Who’s on First? Getting the Players in Place for ERM

By Christy Grano

In a famous 1930s skit “Who’s on First,” comedian Lou Costello tries hopelessly to learn the names of players on a fictional baseball team as his straight man Bud Abbott explains that the basemen are named “Who,” “What,” and “I don’t know.” The two nearly come to blows in the mounting confusion and the audience cannot help but laugh as Lou asks repeatedly “Who’s on first?” and Bud repeats “Yes, that’s it!”

The “Who’s on First” routine is not a far cry from the confusion that sometimes accompanies discussions about who should play what role in an Enterprise Risk Management (ERM) program. Delegating new responsibilities is a natural step in any organization’s growth toward a mature ERM program.

It’s exciting to see a new holistic ERM plan unfold that encompasses value creation (advancing the nonprofit’s mission) as well as loss prevention and asset protection (cornerstones of traditional risk management). However, as consultants, we have seen great aspirations nearly die on the vine due to unclear risk roles. We’ve also seen leadership teams make great strides in ERM and later clash over whether to hire a full-time risk champion to lead the program.

Identifying ERM Roles that Make Mission Sense 

In World-Class Risk Management for Nonprofits, authors Norman Marks and Melanie Lockwood Herman explain how nonprofits of any size can customize ERM to fortify a bold mission, equip staff and volunteer leaders, and build resilience that helps the organization flex with a dynamic, complex risk landscape. Growing ERM capabilities takes time as team members in all areas of the organization increase risk awareness and develop a common language about risk. (For helpful resources on ERM see the Resources section of https://nonprofitrisk.org/ and two NRMC articles: “Enterprise Risk Management: The Final Frontier,” and “Egalitarian Risk Leadership: Flatten or Fatten?”)

New tasks, roles, and responsibilities that propel your mission will be identified and tackled as the ERM program matures. Keep in mind that ERM frameworks and accountability strategies should be customized to reflect the culture, structure, priorities, and resources of the organization. One nonprofit may choose to hire a dedicated ERM Manager early on, while a peer organization may elect to distribute risk roles to existing staff members and risk oversight responsibility to a standing committee of the board.

In many cases, an ERM process will expose tasks that may not fall to an obvious person or department. Here are a few examples of important responsibilities we’ve seen over the years that may not have an obvious face for the job:

  • creating a risk appetite statement
  • designing, administering and compiling the results of risk surveys
  • monitoring the nonprofit’s changing risk landscape
  • creating risk dashboards
  • briefing oversight teams
  • evaluating the adequacy of an insurance portfolio
  • creating educational materials on risk topics and organizational policies
  • monitoring progress related to ERM maturity or goals
  • facilitating workshops on risk assessment and risk appetite

These tasks and roles are just a few we’ve seen that can be important for ERM growth but sometimes lack an obvious go-to person.

What are Your Top Risks Telling You?

No matter where you are in your journey toward robust ERM, we have a hunch you’re already discussing and cataloging top risks. Sorting through risks can feel a bit overwhelming at times, depending on your approach. A thoughtfully curated group of risks can provide helpful clues about key risk roles. Do some or most of the top risks identified by your team point toward a certain department or existing team?

What is motivating you to build ERM capabilities and broaden your approach to risk management? For example, if strengthening diversity, equity and inclusion in your workplace and improving the vetting of prospective hires are top priorities, the HR director may be a good choice to lead or co-lead the ERM effort. If the loss of a key donor due to donor dissatisfaction is a prevailing worry, the chief development officer should be involved, possibly in a lead role. If risks related to leaky or inconsistent internal controls sit high on your top risks list, make sure the finance team is part of the ERM program. In recent years we have witnessed the expansion of general counsel and compliance officer roles to include responsibility for championing the evolution of risk management to encompass strategy-level and enterprise-wide risks.

Here are some subject areas where we’ve seen risk management roles “cluster” early in the game.

  • Financial Risk Management: “After a series of discussions about top risks and our risk appetite, we’ve decided that our business model and financial health represent our biggest threats and our biggest opportunities. We’ve decided to apply our resources to bolstering our finance team and we’re asking our CFO to serve as our principal risk champion.”
  • Insurance Management: “Our ERM work revealed that we aren’t as fluent with our current insurance coverage as we need to be. We’re also uncertain about the wisdom of purchasing new coverages, such as cyber liability, or how our organization is perceived by carriers. We’ve had our confidence shaken in our broker after she took the carrier’s side when a recent claim was denied. Several members of the board have asked whether we have the talent we need to oversee the relationship with the broker.”
  • Communications Risk Management: “We were somewhat surprised to learn that social media risks are a top concern for almost every member of management as well as multiple members of the board. In a unanimous decision we chose to allocate additional resources to our communications department; we want to ensure that we’re doing everything we can to handle rogue online comments quickly and gracefully.”
  • Human Resources Risk Management: “Recent feedback from a staff engagement survey revealed that our internal culture is one of the biggest risks facing our mission. Some employees stated that our outward facing mission is out of sync with how we treat staff. To create the workplace culture our mission and employees deserve, we’re doubling down on training and support to effect change. This work is being championed by our HR Director.”
  • Compliance Risk Management: “Changing legal requirements and regulations, as well as strict requirements imposed by international institutional funders, have led us to identify compliance risks and gaps as top concerns. Until recently, compliance tasks were parceled out to various team members and we only occasionally reached out to legal counsel. Our board supports the staff proposal to create a full-time Ethics and Compliance Manager position who will champion compliance activities across the organization.”

