Estimated Reading Time: 10 minutes
Executive Director
Although a growing number of nonprofit leaders profess to be ready for Enterprise Risk Management, a far greater number admit that their operational risk management programs are far from adequate. What is operational risk management? The term refers to risk identification, risk assessment and risk management activity focused on day-to-day activities and functions. There are various ways to organize and reflect on ORM work. Two common approaches within nonprofits are:
To help understand the key challenges and “musts” in operational risk management, I’ve reached out to two experienced, wise consultants: Diana Del Be Belluz from Risk Wise Inc., and Michael Gurtler from Safe-Wise Consulting. Both consultants boast long track records of coaching and advising nonprofit organizations. We are fortunate at the Center to be able to lean on and turn to Diana and Mike for practical advice and timely wisdom on a wide range of risk topics.
Diana. The first component is establishing clarity around objectives, roles, and responsibilities. To achieve the goals of any important activity— including risk management—every team member needs to know exactly how he or she is expected to contribute. The second component is to deliver excellent performance. This includes identifying the right resources (including people, processes and systems) and managing those resources according to an agreed-upon strategy. The third component is to develop capabilities to handle unexpected or uncontrollable factors.
Mike. I think Diana hits the nail on the head with her response. I’d add two things to compliment her suggestions. I see many organizations struggle with risk management because it is not part of their culture. They think of it as this BIG thing and cannot get everyone to be part of it. So, I strongly suggest that after we establish clarity around objectives, roles and responsibilities as Diana points out, we must train our staff and volunteers early and often. Risk management should be part of the onboarding and orientation process. Make sure people know what they need to do and why they need to do it. It’s not just good practice but there is a reason to do things; that way they’ll get a better understanding of managing risks. Our culture at nonprofits is driven by our staff and volunteers; they must be our risk management champions. For example, we don’t just put yellow ‘caution wet floor’ signs out when it rains or when we mop; we do it for a reason — to help prevent slips and falls, a leading cause of injuries at nonprofits. Secondly, I’d add that we must be constantly reevaluating our risks, processes and strategies. Nonprofits are moving in many different directions and continuously evolving. Our risks frequently change too. How we manage them and what we learn from monitoring our successes is critical information we can use to grow with these changes.
“Effective nonprofits must be ready and resilient, because there will always be surprises and events will unfold that are different from what they expect.”
Diana Del Bel Belluz
Diana. Effective nonprofits must be ready and resilient, because there will always be surprises and events will unfold that are different from what they expect. The three strategies for dealing with the unexpected include:
Mike. Two parts of risk management are prevention and control. Obviously prevention is keeping bad stuff from happening. Most organizations understand that part better and can generally figure out how to prevent common risks from causing harm. The control part seems a bit more fluid for some organizations and can be more difficult to understand. Control involves how we react to incidents to reduce negative outcomes. I also think it involves getting back to “normal” as quickly as possible. Certainly accidents do happen and many times we cannot do much to prevent them. Take the example of a severe weather event. We cannot keep the weather from damaging our building but we can plan ahead and be ready to cope with the damage to lessen its impact on our mission. We can “batten down the hatches” so to speak, we can keep abreast of oncoming events (cultivating awareness as Diana suggests), and we can be ready to react when bad things happen by establishing protocols for response, repair and resumption of operations. Most of all I think we must remember that many incidents that we cannot control are not the end of the world. We need to stay calm, follow our plan with cautious optimism and move through the tough times.
“We need to stay calm, follow our plan with cautious optimism and move through the tough times.” Mike Gurtler”
Diana. Most operational environments in the nonprofit sector are characterized by change. Of course some changes are within an organization’s control (such as a restructuring), while others fall outside the entity’s control (such as new regulatory requirements, changing demographics, etc.). Scenario planning can be an effective tool for anticipating how this will turn out. Nonprofit leaders should adopt the good practice of considering a range of potential outcomes rather than focusing on a single scenario or potential outcome. A simple way to do this is to imagine both the extreme, worst case scenario as well as a typical or expected case, and then a third outcome somewhere in between. Based on these three possibilities the risk team can identify what steps it will take today to prepare for all three possibilities, and what changes or action will be required if one of the three outcomes becomes reality.
Mike. As much as we like to think we are extremely unique, I usually find that many nonprofit organizations have more in common then they recognize. I think it is key to using our resources around us when we’re trying to identify and manage risks. As a consultant I do not know all the answers (yeah, really) but I usually know where to find them. Each organization has a network for professional contacts and peers that have probably been down the road before. Good risk managers keep their ears open, read a lot and seek out other’s experiences to complement their own. A strategy in identifying and evaluating risks is seeking out information. This information is readily available from peers, other organizations, insurance agents, insurance companies, consultants and professional publications. Oh, and go to the Risk Summit every year to learn from others and fill your risk management tank with fuel.
Go to the Risk Summit every year to learn from others and fill your risk management tank with fuel.
