What we know about risk
Risk and uncertainty are forces that are part of everyday life. Consider the painter propping up a ladder to paint the side of a house: once the ladder has been spread open and placed in the right position, the painter will give it a good shake from side to side.
By bombarding the ladder with physical forces, the painter is simulating how stable the ladder will be when he climbs up to paint the house. The same is true in business. Check some of your stable business platforms and give them a good shake: are there any new risks that fall out?
There is more to risk than what you can see. The notion of enterprise risk is that it occurs at each of your organization's touch points. This would include: Strategic, compliance, financial, operation, environmental and reputation.
How do you view risk?
The term risk has a complex history. Taken from a European context, before the nineteenth century, the term was inherently neutral and could be applied to both positive and negative situations.
The two main formal definitions of risk are from Standards Australia (Australia) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO, USA). They are very similar in intent, and can help you focus on the strategic upside of risk, rather than the potential for loss.
For example, the Australian/New Zealand Standard AS/NZS 4360/2004 defines risk management as:
“The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”
In many organizations today, risk has been separated from all positive connotations. When asked to define risk, it's not uncommon to hear any one of the following:
"Risk is something negative that happens to our organization."
"With risk comes the potential for loss."
"Risk is often correlated with fraud and a loss of confidence."
Take one more step and we can cross over into an even more dire understanding of risk:
"Risk management is something we are forced to carry out."
"Risk is a compliance issue."
"Risk has no bearing on our day to day work."
If risk is viewed purely as negative, the management of risk is limited to controlling its adverse effects. If your environment or marketplace is peppered with legitimate risk, it's quite likely therein lies untapped opportunities.
Choosing to approach risk management as nothing more than an expenditure of time, money or resources-better-spent-elsewhere, shuts down a more creative approach to managing risk.
Consider risk as opportunity
What if risk didn't just mean a negative deviation from the expected result? What if risk was actually hidden opportunity – perhaps even the source of your next innovation?
If your organization chooses to take a positive point of view on risk, or at least a more constructive viewpoint, how would staff then begin to manage risk in their own areas of responsibilities ─ even in the face of complete uncertainty?
Let’s take a common risk many organizations face: loss of government funding due to a change in policy.
In this example, the potential to occur is often high due to the nature of political cycles. In the event a loss of government funding does occur, the impact is typically high as well due to the dollar value of contracts. This is compounded if the controls currently in place are inadequate or non-existent.
Firstly, how do you minimize the potential for a loss of government funding to occur?
Some ideas you may consider:
Inform the relevant government departments of your achievements beyond the stipulations of the contract. Convey your sincere gratitude for the opportunity to run your programs due to this government assistance, highlighting the positive impact (the small and big wins) it is already having.
Provide very clear metrics to show the impact this program is having and provide these on a more than required basis.
Gather community evidence (anecdotes, stories, formal assessment by community etc) that highlight the parts of the program that are working really well and share this with government
All the above will assist in minimizing the potential for government funding to be cut.
How do you create opportunity from the process of minimizing the chance of a loss in Government funding?
Opportunity:
Leverage the creation of a stronger working relationship with the relevant Government department
Manage the perception of the Government department so they view us as a high performing organization that gets their policy imperatives
As a result, the Government is more likely to come to you for advice, or to run a trial or pilot program if and when required
Secondly, how do you minimize the impact if you do lose your Government funding?
Some ideas to consider:
Prepare your staff with a cross section of relevant skills, allowing them to move around areas of the organization if restructuring is required
Ensure staff have access to the skills that will provide flexibility if moving to a new contract base
Diversify your funding streams so you are not reliant on one or two lone sources on income
How do you create opportunity from the process of minimizing the impact of a loss in Government funding to your organization:
Opportunity:
Potentially increased revenue streams, leaving the organization less vulnerable in the future
Greater flexibility in the workforce – this could help generate more innovative programs
Seen as an employer of choice
Reputation for innovation and flexibility (which in turn attracts other forms of funding)
Uncovering your organization's attitude toward risk
A culture of risk aversion is not uncommon, particularly within small organizations. Understand how your organization interprets risk with the following questions:
How do our staff view risk?
How does our leadership team view risk?
How does the chief executive view risk?
How does the Board view risk?
What would it take for all organizational risk stakeholders to view risk as strategic advantage?
Introducing Risk Management 2.0
Effective risk management involves awareness. Consider the risks at work in your organization, the potential opportunities they bring and the ease with which these risks can be managed.
In the matrix below, the left-hand column identifies a typical risk management process: stimulus and response. The column on the right challenges the rigid definition of risk, includes the treatment of risk in everyday activities and places risk management in the hands of all employees.
This highlights that risk is not just about compliance. It's about the way we look at our organization and the work we do to unlock potential opportunities and innovation.
The key questions that the CEO and the board need to be aware of regarding risk include:
What are the potential risks from the points of view of those people who know our organization (including stakeholders)?
Are the risks higher or lower than in the past, what has changed and do we have to do anything about it?
What would it take for our organization to reduce or avoid the occurrence of the identified risks, and how can we turn this to our strategic advantage?
Are the risks being monitored on an ongoing basis?
