By Melanie Lockwood Herman
In their terrific book, Risk: A User’s Guide, authors McChrystal and Butrico describe “structure” as one of 10 dimensions of building a “Risk Immune System.” But they caution readers that changing the structure of a function may not necessarily mean the function is improving.
Experienced nonprofit leaders know the illusion and confusion of so-called structural changes. Many years ago, I worked at an association that frequently made structural changes because our CEO couldn’t bear to fire someone. Instead of letting someone go, our CEO would announce that due to an important “structural” change, so-and-so’s position had been eliminated.
Examples of productive goals for a nonprofit risk function include:
- Transform risk briefings to oversight teams from monologues into engaging conversations
- Save time and energy, and stop kidding ourselves, by removing references to risk likelihood; focus on readiness to respond instead of odds
- Replace a run-on list of vague ‘risks’ with a clear Risk Action Plan. McChrystal and Butrico remind us that: “…we can’t live life inside a spreadsheet trying to tabulate the countless risks that we encounter every day. Even if we were to determine mathematically what the best move is, we can’t ever account for all factors, and in a fast-moving, complex environment, such an approach would likely increase risk by giving an illusion of completeness impossible to attain.”
- Revamp an uninspired incident reporting process with an approach that generates insights on trends and creative ideas to bolster reporting (See “How to Build and Fortify a Critical Incident Process,” in the Fall 2022 edition of Risk Management Essentials.)
- Identify 3 to 5 most concerning vulnerabilities and implement reasonable plans to reduce those vulnerabilities
- Develop flexible contingency plans for 3 possible scenarios (for example, sudden disruptions to teams, facilities, client needs or demand, supply chain, funding streams, etc.)
- Teach 3 front-line teams to ‘unpack’ and act in the face of risks that could disrupt their top priorities
In his book The One Thing, Gary Keller writes that “While to-dos serve as a useful collection of our best intentions, they also tyrannize us with trivial, unimportant stuff that we feel obliged to get done—because it’s on our list.” Is the work plan for your risk function a tyrannical, trivial to-do list? Keller urges his readers to divide their work lives into two distinct areas: 1. what matters most, and 2. everything else.
As you prepare for a new year of possibilities, surprises, and inevitable uncertainty, consider choosing clear statements of purpose and intent instead of lengthy lists of busy work. Fill in the blanks to describe what will matter most.
What Matters Most List
In the coming year, the #1 goal of our risk function will be _____________________________
One thing we will finally START doing is _________________________________________
We will practice ________________________________ until we get the hang of it and learn from the experience
One experiment we will try next year is __________________________________________
Instead of ignoring or discounting naysayers, we will _________________________________
Everything Else List
One thing we will NOT do next year is ____________________________________________
Another thing we will NOT do next year is _________________________________________
An unrealistic goal I’m going to put aside is ________________________________________
McChrystal and Butrico remind us that we have “far more control than we think we do.” And with that control comes responsibility, often more than we may want to accept. They urge us to focus on what we can do in the face of risk, instead of wasting time guessing about probabilities.
The authors urge leaders to:
- Detect threats.
- Assess the risk they represent, based on our own vulnerabilities.
- Respond to avoid or mitigate any negative effects of the risk.
- Learn so that we are well prepared if the risk reappears.
Their insights inspired some additional priorities for me:
- Detect a small number of potential threats and promising opportunities.
- Ponder the range of risks (what if events—positive and negative), due to your nonprofit’s current vulnerabilities.
- Draft simple, straightforward, practical plans to reduce vulnerabilities and increase readiness.
- Document what you’ve learned so you’ll be better prepared if the risk remains OR disappears and reappears.
If you’ve ever watched a classic film set in a desert, you’ve likely seen the desperate look on a thirsty traveler’s face when they experience a mirage: an optical illusion that occurs when the ground is very hot, the air is cool, and light is refracted (bent). The traveler’s brain imagines the light coming from the ground, instead of bending in a u-shape. Many risk leaders set their sights on goals that seem straightforward, only to discover, over time, that goals and plans are refracted and out of reach. Certainty is a mirage. But clear risk action planning can help your team identify an attainable destination and map an approach, no matter what surprises emerge.
Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. She invites you to reach out to share how you’re making real progress and embracing reachable goals in your risk function at Melanie@nonprofitrisk.org or 703-777-3504.