Talking Cures: Authentic Risk Management

By Melanie Lockwood Herman

Inspiration for RISK eNews often comes from the work we do answering day-to-day RISK HELP questions from our Affiliate Members. It also comes from the more cerebral work of helping our consulting clients build durable risk management frameworks, resources, and plans. RISK HELP is almost-always delivered through one or more brief conversations with a member, while guidance from our consulting team is typically delivered in the pages of a report.

This month, for example, we’ve been working to help a nonprofit with incredibly complex challenges build its Enterprise Risk Management capabilities. Once in place, these will fortify the organization’s humanitarian mission. As part of this work we’ve been discussing—amongst ourselves and with the client’s risk champions—the difference between evidence of risk management and meaningful risk management.

In the evidence column we often unearth countless risk registers. Yet even leaders who dutifully completed these registers acknowledge that filling in the columns with labels, phrases, and numbers generally doesn’t change how staff within the organization experience or cope with inevitable risk. True, as after taking a standardized test, there’s a sense of satisfaction when every oval has been filled in with lead, a sigh of relief, but where’s the inspiration for what’s next?

As team member Erin Gloeckner explained in her recent article, Revamp Your Risk Register, “Of the conventional, commonplace risk management tools, the risk register seems to reign supreme.” If not in a risk register, where would you look for—and find—meaningful risk management?

In Beyond Management, author Mark Addleson explains why familiar, factory-inspired approaches don’t work for knowledge workers, and perhaps worse, that “The allure and illusion of tools . . . ranging from strategic plans to mission statements to IT systems and incentive bonuses, is that they make wicked problems appear tame.” In Chapter 12, titled “Conversations for aligning: openness, commitments, and accountability,” Addleson writes, “Wouldn’t it be nice if, whenever we found ourselves floundering, we could turn to a repertoire of conversations to help us move ahead—conversations that would help us negotiate through the thicket of tough problems, get unstuck and align?”

Voila! Meaningful risk management takes place across a series of thoughtful, open, and ongoing conversations. A facilitated team conversation is indeed risk management, but a risk register spreadsheet is not. Of course, a conventional (or not so) risk register and other tools can help plan for and document results of a facilitated conversation, but teams that are truly committed to acquiring and strengthening actual risk management capabilities must be careful not to conflate the use of risk tools with the development of actual risk management capabilities.

Make a List

Our brains love a good list. According to neuroscientist Walter Kintsch, the human brain processes lists more readily than narrative. Risk managers are human, too, and favorite lists include: risk process steps, risk categories (financial, facilities, fundraising, and so forth), and risk committee rosters. Recently, I’ve started using a mnemonic to help me recall different types of list.

Here are my 3Ms of risk conversation:

  • Risk moments: These are the ad hoc risk management activities, the judgment calls, and the informal conversations teams engage in to identify, monitor, and manage risks on the fly. For example, when a public health programming team begins designing a new health education program, and the team considers program-related safety risks to its field staff and clients. No formal risk management activity takes place, but the team members know from experience to safeguard the wellbeing of program participants and facilitators.
  • Risk meanings: Are the risk management activities that require skill-building, dedicated attention by a team of stakeholders, or formalized/structured meetings to make weightier risk-aware decisions and to address risk-related challenges (e.g., structured risk assessment exercises, risk appetite reconciliations, etc.). For example, a workshop to discuss the underlying conditions that impact the likelihood and timing of a future risk event, including its potential beneficial and concerning circumstances.
  • Risk movements: Are the long-term, aspirational risk-inspired initiatives that an organization strives to achieve, such as reaching milestones of risk management maturity and realizing an enterprise-wide culture of risk-aware decision-making. For example, during the next year we will train 50% of our staff to apply risk-aware thinking when making everyday decisions. We’ll gauge how and when the training has been applied at the end of the year, and use the results of that review to consider whether this approach is helping our team members optimize decisions in the face of uncertainty.

Risk Resolutions

To get “unstuck” and begin the transformation of your risk program from “list management” to authentic risk management, try these 3 tips:

  • Talk sooner, not later: When perceptions of risk pop into your brain, resolve to tell someone about it. Gather colleagues in the hallway or a huddle room to begin a conversation about today’s top of mind risk. Just as with exercise, Risk Moments bear repeating and become more comfortable with practice (muscle memory). You’re not going to solve a wicked problem in an informal Risk Moment, but you’ll get the conversation started, and that will lead you to next steps.
  • Don’t wait for complete information because it doesn’t exist: Many risk practitioners hold off on decisions, citing incomplete or insufficient data or evidence. It reminds me of a former client’s Controller who refused to wrap up a six-month-old accounting period because “there’s $1.26 I can’t account for in the bank reconciliation.” According to NRMC’s virtual CFO, decision paralysis in the accounting function isn’t terribly uncommon. Turning to the risk realm, our team often hears about risk brainstorming going according to plan, until it doesn’t. The process often gets stuck in a risk ranking or scoring rut. Diverse teams agree that a particular risk should be on the list, and even what some of the mitigating activities might be. But they often cannot agree on the numeric scores for “likelihood” and “impact.” Time is better spent on implementing risk management activities than on refining arbitrary risk scores.
  • Fine-tune your forecasts by ferreting out assumptions: In addition to his “game-changing question,” I once heard author Hal Gregersen ask, “How many things am I dead wrong about?” Remember to ask: “What future projections or expectations could I be dead wrong about?” When we conceptualize risk, we often forget that the one constant of risk is uncertainty. Risks often arise in unexpected ways, but people only plan for risk to arise the way they expect it to. We must continuously question our own assumptions about how risk will come to life.

As with any dialogic therapy, talk brings insight, identification, and catharsis. Nonprofit risk managers aren’t satisfied with just the evidence of risk management; meaning inspires them, and meaningful risk management inspires us.

Let’s talk.

Continue the Conversation

Melanie Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your stories and insights about meaningful risk management, candid conversations about risk, and recent revelations about what your nonprofit can and should be doing to adopt authentic risk management. Melanie can be reached at 703.777.3504 or