Diana. One challenge is finding the level of responsible risk-taking that avoids the extreme positions of reckless gambling and risk aversion. Taking responsible risks, after all, is a necessary part of nonprofit life. A second challenge is the fact that risk cannot be measured directly. Risk must therefore be estimated, and involves judgment. A risk that is perceived as potentially significant to a nonprofit warrants a greater commitment to information-gathering and analysis and perhaps even the construction of a risk model. For smaller risks, leaders are more likely to rely on past experience and judgment.
Mike. A common challenge in dealing with the day-to-day is turnover in leadership. Many organizations experience turnover in the “boots on the ground” sector of their operation on a fairly regular basis. Keeping people up-to-date and current on the risk management plan is difficult when they are still learning their jobs. I also think that sometimes we can get complacent about things when we go through a period of what I call “incident prosperity.” In other words, during a long stretch when downside risks haven’t materialized, we back off on practices and procedures that were once considered minimum standards. The “it doesn’t happen here” or “hasn’t happened here in ages” attitude starts to take over. Besides, it’s always easy to say that our mission and budget are far more important. Why spend all that time on stuff that “never” happens!?! Those thoughts, no matter how common, are a recipe for disaster… so says Mr. Murphy.
Diana. All nonprofits manage operational risk to some degree, or they would not survive! However, the most common weakness in risk management is that risk practice is often ad hoc, rather than thoughtful and systematic. It’s important to remember that strong operational risk management programs place equal emphasis on: identifying risks related to the delivery of services and key functions in the organization, and evaluating whether steps taken to date are “The most common weakness in risk management is that risk practice is often ad hoc, rather than thoughtful and systematic.”adequate to help the nonprofit respond and rebound. Making an inventory of top risk concerns and current risk management steps, strategies and policies is a good way to start the process. Also, it’s incredibly important to learn from risk events. Any crisis, loss or failure offers potentially invaluable lessons. But to learn from these experiences it’s vital to ask:
Finally, the importance of a culture that supports risk management is key.
Nonprofit leaders can encourage a culture of risk management by taking three steps.
Mike. Get help when you’re in over your head or maybe even when you feel like your risk management “water wings” are beginning to deflate. There are lots of sources you can turn to for help. One resource can be a risk management committee that has a clear directive, is led by an effective volunteer and actively meets goals; this is a great asset to any organization. They can help provide the view from 30,000 feet that operational risk management sometimes misses. Updating and fortifying your operational risk management program starts with acknowledging that your nonprofit is already doing a lot to understand and manage the risks that arise from operations. And by taking the sage advice offered by Diana and Mike, you can avoid the mistakes and false starts that others have experienced. Finally, don’t hesitate to reach out to our team at the Nonprofit Risk Management Center for advice and support on your journey.
Melanie Herman is Executive Director at the Nonprofit Risk Management Center. She welcomes your feedback and questions about any risk management topic at Melanie@nonprofitrisk.org or 703.777.3504.
Diana Del Bel Belluz (Diana.Belluz@riskwise.ca) and Michael Gurtler (mgurtler@safe-wise.com) welcome your questions as well.
“First let me congratulate you on a conference well done. I had a great time at the Nonprofit Employee Benefits Conference and walked away with some valuable tools and questions that we’ll need to be addressing in both the short and long term. Thanks to you and your staff for all you do to provide us with quality resources in support of our missions.”
“BBYO’s engagement of NRMC to conduct a risk assessment was one of the most valuable processes undertaken over the past five years. Numerous programmatic and procedural changes were recommended and have since been implemented. Additionally, dozens (literally) of insurance coverage gaps were identified that would never have been without the work of NRMC. This assessment led to a broker bidding process that resulted in BBYO’s selection of a new broker that we have been extremely satisfied with. I unconditionally recommend the Center for their consultative services.
“Melanie Herman has provided expert, insightful, timely and well resourced information to our Executive Team and Board of Directors. Our corporation recently experienced massive growth through merger and the Board has been working to better integrate their expanded set of roles and responsibilities. Melanie presented at our Annual Board of Director’s Retreat and captured the interest of our Board members. As a result of her excellent presentation the Board has engaged in focused review which is having immediate effects on governance.”
“The Nonprofit Risk Management Center has been an outstanding partner for us. They are attentive to our needs, and work hard to successfully meet our requests for information. Being an Affiliate member gave us access to so many time- and money-saving resources that it easily paid for itself! Nonprofit Risk Management Center is truly a valued partner of The Community Foundation of Elkhart County and we are continuously able to optimize staff time with the support given by their team.”
“The board and staff of the Prince George’s Child Resource Center are extremely pleased with the results of the risk assessment conducted by the Nonprofit Risk Management Center. A thorough scan revealed that while we are a well run organization, we had risks that we never imagined. We are grateful to know that we have now minimized our organizational risks and we recommend the Center to other nonprofits.”
Great American Insurance Group’s Specialty Human Services is committed to protecting those who improve your communities. The NRMC team has committed to delivering dynamic risk management solutions tailored to nonprofit organizations. These organizations have many and varied risk issues, hence the need for specialized coverage and expert knowledge for their protection. We’ve had Melanie speak on several occasions to employees and our agents. She is always on point and delivers such great value. Thank you for the terrific partnership and allowing our nonprofits to focus on their mission!