6 Risk Trends that Matter to Your Mission

By Melanie Lockwood Herman

Yesterday I read with interest Kate Barr’s new blog post titled 8 Trends in the Nonprofit Sector. Kate is the President & CEO of Propel Nonprofits, an organization that supports nonprofits in Minnesota and adjacent states. Propel’s finance factsheets, worksheets and other resources are top notch, and I recommend them. Kate’s piece led me to reflect on some of the risk trends my team is encountering in our work with Affiliate Members and consulting clients.

Trend #1: Managing succession risk is a necessity, not a luxury. Leaders wondering whether increasing rates of turnover will subside in the months ahead should think again. The charitable sector is experiencing an unprecedented degree of turnover as baby boomers deservedly begin their retirement years. When I ask workshop audiences whether their organizations have a written CEO Succession Plan, approximately half of the audience raises their hand. Yet I continue to get questions that suggest a fundamental misunderstanding of the importance of a succession plan, such as, “Aren’t we too small to have a succession plan? Or, “Our CEO is relatively new; do we really need a plan?” A CEO Succession Plan outlines how the board will respond upon learning (or deciding) that the CEO is leaving the organization. Truly resilient and risk-savvy organizations understand that succession planning and cross-training go hand-in-hand. See our most popular resources on this important topic:

• “Avoid Transition Trauma with a CEO Succession Plan”
• “Succession Planning for [NOT] the CEO”

Trend #2: Reckoning with reputation risk is fundamental. The issue of reputation risk often arises in the early stage of a Risk Assessment facilitated by our team. Some clients refer to it as a separate category of risk, while others see reputation as a fickle and unpredictable cloud that hangs over their vision, mission, and operations. What is reputation and why is it a risk to a nonprofit? The authors of Rethinking Reputation Risk explain that “Your reputation is the sum total of how your stakeholders perceive you.” Later in the book, they remind readers, “Without stakeholders you could have no reputation, only self-esteem.” The book contains many helpful prompts to inspire conversations about reputation and risk. Some of my favorite questions to consider are:

• Who are your stakeholders? Which of them may be only fair-weather friends?
• To what extent does your organization deserve its reputation? What worries you?
• Which of your stakeholders might desert you in a crisis? Why?
• What would an intelligent but skeptical journalist write about the history and track record of your organization and its leaders if a crisis made it relevant?

Trend #3: Data privacy risk is real. Nonprofit organizations collect reams of personal information every day. The collection and possession of certain client, donor, employee, and volunteer data may trigger compliance requirements related to the protection of data. Worrying about privacy breaches without taking action is a disservice to your mission and your stakeholders. Consider the following questions as you evaluate the magnitude of data privacy risk and the adequacy of your readiness to respond:

• What protected information—Personally Identifiable Information (PII) and Protected Health Information (PHI)—do we collect? How are these terms defined in relevant laws that apply to our organization?
• From whom do we collect PII or PHI?
• Are we collecting PII or PHI that we can’t or don’t use?
• What steps are we taking to guard and protect the PII or PHI we collect?
• Are we aware of instances when these protections have proven inadequate?
• What are we required to do in the event of a data breach?
• Are we equipped to act quickly and in accordance with legal and contractual requirements upon discovering a data breach?
• Have we conducted training to equip every employee with the information, skills and comfort they need to promptly report breaches?

To learn more about the history of data breaches, see “The History of Data Breaches.”

For additional tips and insights on data privacy and social engineering risks, see:

• “Surviving and Thriving in the Wake of a Data Breach”
• “Social Engineering: Why People with Passwords are the Biggest Threat to Your Mission”
• “Technology Mishaps: Planning for IT and Communications Disasters”

Trend #4: Tension is an asset and a threat. Tension exists across the nonprofit sector and appears in various forms and forums. I’ve seen very productive tension—passionate views about very different approaches to addressing complex challenges—fill the air at board meetings. I’ve observed a healthy give and take between members of Risk Management Committees and Audit and Risk Oversight Committees. But I’ve also been a witness to unproductive tension between a CEO and her board, as well as taut tension between leaders of a national entity and leaders of the entity’s chapters and affiliates, or between the HQ and field offices of an international nonprofit. Productive tension makes both parties stronger and more resilient. Unproductive tension erodes trust and dilutes transparency and true accountability. To reckon with unproductive tension, ask:

• What are the causes or sources of tension?
• When is the next opportunity to discuss ways of turning tension into creative focus?
• Are we truly open to contrary views, or wedded to ways of doing things?

Trend #5: Keeping the board in the dark is not an option. Over the years I’ve heard many sorry tales about the costly consequences of keeping the board in the dark about the mission threats. CEOs are hardwired to brag about the organization’s impact in the community, growing fan club of stakeholders, and its talented staff. I’ve never seen it in a CEO position description, but an important responsibility of every executive is to “keep the board apprised of threats to the organization’s health and well-being.” The good news is that a strong, supportive and engaged board will be eager and able to help. The danger is that when a board believes it’s shielded from difficult news it can quickly lose trust in its CEO. And that trust may be impossible to rebuild. If you’re not talking to your board about the risks that threaten the viability, survival, fiscal well-being and ultimate success of your organization, consider the potential consequences of an unheralded catastrophe making its way to the board.

Trend #6: Coping with risk is a duty for all. In her book The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth, author Amy Edmondson writes: “Knowledgeable, skilled, well-meaning people cannot always contribute what they know at that critical moment on the job when it is needed. Sometimes this is because they fail to recognize the need for their knowledge. More often, it’s because they’re reluctant to stand out, be wrong, or offend the boss. For knowledge work to flourish, the workplace must be one where people feel able to share their knowledge!” Edmondson reminds readers that playing not to lose is not playing to win; it’s just playing it safe. In fact, we need to take more risks to achieve an ambitious nonprofit mission. To do that we need clarity of purpose, and trust up and down the org chart, just as we need stable finances and financial capital for big bets.

Edmondson acknowledges the instinct to fit in and avoid being perceived as a disruptive nuisance, poor team player, or worse. She cautions, “Self-protection remains a hollow victory compared to the fulfillment that comes from actively serving an inspiring purpose and being a part of a team that’s able to accomplish an ambitious goal.” Finally, Edmondson suggests “a few simple, uncommon, powerful phrases that anyone can utter to make the workplace feel a tiny bit more psychologically safe: “I don’t know; I need help; I made a mistake; I’m sorry.” In high-performing organizations team members on all rungs of the staff and governing ladders recognize the power of these humble expressions of vulnerability.

If all that is meant by psychological safety is job protection for our obedience, we are seriously missing the point. Psychological safety within an ambitious organization means the freedom and confidence to dissent, to pose difficult, risky, or controversial ideas without the fear of being silenced or punished. Think of the potential and power of an organization where speaking up is one’s duty, and where the expression of vulnerability is seen as team building. A confident leader will find risk champions by supporting engagement while allowing for the free exchange of knowledge, ideas, and opinions that are most germane to the mission.

Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your questions and comments about the risk trends in your nonprofit’s orbit, or questions about the mission, programs and services of NRMC. Contact Melanie at 703.777.3504 or Melanie@nonprofitrisk.org.