Estimated Reading Time: 7 minutes
By Melanie Lockwood Herman
One of the most common risk management tools is a detailed list or inventory of ‘threats’ facing an organization. Many risk leaders refer to their ever-expanding, sometimes colossal spreadsheet as a “risk register.” During our 25 years of guiding risk teams through risk analysis, we’ve discovered that risk inventories and registers are often an unfortunate waste of time. And at their worst, risk registers are a dangerous sinkhole from which an earnest risk team never emerges.
The first dangerous premise behind an inventory or risk register is the belief that jotting down threats, worries, or concerns is somehow ‘managing’ risks. Another problematic supposition is that scoring risks (based on wild guesses by an insular team asked to predict likelihood and impact) is the best way to prioritize risk action.
As assiduous effort is applied to the register construction project, it grows longer, wider, and less useful. Additional columns are added, making the register impossible to print. When a plethora of ‘activities’ is added, the font size is often reduced, making the register impossible to read. But worse, as the register grows, it loses any semblance of being a plan or call to action. Filled with notations about ‘owners,’ nonsensical scores, and endless lists of activities, they convey busywork instead of top priorities or intended results.
Unprintable, unreadable, and uninspired, the risk register becomes something that risk champions are shackled to rather than a North Star that guides teams to a purposeful destination. Successful risk teams, programs, and functions focus on a handful of initiatives that will make a real difference.
If you want to make one meaningful change to your risk management program this year, resolve to dispense with inventories and registers in favor of OKRs or a Risk Action Plan. While these are certainly not the only practical alternatives to the risk register, both are worth considering!
OKRs—Objectives and Key Results—were the brainchild of Andy Grove. Grove was a Hungarian-born American businessman, engineer, and author who served as President, then CEO, and finally Chairman of the Board of Intuit, before his retirement in 2005. Using OKRs is a way to inject purpose and measurable results into your risk program.
A second alternative to the risk register is a Risk Action Plan—a printable, readable document—that explains the mission, specific goals, and measurable or time-bound priorities of the risk team this year. The Risk Plan could also include a forecast or sneak peek of future risk priorities, a visual our team sometimes calls a Risk Maturity Model.
An objective is what you are trying to achieve. In the book Measure What Matters, John Doer writes that “By definition, objectives are significant, concrete, action oriented, and (ideally) inspirational.”
What is the fundamental purpose or objective of your risk program this year?
For example:
Key results are specific, measurable, time-bound, realistic, and aggressive. They describe how you will get to the objective. Key results are either met or not met. In organizations with a large risk function or department, there may be multiple objectives per quarter or half-year, with key results that cascade from each objective.
Below are examples of OKRs for two hypothetical nonprofit risk teams.
Fewer than 25% of ABC Nonprofit’s team members believe that the organization is poised and capable of expanding its service area by 50% safely and effectively. Top worries include the inability to adequately staff programs and challenges developing lasting relationships with funders in the new service expansion areas.
Objective:
Create a risk-aware frame for decision making that supports the expansion of our service area by 50%.
Key Results:
During the past three years, accidents/injuries, lost work time, and turnover have increased at PDQ. Additionally, the latest engagement survey shows declining morale and engagement.
Objective:
Identify the root causes for an increase in accidents/injuries, lost work time, and turnover to inspire action to reverse the trend in all three areas.
Key Results:
As Peter Drucker observed, “Without an action plan, the executive becomes a prisoner of events. And without check-ins to reexamine the plan as events unfold, the executive has no way of knowing which events really matter and which are only noise.”
Below is an example of a Risk Action Plan for a hypothetical nonprofit.
Risk Action Plan for Noble Nonprofit
FY 2021
WHO: The risk function at Noble consists of a full-time Risk Manager and a committee of staff volunteers called the Risk Task Force. Every staff member at Noble brings the risk function to life by sharing their creative ideas, expertise, and first-hand experience delivering client services or providing back-office support.
WHAT: The purpose of the risk function is to inspire and support the bold action necessary to achieve our mission.
HOW: During 2021, the top 4 priorities of the risk function are:
Action is at the heart of these two methods for reimagining your risk practice. We urge you to start focusing on what your team can do about risks to bold decisions and actions and how to measure your results and progress. To do so, you need to stop throwing proverbial darts at targets for likelihood and probability and stop wishing and hoping that your risk register will inspire action and confidence. Give yourself—and your risk team—permission to step back and focus on an overarching purpose and a short list of meaningful, achievable key results or impacts that will make a difference to your mission this year.
“First let me congratulate you on a conference well done. I had a great time at the Nonprofit Employee Benefits Conference and walked away with some valuable tools and questions that we’ll need to be addressing in both the short and long term. Thanks to you and your staff for all you do to provide us with quality resources in support of our missions.”
“BBYO’s engagement of the Center to conduct a risk assessment was one of the most valuable processes undertaken over the past five years. Numerous programmatic and procedural changes were recommended and have since been implemented. Additionally, dozens (literally) of insurance coverage gaps were identified that would never have been without the work of the Center. This assessment led to a broker bidding process that resulted in BBYO’s selection of a new broker that we have been extremely satisfied with. I unconditionally recommend the Center for their consultative services.
“Melanie Herman has provided expert, insightful, timely and well resourced information to our Executive Team and Board of Directors. Our corporation recently experienced massive growth through merger and the Board has been working to better integrate their expanded set of roles and responsibilities. Melanie presented at our Annual Board of Director’s Retreat and captured the interest of our Board members. As a result of her excellent presentation the Board has engaged in focused review which is having immediate effects on governance.”
“The Nonprofit Risk Management Center has been an outstanding partner for us. They are attentive to our needs, and work hard to successfully meet our requests for information. Being an Affiliate member gave us access to so many time- and money-saving resources that it easily paid for itself! Nonprofit Risk Management Center is truly a valued partner of The Community Foundation of Elkhart County and we are continuously able to optimize staff time with the support given by their team.”
“The board and staff of the Prince George’s Child Resource Center are extremely pleased with the results of the risk assessment conducted by the Nonprofit Risk Management Center. A thorough scan revealed that while we are a well run organization, we had risks that we never imagined. We are grateful to know that we have now minimized our organizational risks and we recommend the Center to other nonprofits.”
Great American Insurance Group’s Specialty Human Services is committed to protecting those who improve your communities. The Center team has committed to delivering dynamic risk management solutions tailored to nonprofit organizations. These organizations have many and varied risk issues, hence the need for specialized coverage and expert knowledge for their protection. We’ve had Melanie speak on several occasions to employees and our agents. She is always on point and delivers such great value. Thank you for the terrific partnership and allowing our nonprofits to focus on their mission!