Oh! The Places We Will Go with ERM

By Katharine Nesslage

Nonprofit teams that resolve to strengthen risk capabilities by embracing Enterprise Risk Management should integrate an evaluation component from the start. Why? Early supporters of your ERM program will want to see and understand how the program is changing the organization for the better. And as a risk champion, you’ll want to assess what’s working and also identify aspects of the program that may require tweaking or a different approach altogether.

Start by gathering information about what you’ve learned related to your process and approach. For example, did everyone you invited to participate in ERM workshops and meetings actually attend? If key people were missing or disengaged, why was this the case? Have you received positive, negative or mixed feedback about the goals or activities of the program? Has the board and management team’s interest in ERM grown or declined since the program began? If interest has waxed or waned, why might that be the case? This rich information should inspire ideas about possible adjustments to your program’s design.


Tune In to Unsolicited Feedback

Several years ago, the NRMC team worked with an international organization to develop custom risk policies which were subsequently published on the organization’s website. The organization received pushback after the policies were made public; some international participants were offended by new, rigorous screening requirements. Rather than ignore the complaints or engage in a battle with key stakeholders, the organization agreed to revisit the wording of the policies and emphasize the ‘why’ behind the ‘what’ and ‘how.’ The revised policies were published within weeks of the initial feedback and no further concerns were expressed.


Learn as You Go

Like any empirically based practice, effective risk management is a learn as you go function. Ask yourself from time to time: What’s going well? What needs to be improved? Do the stakeholders who matter to the success of this program understand its purpose and key elements? What are some of the lessons learned from the program design and implementation phases?

Demonstrate Value

Evaluating your ERM program is an opportunity to further demonstrate its benefits and positive impacts on your organization. Resources are scarce in any nonprofit. There are always programs or initiatives that the organization would like to undertake but are costly or unaffordable. Leaders of functions, activities, and departments need to be cognizant that others are looking at them, and may be wondering: Is this worthwhile? Is the investment in the program advantageous? As a leader you must be mindful of the scrutiny you may receive about whether an investment will benefit the mission.

This brings to mind the responsibility of stewardship. In his book Finance Fundamentals for Nonprofits, thought leader Woods Bowman writes that, “The risks of a nonprofit are borne by the people it serves (its clients), who have neither a voice in selecting the organization’s leadership nor the ability to manage the risks.” Risk leaders have a heavy responsibility to ruminate on risks and respond with care, compassion and thoughtfulness. The ultimate goal is to develop viable risk management strategies that enable client and community serving programs to thrive. Your ERM program should be sustainable, durable, practical, and address the key risks of your organization.

Traditional operational risk management programs are often evaluated based on outcomes: claim frequency (number of claims going up or down), whether the claim type is changing, the total cost of risk (including insurance premiums), and the availability of coverage your nonprofit wants to purchase. ERM is a different animal: it encompasses risks that can’t be easily measured (think reputation vulnerabilities or security breaches) and outcomes that are challenging to quantify (like confidence in stakeholder loyalty).

Another important way that ERM programs add value is by increasing decision-making capabilities; nonprofits considering ERM often lift up improved decision-making as an important goal. For example, are best and worst possible outcomes discussed in the lead up to a decision? Are team members proposing a risky move asked about contingency plans?

Use More than One Lens for the Best View

There is no one way to evaluate your progress or rate the success of your Enterprise Risk Management program. The NRMC team recommends that you consider using multiple lenses, just as you would adjust the focus on your binoculars to see many features of a landscape. NRMC has identified five possible focal points for evaluating your ERM program.

  • A Trajectory View is where you look at what has happened to the risk management program over time. Risk information should become richer over time. This means you’ll get a deeper look and comparable understanding of risk information your nonprofit is sourcing, whether it’s through risk assessments involving staff and volunteer participation, incident claims, policies, or other sources. Questions to ask yourself include: Do our risk assessments yield new information or simply validate past results? Is there greater clarity and a shared understanding of what risk management means across the entire organization?

Are you achieving your goals regarding risk culture? It is vital to have a risk aware culture and to remember that the success of risk management depends on people. Does your current workplace culture support effective risk management or does it create barriers? To what degree are staff across the organization risk aware? Do staff feel they are an important part of the risk management goals of the nonprofit?

A final prompt to think about when utilizing a trajectory view is, are incidents, near misses and claims reported in a timely fashion? How is the reporting process changing as you increase awareness of your ERM program in the organization? Intuitively, you may think an increase in claims means a situation is worsening. However, it may be the opposite, where people are feeling more comfortable speaking up, rather than ignoring something that could be hazardous or interfere with the objectives of the nonprofit.

