require that nonprofit leaders bring a discussion of risk and risk-taking to the board room and invite the board to discuss risk as part of their role in guiding and monitoring the values and goals of the organization. One approach to doing so is by adding “risk taking and risk management” to the agenda of at least one board meeting held annually or to the agenda of the board’s annual retreat. The results of these discussions should be included in the orientation manual or packet provided to each new board member during the orientation process. We hope the questions below will stimulate your thinking about how to structure a discussion about risk at an upcoming meeting of your board.

  • What are the organization’s most important goals during the next five years?
  • What are the organization’s most significant risks during the next five years?
  • How likely is it that the organization will experience a loss in the top risk areas?
  • How likely is it that the identified risks would have severe consequences (think impact on mission) were they to materialize?
  • What are the primary risk management strategies for the key areas of risk?
  • How effective is the organization at forecasting risk, understanding and evaluating risk, and taking timely, appropriate action?
  • How does the board actively contribute to the accurate forecasting of risk?
  • Does the board have a shared vision of the organization’s risk appetite?
  • Is the identification, assessment and management of risk linked to objectives?
  • Do current risk management efforts cover all areas of critical risk?
  • Does our risk profile reflect our views about levels of acceptable risk?
  • Do we review the results of our overall risk management program?
  • Is risk management ongoing and embedded in our culture?
  • What big risk(s) could the organization take this year to advance its mission?
  • Have we recently conducted a formal risk assessment with the assistance of knowledgeable and objective professionals?

Elevating the discussion of risk by inviting the board to discuss the nonprofit’s risk-taking appetite, risk management culture, and role in forecasting offer a starting point to help your board move from a windowless first floor conference room to a rooftop offering panoramic views. To some extent the vision of the collective board will be directly related to the vision of those elected to serve. But to an even larger extent the board’s role and effectiveness as a partner in understanding and addressing critical risks depends on the staff’s willingness to invite the board along for the elevator ride to the top, to structure the process to encourage candor, and to recognize that protecting the mission of the organization is an important, if not essential shared responsibility.

Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your questions about the Center’s resources at Melanie@nonprofitrisk.org.