Make Progress in Your Risk Program Real, Not a Mirage

By Melanie Lockwood Herman

In their terrific book, Risk: A User’s Guide, authors McChrystal and Butrico describe “structure” as one of 10 dimensions of building a “Risk Immune System.” But they caution readers that changing the structure of a function may not necessarily mean the function is improving.

Experienced nonprofit leaders know the illusion and confusion of so-called structural changes. Many years ago, I worked at an association that frequently made structural changes because our CEO couldn’t bear to fire someone. Instead of letting someone go, our CEO would announce that due to an important “structural” change, so-and-so’s position had been eliminated.

Productive Progress

Examples of productive goals for a nonprofit risk function include:

  • Transform risk briefings to oversight teams from monologues into engaging conversations
  • Save time and energy, and stop kidding ourselves, by removing references to risk likelihood; focus on readiness to respond instead of odds
  • Replace a run-on list of vague ‘risks’ with a clear Risk Action Plan. McChrystal and Butrico remind us that:
    • “…we can’t live life inside a spreadsheet trying to tabulate the countless risks that we encounter every day. Even if we were to determine mathematically what the best move is, we can’t ever account for all factors, and in a fast-moving, complex environment, such an approach would likely increase risk by giving an illusion of completeness impossible to attain.”
  • Revamp an uninspired incident reporting process with an approach that generates insights on trends and creative ideas to bolster reporting (See “How to Build and Fortify a Critical Incident Process,” in the Fall 2022 edition of Risk Management Essentials.)
  • Identify the 3 to 5 most concerning vulnerabilities and implement reasonable plans to reduce those vulnerabilities
  • Develop flexible contingency plans for 3 possible scenarios (for example, sudden disruptions to teams, facilities, client needs or demand, supply chain, funding streams, etc.)
  • Teach 3 front-line teams to ‘unpack’ and act in the face of risks that could disrupt their top priorities

Singular Sensation

In his book The One Thing, Gary Keller writes that “While to-dos serve as a useful collection of our best intentions, they also tyrannize us with trivial, unimportant stuff that we feel obliged to get done—because it’s on our list.” Is the work plan for your risk function a tyrannical, trivial to-do list? Keller urges his readers to divide their work lives into two distinct areas: 1. what matters most, and 2. everything else.

As you prepare for a new year of possibilities, surprises, and inevitable uncertainty, consider choosing clear statements of purpose and intent instead of lengthy lists of busy work. Fill in the blanks to describe what will matter most.

What Matters Most List

In the coming year, the #1 goal of our risk function will be _____________________________

One thing we will finally START doing is _________________________________________

We will practice ________________________________ until we get the hang of it and learn from the experience

One experiment we will try next year is __________________________________________

Instead of ignoring or discounting naysayers, we will _________________________________


Everything Else List

One thing we will NOT do next year is ____________________________________________

Another thing we will NOT do next year is _________________________________________

An unrealistic goal I’m going to put aside is ________________________________________


McChrystal and Butrico remind us that we have “far more control than we think we do.” And with that control comes responsibility, often more than we may want to accept. They urge us to focus on what we can do in the face of risk, instead of wasting time guessing about probabilities.

The authors urge leaders to:

  • Detect threats.
  • Assess the risk they represent, based on our own vulnerabilities.
  • Respond to avoid or mitigate any negative effects of the risk.
  • Learn so that we are well prepared if the risk reappears.

Their insights inspired some additional priorities for me:

  • Detect a small number of potential threats and promising opportunities.
  • Ponder the range of risks (what if events—positive and negative), due to your nonprofit’s current vulnerabilities.
  • Draft simple, straightforward, practical plans to reduce vulnerabilities and increase readiness.
  • Document what you’ve learned so you’ll be better prepared if the risk remains OR disappears and reappears.

If you’ve ever watched a classic film set in a desert, you’ve likely seen the desperate look on a thirsty traveler’s face when they experience a mirage: an optical illusion that occurs when the ground is very hot, the air is cool, and light is refracted (bent). The traveler’s brain imagines the light coming from the ground, instead of bending in a U-shape. Many risk leaders set their sights on goals that seem straightforward, only to discover, over time, that goals and plans are refracted and out of reach. Certainty is a mirage. But clear risk action planning can help your team identify an attainable destination and map an approach, no matter what surprises emerge.


Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. She invites you to reach out to share how you’re making real progress and embracing reachable goals in your risk function at or 703-777-3504.


Looking for More Inspiration?

“Take Action on Risk: Make a Plan, Not a List,” RISK eNews

“Risk Leadership Life Hacks,” RISK eNews

“Keep it Real: Choose Rational Risk Resolutions,” RISK eNews