Draft Time: When to Hire a Power Hitter

Notice that none of the examples above included “hiring an ERM specialist” as the first order of business. Hiring a full-time risk professional is a wonderful move for some organizations, but for the majority of nonprofits, it’s not the logical first step. And in some cases, hiring a risk leader may not make sense in the long term; some leadership teams opt to integrate risk roles into existing job descriptions.

For those who are creating new position descriptions or tweaking existing ones, consider the following questions:

  • Are risk roles clearly defined? Simply sneaking “ERM” or “risk management” into a job title or job description doesn’t guarantee that you’ve got things covered. What are the key risk responsibilities? What deliverables are expected? How should the risk leader collaborate with internal and external subject matter experts and resources? While clarity is a key characteristic of any job description, it is especially vital in a risk role. Why? Because risk positions are less familiar than other roles in a nonprofit, such as accountant, development associate or membership manager. Even the most tenacious employees can and will become distracted or sidetracked with other priorities if risk management expectations are not clearly defined with goals, milestones, and effective feedback loops.
  • Are you looking for the right qualities? The perfect risk management teammate may not be who you expect. As noted by two experienced risk leaders, creativity, curiosity, and the ability to create value may be especially important:
    • “Risk managers must have a natural curiosity. I also look for people who have really good time-management and prioritization skills and who are good listeners.” —Pamela Rogers, Weight Watchers International
    • “Too many RMs are still viewed as brakes; they must transform themselves into value creators. We must also get more comfortable entering the boardroom since our expertise will be increasingly needed there.” —Erwann Michel-Kerjan, Managing Director, Wharton Risk Management and Decision Processes Center
  • Are you considering your existing staff? In our experience, nonprofit leaders are frequently surprised to learn how many of their own staff members are interested in taking on risk management roles and responsibilities. Sometimes those closest to the front lines are the most aware of how risk management can bring positive effects and are therefore the most eager to wrangle risks. At NRMC we have learned to encourage a quick poll of staff to gauge enthusiasm, even when leadership feels certain that no one is interested.

If you’re looking outside your organization because you feel that you simply don’t have the relevant expertise in house, consider training your existing staff. Remember that there are lots of great resources available to support ERM learners. For example, NRMC offers the Risk Leadership Certificate Program (RLCP), an intensive learning opportunity for risk leaders. RLCP is held annually over three weekends; graduates of the first two cohorts of RLCP report significant positive changes in the confidence they bring to their risk roles.

  • Have you considered a board committee? Risk management committees are becoming familiar elements in the governance landscape of the nonprofit sector. A growing number of nonprofits have broadened the oversight role of the Audit Committee to include risk oversight, while others have created new ERM Committees.

On Deck: Everyone has a Risk Management Role

As you examine potential roles, don’t fall into the trap of believing that ERM maturity should be measured by staff headcount. The top indicator of a mature ERM system is when risk management has become “baked in” at every level of the organization. Every member of your staff and governing teams should play a role in supporting ERM. Anyone who feels they are exempt from noticing, reporting, and acting on hazards of any kind is a costly claim or lawsuit in the making. Team members who hold back instead of sharing their ideas for growing the organization are robbing the nonprofit of ideas that could make a difference to the mission.

According to NRMC Executive Director, Melanie Lockwood Herman, “When you walk into an organization you can tell very little about the ERM program from the number of staff members that have risk management in their title; the true sign of ERM maturity is when every person you meet from the receptionist to the Board Chair feels comfortable sharing their concerns about risk.” Staff teams that embrace risk roles and recognize the importance of working together on ERM are poised to make a real difference in the readiness of the organization, and to respond to unexpected events.

Fielding Your Team 

Few nonprofit sector leaders will enjoy the luxury of a flush budget that supports a multi-member ERM team led by an experienced risk management professional. In most cases, interest in ERM arises in the wake of a crisis or potentially catastrophic near miss. In other cases, the prodding of a board member leads to the exploration of ERM as a potential mission-fortifying asset. Creating, sustaining, and growing ERM capabilities takes time, patience, commitment, and people. Look for expertise and insights wherever they exist in your nonprofit, invite staff members across the organization to be part of the journey, and remember that your perspective on what the function or capabilities should look like will change over time. Today’s top priority may be a succinct crisis management plan, or it could be improving the structure of your insurance program. Will this year be a winning season? Only time will tell. Hang on to the lessons learned, keep an open mind, and recognize risk as something mission-minded organizations must bravely face to succeed.