By Melanie Lockwood Herman
Although a growing number of nonprofit leaders profess to be ready for Enterprise Risk Management, a far greater number admit that their operational risk management programs are far from adequate. What is operational risk management? The term refers to risk identification, risk assessment and risk management activity focused on day-to-day activities and functions. There are various ways to organize and reflect on ORM work. Two common approaches within nonprofits are:
- by department or unit within a nonprofit, such as finance, development, volunteer relations, etc.
- by critical risks or risk management activity, such as aquatics, youth protection, internal controls
To help understand the key challenges and “musts” in operational risk management, I’ve reached out to two experienced, wise consultants: Diana Del Bel Belluz from Risk Wise Inc., and Michael Gurtler from Safe-Wise Consulting. Both consultants boast long track records of coaching and advising nonprofit organizations. We are fortunate at the Center to be able to lean on and turn to Diana and Mike for practical advice and timely wisdom on a wide range of risk topics.
Q. What are the key activities or components of effective operational risk management?
Diana. The first component is establishing clarity around objectives, roles, and responsibilities. To achieve the goals of any important activity—including risk management—every team member needs to know exactly how he or she is expected to contribute. The second component is to deliver excellent performance. This includes identifying the right resources (including people, processes and systems) and managing those resources according to an agreed-upon strategy. The third component is to develop capabilities to handle unexpected or uncontrollable factors.
Mike. I think Diana hits the nail on the head with her response. I’d add two things to complement her suggestions. I see many organizations struggle with risk management because it is not part of their culture. They think of it as this BIG thing and cannot get everyone to be part of it. So, I strongly suggest that after we establish clarity around objectives, roles, and responsibilities as Diana points out, we must train our staff and volunteers early and often. Risk management should be part of the on-boarding and orientation process. Make sure people know what they need to do and why they need to do it. It’s not just good practice but there is a reason to do things; that way they’ll get a better understanding of managing risks. Our culture at nonprofits is driven by our staff and volunteers; they must be our risk management champions. For example, we don’t just put yellow ‘caution wet floor’ signs out when it rains or when we mop; we do it for a reason — to help prevent slips and falls, a leading cause of injuries at nonprofits. Secondly, I’d add that we must be constantly reevaluating our risks, processes, and strategies. Nonprofits are moving in many different directions and continuously evolving. Our risks frequently change too. How we manage them and what we learn from monitoring our successes is critical information we can use to grow with these changes.
Q. What advice would you offer the leaders of a nonprofit to cope with circumstances outside their control?
Diana. Effective nonprofits must be ready and resilient because there will always be surprises and events will unfold that are different from what they expect. The three strategies for dealing with the unexpected include:
- Cultivating awareness of factors and trends in the external environment. This is the best way to anticipate new or evolving risks.
- Building relationships with external stakeholders, including key players in the community your nonprofit serves, your donors and other funders, and any third party that assists your organization to deliver on its mission. Positive relationships are invaluable to a nonprofit and play a key role in helping the organization survive negative scrutiny or a crisis.
- Developing response capabilities. This includes the development of crisis management, disaster recovery, and business continuity plans and skills to enable you to quickly realign resources in the wake of a crisis.
Mike. Two parts of risk management are prevention and control. Obviously prevention is keeping bad stuff from happening. Most organizations understand that part better and can generally figure out how to prevent common risks from causing harm. The control part seems a bit more fluid for some organizations and can be more difficult to understand. Control involves how we react to incidents to reduce negative outcomes. I also think it involves getting back to “normal” as quickly as possible. Certainly, accidents do happen and many times we cannot do much to prevent them. Take the example of a severe weather event. We cannot keep the weather from damaging our building but we can plan ahead and be ready to cope with the damage to lessen its impact on our mission. We can “batten down the hatches” so to speak, we can keep abreast of oncoming events (cultivating awareness as Diana suggests), and we can be ready to react when bad things happen by establishing protocols for response, repair and resumption of operations. Most of all I think we must remember that many incidents that we cannot control are not the end of the world. We need to stay calm, follow our plan with cautious optimism, and move through the tough times.
Q. What are some key strategies or considerations for evaluating operational risks, particularly in a nonprofit organization where everything seems to be changing all of the time?
Diana. Most operational environments in the nonprofit sector are characterized by change. Of course, some changes are within an organization’s control (such as a restructuring), while others fall outside the entity’s control (such as new regulatory requirements, changing demographics, etc.). Scenario planning can be an effective tool for anticipating how this will turn out. Nonprofit leaders should adopt the good practice of considering a range of potential outcomes rather than focusing on a single scenario or potential outcome. A simple way to do this is to imagine both the extreme, worst-case scenario as well as a typical or expected case, and then a third outcome somewhere in between. Based on these three possibilities the risk team can identify what steps it will take today to prepare for all three possibilities, and what changes or action will be required if one of the three outcomes becomes reality.