How to create a risk management plan that can generate revenue and Expose innovative Ideas
1. Identify all potential risks
Identifying risks involves not having a fixed point of view of what constitutes risk. To mitigate your own biases, enlist the help of internal and external stakeholders. This may include:
Board of Directors
Staff who are responsible for relevant areas
Part time staff, contractors, others who conduct programs on your behalf
People affected by your services: clients, volunteers, members
Union or staff representative groups such as the Safety Committee
Funding bodies such as banks, government agencies, grant givers
Regulatory entities
Politicians who may have an electoral or portfolio interest
Suppliers
Media
Proceed to identify the risks that are identified in your:
Classes of assets in your Asset Register
Profit & Loss statement line items
Strategic and Business Plan
Health and Safety reports
Benchmark against other organizations (swap risk registers/plans)
2. Rank risk according to its potential to occur and possible impact
After the relevant stakeholders have been identified, decide whether to send them a Risk Identification Survey, or conduct a short telephone interview, focus group or other mechanism aimed at identifying these risks. (Use a spreadsheet so you can sort, add and compile.)
The risk survey should be short and easy to fill in. Point out that you are collecting their views about the risks they perceive the organization faces. Possible questions may include:
"List all major activities/projects you are involved in relevant to the organization."
"For each activity/project: Describe Perceived Risk and how it might occur."
"How do we turn this to strategic advantage?"
Compile the returns into a spreadsheet.
Download a Risk Management Template Bundle
Including: Sample risk register, risk treatment plan and a compliance breach register
Agree on the definitions to be used. The level of risk is determined by the relationship between the potential (frequency or probability of the risk occurring) and the consequence (impact or magnitude of the effect) and the robustness of the existing control mechanisms for that risk. Which is why we need to have a Board-approved set of definitions of levels of risk.
Each risk identification in the Risk Library should be analyzed for its potential to occur, and simultaneously be analyzed for its impact to the organization if it does occur. Reference this against the quality of the existing controls for that risk. The best way to ensure that everyone is on the same page is to create a list of agreed definitions for each of the potential, impact and control components (you can see an example of this in the free download above).
It is essential for the Board's risk management committee or equivalent – (e.g. Finance and Audit committee) sign off on these definitions, as they form the basis of identifying the key risks, and therefore the focus of the Board.
Identifying those risks that will have the greatest impact on the ability of your nonprofit to deliver against your strategic objectives then becomes much simpler. They are those risks with the highest scores – i.e., high potential to occur, high impact if they do occur and ineffective existing controls.
These risks are then put into a risk system (most common is a spreadsheet or 'risk library').
3. Create a risk treatment plan
From there, each key risk needs to have a "treatment" plan (effectively meaning: what are we going to do about the risk?). Most treatment plans focus on reducing the risk. However, if risk is "anything that will impact on your ability to deliver against your strategic objectives", risk management should therefore not only be about reduction or mitigation, but how in addition strategic advantage can be derived from understanding and managing that risk.
The risk committee (or equivalent) can then develop treatment plans for each of the identified risks, starting with the highest rated risks. A risk treatment plan should follow the principles of good project management.
Taking your treatment plan to the next level
The one thing that will make your risk management plan create true value for your nonprofit organization is if you also include a section for each risk in the plan that explores "Strategic Advantage."
Ask the question: "How can we turn this risk and our treatment of it into strategic advantage?"
Each key risk is, in fact, something that will impact on your ability to deliver against your strategic objectives. Therefore, key risks will have key strategic impacts and major strategic advantages if managed well. Your job is to identify these advantages and leverage off them.
What is the nonprofit Board's role in managing risk?
1. Agree on and monitor the 3 or 4 critical risks facing the organization.
Regular Board reports that analyze these critical risks, their monitoring and treatment provide the Board with strategic information regarding the key drivers of the business. The Board’s role in monitoring these risks is not to ensure they don’t occur, but to turn these risks into strategic advantage.
2. The Board is responsible for approving and monitoring the risk management policy.
This responsibility is among one of the Board’s most important, as it commits the Board and the organization to best practice risk management.
3. Establish key performance indicators (KPIs) for the Chief Executive Officer.
One of the most effective ways to ensure that staff, especially the CEO, treats risk productively, is to establish one or two KPIs for the CEO that reflect the risk monitoring and management responsibility of that position.
4. Embed risk into the strategic discussions and analysis of the Board.
Risk awareness can best be embedded in the organization if some simple guidelines are followed.
When conducting strategic planning, conduct a SWOR (not a SWOT) analysis – i.e., Strengths, Weaknesses, Opportunities and Risks. These risks can then be added to your Risk Library, and provide further opportunities for identifying strategic advantage.
Only accept project plans or action plans if a risk element has been added to the project plan. For example, an action plan might have the headings of:
Scope
Start date
Finish date
Project Manager
Resources
Success Measures
Ethical implications
Risk
Once the risk has been identified, the management of that risk is much easier.
When deliberating on decisions at the Board meeting, ask the risk question: “What are the risks inherent in this proposal, and how can we turn these risks into strategic advantage?” It is your responsibility to ensure managing risk is an ongoing strategic process, not a compliance issue.
Was this article useful in creating a risk management strategy? Leave your comments in the fields below.
Need Help With Risk Management?
Conscious Governance is a premium provider of risk management services including formal Risk Management Plan Facilitation, Risk Management Processes Audit and In-house Board & Senior Executive workshops. Click Here To Learn More About What We Do →