  • A second angle to consider is a Program Maturity Lens. This is focused on the evolution of Enterprise Risk Management within your nonprofit. Ask: Is our capacity to anticipate and manage risks evolving? Are we improving or getting better at ERM? Have we increased the number of people that are trained in this area? Have we increased the number of people that can serve as back-ups to key roles within our organization in the risk function? Have we demonstrated skills that we did not have before we got underway?

When viewing ERM through a Program Maturity Lens, ask: Are capabilities and skills keeping pace with our changing risk landscape and our organization’s evolution? Are we reflecting on what is happening around us and the changes our nonprofit faces? Is our ERM program helping us optimize opportunities and cope with potential calamities?

Restructuring is a relatively common occurrence in the nonprofit sector. For example, an ERM committee may be eliminated when board committees are consolidated, and risk oversight responsibilities are transferred from one committee to another. What happens to risk reporting relationships and accountability? The risk in these circumstances is that a fundamental commitment to ERM may be lost when another committee with a different set of objectives subsumes risk responsibilities.

A risk maturity lens gives you an opportunity to tell the story of where an ERM program started, where the program is today, and where you expect it to be in the future. To learn more about risk maturity models, see the NRMC book, World-Class Risk Management for Nonprofits.

  • An Employee Awareness and Engagement Lens looks at the degree to which staff understand and embrace their role in the risk management program. Engagement surveys have become a popular tool for gauging levels of engagement and identifying opportunities to improve. Consider the following prompts to measure staff engagement with the goals of your ERM program.
    • To what degree are staff aware and engaged when it comes to Enterprise Risk Management?
    • Do employees understand the purpose and potential benefits of ERM?
    • Do staff understand the accountability structure and framework for the ERM program?
    • Do members of the staff team have confidence about the types of risks being taken by the nonprofit and the team’s readiness to address risks as they materialize?
    • Do staff feel equipped to respond to crisis events? Do employees have a sense of belonging and being a part of the ERM program, or do they see it as “not my responsibility”?
  • Another lens to consider focuses on ERM’s Reach. Are we reaching team members across the full spectrum of operations and activities in the organization? There are many different ways to visually show this in a risk dashboard. For example, you may want to compare how the top risks of your organization have changed over time. Another approach is to compare the perspectives of the board versus the perspectives of staff regarding the top risks of the organization, or contrast the top risks identified by headquarters staff against the top risks identified by field teams.
  • The Integration Lens considers the degree to which ERM has become integrated and “baked in” to the organization’s culture, processes, and planning. You will know that ERM is integrated when you start to hear references to the program in conversations involving various teams, or in discussions about key processes such as strategic planning, budgeting and hiring.

Ensuring effective feedback loops is another way to achieve integration of ERM. The Board wants to know that operational risks are being managed by the staff team, and the staff want assurance that strategy risks are being considered by the board. Communications and sharing are key to achieving a transparent and healthy ERM program.

Another issue to consider is whether there is clarity and accountability around shared expectations and responsibilities. Have you really integrated ERM practices and principles into decision-making? For example, are questions about risk-taking and risk management reflected in your performance management process?

You’ll Be Doing Great Things with ERM

There are numerous challenges that arise when implementing a new ERM program or broadening your operational risk management program to include risks related to key strategies, and risks at the intersection of functions or silos.  Taking time to evaluate your progress can boost your wins and help you better anticipate future challenges.

Remember to commit to evolving ERM capabilities without losing sight of your goals. What are you trying to achieve? Sometimes we report on outputs and don’t focus on whether we are accomplishing the goals we set out to reach. Do any of the original goals now seem unrealistic? Have events or circumstances facing your nonprofit led to the realization that new goals are needed?

Conceptualize where you want to be and create milestones and reflection points. Inevitably, you will want to make changes as you go through the process. Specific goals and aspirations may change based on new information you gather and insights along the way.

Lastly, acknowledge that the breadth and depth of your ERM program may change over time. Some nonprofit teams choose to experiment with ERM by adopting a narrow scope, such as focusing on risks related to a short list of strategic priorities. Other teams embark on ERM by identifying uncertainties in the nonprofit’s stratosphere as well as the risks that lurk in the organization’s nooks and crannies. Some leaders who champion ERM hope that the new program will enable the identification of ALL risks facing the organization and yield data that pinpoints the likelihood and severity of top risks. In some cases, events transpire (e.g., feedback from the board, a crisis occurs, something happens externally) which causes the leadership team to suggest paring back the original goals.

All organizations are dynamic. This dynamism necessitates an evolving approach to risk management over time. The management of risk must be responsive to the evolving risk landscape—to changes happening in your environment over which you have little control. Taking time to evaluate your Enterprise Risk Management program should be well worth the investment. The result of your efforts will strengthen your risk program and support your overall mission.

Resources on Evaluating ERM Progress

Katharine Nesslage is Project Manager at the Nonprofit Risk Management Center. Katharine welcomes your questions about NRMC products and services at 703.777.3504 or Katharine@nonprofitrisk.org.