Mike. As much as we like to think we are extremely unique, I usually find that many nonprofit organizations have more in common than they recognize. I think it is key to using our resources around us when we’re trying to identify and manage risks. As a consultant I do not know all the answers (yeah, really) but I usually know where to find them. Each organization has a network for professional contacts and peers that have probably been down the road before. Good risk managers keep their ears open, read a lot, and seek out others’ experiences to complement their own. A strategy in identifying and evaluating risks is seeking out information. This information is readily available from peers, other organizations, insurance agents, insurance companies, consultants, and professional publications. Oh, and go to the Risk Summit every year to learn from others and fill your risk management tank with fuel.
Q. What are some of the most common challenges in operational risk management?
Diana. One challenge is finding the level of responsible risk-taking that avoids the extreme positions of reckless gambling and risk aversion. Taking responsible risks, after all, is a necessary part of nonprofit life. A second challenge is the fact that risk cannot be measured directly. Risk must, therefore, be estimated, and involves judgment. A risk that is perceived as potentially significant to a nonprofit warrants a greater commitment to information-gathering and analysis and perhaps even the construction of a risk model. For smaller risks, leaders are more likely to rely on past experience and judgment.
Mike. A common challenge in dealing with the day-to-day is turnover in leadership. Many organizations experience turnover in the “boots on the ground” sector of their operation on a fairly regular basis. Keeping people up-to-date and current on the risk management plan is difficult when they are still learning their jobs. I also think that sometimes we can get complacent about things when we go through a period of what I call “incident prosperity.” In other words, during a long stretch when downside risks haven’t materialized, we back off on practices and procedures that were once considered minimum standards. The “it doesn’t happen here” or “hasn’t happened here in ages” attitude starts to take over. Besides, it’s always easy to say that our mission and budget are far more important. Why spend all that time on stuff that “never” happens!?! Those thoughts, no matter how common, are a recipe for disaster… so says Mr. Murphy.
Q. Are there additional tips and suggestions you want to offer nonprofit leaders who are trying to strengthen their operational risk management programs?
Diana. All nonprofits manage operational risk to some degree, or they would not survive! However, the most common weakness in risk management is that risk practice is often ad hoc, rather than thoughtful and systematic. It’s important to remember that strong operational risk management programs place equal emphasis on: identifying risks related to the delivery of services and key functions in the organization, and evaluating whether steps taken to date are adequate to help the nonprofit respond and rebound. Making an inventory of top risk concerns and current risk management steps, strategies and policies is a good way to start the process. Also, it’s incredibly important to learn from risk events. Any crisis, loss, or failure offers potentially invaluable lessons. But to learn from these experiences it’s vital to ask:
- What gaps in our policies, practices, or management system led to this negative outcome?
- What organizational blind spots prevented us from seeing this coming?
- How can we avoid a similar loss in the future?
Finally, the importance of a culture that supports risk management is key.
Nonprofit leaders can encourage a culture of risk management by taking three steps.
- Model good risk management behavior. Codes of conduct and statements of core values are meaningless in an instant when leaders act in a way that contradicts espoused values.
- Articulate expectations for risk management behavior. Leaders must communicate what constitutes good risk management behavior versus poor behavior. And rather than pushing risk management expectations on direct reports, leaders should “pull” desired behavior from them. How? By asking staff how they are meeting risk-related expectations such as:
  - How are you integrating risk thinking into the key decisions you make?
  - What are the significant risks in your area of responsibility?
  - What risk indicators are you monitoring to ensure that you’re prepared to respond if these risks materialize?
- Be clear about the consequences and follow through. Human beings are motivated to act because they want to realize positive consequences and avoid negative ones. Make certain you’re absolutely clear about consequences, both good and bad. And keep in mind that when poor risk management is ignored, the nonprofit pays twice: first by exposing the organization to unnecessary risk, and second, by demotivating individuals who are making a genuine effort to meet risk management expectations.
Mike. Get help when you’re in over your head or maybe even when you feel like your risk management “water wings” are beginning to deflate. There are lots of sources you can turn to for help. One resource can be a risk management committee that has a clear directive, is led by an effective volunteer and actively meets goals; this is a great asset to any organization. They can help provide the view from 30,000 feet that operational risk management sometimes misses.
Updating and fortifying your operational risk management program starts with acknowledging that your nonprofit is already doing a lot to understand and manage the risks that arise from operations. And by taking the sage advice offered by Diana and Mike, you can avoid the mistakes and false starts that others have experienced. Finally, don’t hesitate to reach out to our team at the Nonprofit Risk Management Center for advice and support on your journey.
Melanie Herman is Executive Director at the Nonprofit Risk Management Center. She welcomes your feedback and questions about any risk management topic at Melanie@nonprofitrisk.org or 703.777.3504.