5 Questions to Re-Focus Your Risk Function

By Melanie Lockwood Herman

A colleague recently sent me a copy of “The Five Most Important Questions You Will Ever Ask About Your Organization,” a book organized around a short list of simple but provocative and powerful questions. In a series of essays authored by familiar management luminaries, the book offers a straightforward way to focus on the most important considerations related to the success and sustainability of a nonprofit mission.

My team used the ‘five questions’ framework for a mission, vision and goals check-up at a Center board meeting held this week. If you’re trying to help your board stay above the fray of operations, or you’re seeking affirmation for the new or evolving direction in which your team is headed, consider using the ‘five questions’ as a guide.

Now that our board exercise has wrapped, I’ve been thinking about how to apply the ‘five questions’ to the discipline of risk management. In my experience, some teams become bogged down in the risk function’s confounding details, such as:

  • reducing the number and frequency of recurring accidents, mishaps and near-misses
  • improving the timeliness and thoroughness of incident reporting
  • answering questions posed by an underwriter that may be holding up coverage renewal pricing and terms
  • implementing policies that may appear to address operational risks, but that don’t take into account related factors such as employee buy-in, training effectiveness, and general risk awareness

While these tasks are important, when you’re buried in the details you may miss or tune out the essential purpose and goals of your risk management program. Be sure to take a step back and re-focus on the big picture of your risk function before you get tangled in the weeds.

Start with a Question

The five questions are:

  • What is our Mission?
  • Who is our Customer?
  • What does the Customer Value?
  • What are our Results?
  • What is our Plan?

Here’s my take on how risk leaders can apply these questions to planning and self-assessment activity related to the risk function in an organization.

  • What is the Mission (purpose) of our risk management program? This question often leads to overly simple, quick answers, such as ‘protect people from harm,’ ‘reduce losses,’ or ‘minimize the cost of insurance.’ Instead of a knee-jerk reaction to simple questions, take the time to think bigger and broader about the role of risk management in your nonprofit. For example, is it possible that the true purpose of risk management is to inspire confidence to take bold, mission-advancing risks? Or to free-up resources for mission-advancing new initiatives? Reflect on the big picture impact that an effective risk management function could have on your organization.
  • Who is our Customer? A common mistake in risk practice is to limit risk responsibility to a few usual suspects: the CFO, the general counsel, the director of volunteers, and so forth. These leaders are the ‘heavies’ who draft and issue policies, coordinate insurance buying, and prepare dry reports for the Audit or Finance Committee. In “The Five Most Important Questions,” the authors distinguish between a ‘primary customer’–someone whose life is changed by your work, and ‘secondary customers’–others who must be satisfied. Whose life is truly changed by your risk management function? Who simply ‘must be satisfied’ as part of that work?
  • What does the Customer Value? This is a very intriguing question when it comes to the risk function in a nonprofit. Some clients of the Center have told me that their boards want assurance that various contingencies have been considered. Others tell me that people in the organization simply want to understand what they must and must not do to be safe and keep others safe to the best of their ability. Still other clients possess their own awareness of what could go wrong, and they prefer to focus on how risk management can act as a springboard for them to vet and leverage opportunities (the very purpose of risk-taking!). Generally there seems to be growing interest on the part of the senior teams we consult with in visual depictions of the gap between exposures and the organization’s risk readiness–a refreshing change from the more simplistic risk registers and heat maps that have become all too common. Focus your analysis of customer values on the primary customer that you identified.
  • What are our Results? We’re increasingly hearing from consulting clients that evidence of activity is insufficient to prove the value of risk management. I remember my first boss explaining the importance of looking busy at work. It sounds funny today, but there was a time when appearing to be busy mattered just as much as your actual results. “We’re providing safety workshops!” just won’t cut it. How can you demonstrate the real impact of those safety workshops? For example, how did participating in a safety workshop lead to behavioral changes that truly make employees safer at your workplace? Accountability–doing what you promised to do–isn’t optional when you’re spending someone else’s money (donor, funder, customer). What risk metrics matter in your nonprofit? How are you tracking them? What happens when you fall short? A growing number of Center risk engagements now include a segment focused on developing ‘key risk indicators’ and dashboards that support the tracking of risk results over time, to ensure that risk management efforts produce the change they promise. Of course if you find that your risk function is not producing results, you’ll still have data to help you devise a new plan for moving forward.
  • What is our Plan? As I neared the completion of “The Five Most Important Questions,” I was reminded that ‘more’ does not equal ‘better.’ The authors remind readers that an overly complicated list of goals and initiatives fails to impress. And worse, the longer the list, the more likely many items will never be accomplished. While preparing for our board meeting, my team developed four simple goals that guide our work each and every day. We won’t be etching those goals on stone tablets, because they may and should change over time. But we are constantly reminding ourselves to ask whether this project or that task is related to one or more of those overarching goals.

If you haven’t already read, or recently re-read “The Five Most Important Questions You Will Ever Ask About Your Organization,” I urge you to do so. And if you’re wondering whether your risk management program is all that your mission deserves, I hope my thoughts will help you stop and reflect on these questions and the answers. I want to thank my colleague Kirk Adams, the new CEO of American Foundation for the Blind, for starting me on the process of re-thinking these questions on behalf of the organizations where I serve as a leader, volunteer and advisor.

Melanie Lockwood Herman is the Executive Director of the Nonprofit Risk Management Center. Melanie welcomes your feedback about this article and ways to re-focus the risk management function at your nonprofit, at Melanie@nonprofitrisk.org or 703.777.3504.