By Melanie Lockwood Herman
What is a Stakeholder?
One way to define the concept of “stakeholder” is a party who has a “stake” in control of the nonprofit because he or she is in position to exercise influence over the organization’s conduct. Another definition is individuals and groups who can affect and are affected by the realization of the organization’s mission. Stakeholder views are important to the success of the nonprofit and should therefore help shape the nonprofit’s leaders understanding of risk. In Chapter 8 of our book Ready…or Not, we explore various aspects of risk with respect to five key stakeholder groups: the board of directors, volunteers, funders, clients/service recipients and regulators. This article discusses the intersection of risk and the nonprofit board.
The Board of Directors
The integral role of the Board of Directors in risk management oversight is slowly gaining acceptance in the U.S. nonprofit sector. Few would disagree that the Board of a nonprofit is a key stakeholder group, but many leaders—board members included—continue to view risk management activities as the exclusive domain of staff. As one board chair told me years ago, “We view risk management as an administrative responsibility and have therefore delegated risk management to our staff.” His dismissive comment was in response to my inquiry about the board’s role in risk management. As it turned out, that nonprofit’s staff had further delegated risk management to an accounting/audit firm, whose senior partner confidently proclaimed that the nonprofit had “no unaddressed risks.” Upon learning of this approach I was immediately struck by the absurdity of the result: in my experience having “no unaddressed risks” is an impossibility. By refusing to engage in a candid discussion of risks and risk management strategies and naively delegating responsibility to a third party, the board of this particular nonprofit missed the critical benefits that risk awareness and thoughtful risk-taking offer.
The reluctance to view risk management as an important governance issue contrasts dramatically with the view of regulators and nonprofit leaders in other parts of the world. One need only visit the United Kingdom, Australia or even our close neighbor Canada to see evidence of boards actively embracing their role in risk management.
A nonprofit board chair in Australia once told me, “Risk Management is the board’s most important responsibility. We cannot protect the mission of our organization without a commitment to understanding and managing its risks.” This enlightened approach—recognizing the board’s role and responsibilities—offers the opportunity to provide a far greater measure of protection than the common practice of treating risk management as an administrative “chore” that should be delegated to the staff.
Despite intensive review and consideration of “best practices” in nonprofit governance in recent years, the risk management responsibilities of the board remain under the radar screen. Given the unprecedented scrutiny of nonprofit boards and need for every board to be proactive in discharging the “duty of care,” ignoring risk management is ill-advised.
The approach taken by the Charity Commission, the regulatory agency for charities in the United Kingdom, is both instructive and worthy of review.
The Commission requires that registered charities submit a “Summary Information Return of Aims, Activities and Achievements.” The form asks several questions that point to the risk management responsibilities of the board, including:
- Question 6: “How would you describe your charity’s financial health at the end of the period?” and
- Question 8: “How does the charity ensure that its governance arrangements are appropriate and effective?”
In the report submitted by one charity the following response was provided to Question 8:
“Clearly defined and robust internal control procedures ensure Trustees can be confident that governance, internal control and risk management arrangements are reviewed regularly and are appropriate and efficient. Committee structures ensure appropriate delegation of responsibilities. [The] Charity Commission Risk Management Checklist [is] considered by the Board.”
Risk management is, and should be within the nonprofit board’s domain. The risks facing the organization affect its ability to pursue the nonprofit’s mission as well as the overall health and sustainability of the organization. As stewards of the nonprofit’s mission and trustees of its financial and other assets, the board has a vital role to play in making certain that risks are identified, considered and acted upon. There is no single ideal way in which to integrate risk management into board operations. For start-up, active boards the topic of risk management may arise throughout the year as the board reviews and acts on proposals to expand programs and services to the nonprofit’s clientele. In more mature organizations where the board avoids involvement in day to day issues and focuses its attention on matters of policy, the consideration of risks and risk management interventions may be more structured, perhaps similar to the board’s role in the nonprofit’s strategic planning process.
Regardless of a particular board’s philosophy concerning governance or the age and maturity of the nonprofit, the subject of risk and consideration of risk management goals and strategy fall squarely within the oversight role of the nonprofit board. A nonprofit board cannot discharge its duty of care without considering events and circumstances that could derail the organization’s mission. Nonprofit boards in the U.S. have a lot to learn from their counterparts in the U.K., Canada and Australia, where risk awareness and risk management strategy are welcome topics on the board’s agenda.
The author welcomes your comments and feedback on the subject of boards and risk management at Melanie@nonprofitrisk.org.