Designing a Durable, Doable Risk Management Function & Capabilities

By Melanie Lockwood Herman and Eric Henkel

Integrating risk-aware thinking and decision-making into day-to-day operations and strategic planning processes has become a priority for nonprofit organizations. Although many organizations demonstrate expertise managing risks related to programs, facilities, and clientele, the always-changing risk landscape in which nonprofit missions exist invites a broader and deeper approach to risk management.

How is the risk landscape changing? According to a recent State of Risk Oversight report from the Enterprise Risk Management Initiative at NC State, nearly 60% of the respondents indicated that the “volume and complexity of risks have increased ‘mostly’ or ‘extensively’ in the last five years.” This increase is one of the factors driving leadership teams to strengthen or formalize risk practice. The desire to evolve risk management is simple on its face, but a bit more complicated in its execution. Although many leaders ask the NRMC team members what they ‘should’ do to strengthen risk management, we often respond by turning the question back to the questioner: what might make sense for your nonprofit, at this point in its history?

One of the goals we’ve heard client teams reiterate time and time again, is to evolve risk management in a way that makes risk management skills—or the function itself— ‘baked-in,’ rather than ‘bolted-on.’ One possible motivator for a ‘baked-in’ risk function is the recognition that creating a new department of risk professionals is impractical and costly. Few leaders of ambitious nonprofit organizations have extra dollars or people available to support and fully-staff a new risk management function.

So how does an organization go about developing or evolving its risk management capabilities? Unfortunately, there is no simple step-by-step linear process that can be followed by every organization. In fact, it may be useful to think of structure design like juggling many objects of different sizes, types and weights. In the section below we offer guiding questions and principles to consider in creating a fit-to-suit or ‘one-size-fits-one’ risk management function and corresponding capabilities for your nonprofit.

Function with a Purpose

Before getting carried away with drafting new risk policies, cancelling too-risky activities, or adding risk responsibilities to existing job descriptions, ponder the purpose of your more intentional focus on risk management.

  • Consider the Catalyst – Consider whether there are external or internal catalysts for the effort. Common external catalysts include costly claims and lawsuits, fear of a breach of privacy event, changing requirements of accrediting agencies, or even regulatory changes. Familiar internal catalysts include a board member’s experience with risk management in another organization, recognition that the nonprofit lacks the nimbleness necessary to seize opportunities, or recognition of ineffective safety protocols in the wake of an accident, incident or near-miss. Fully assessing the catalyst(s) will position you to develop risk management capabilities that achieve your desired outcomes.
  • Evaluate the Skills Gap – What new skills or capabilities are needed to effectively anticipate risk events, develop contingency plans, and encourage risk-aware thinking across the organization? In which areas do we deserve high marks, such as risk assessment, accident investigation, or inclusive problem-solving? How will new skills be shared and leveraged across the organization, such as by contributing to other goals such as improved teamwork, transparent information sharing, and more efficient decision-making? Are we capable and confident or ill-prepared with respect to handling unexpected outcomes and events? Some leadership teams resolve to strengthen risk management capabilities to better anticipate events and actions that could take the organization off course. Others strive to build resilience across the organization, helping fortify programs, staffing, fundraising, operations and even strategy setting against the inevitable bumps in the road and surprises.
  • Connect Risk to Mission – Understanding the catalysts for improved risk management and the strengths and skill deficits are key to framing your efforts with a purpose. But whatever you discover in those areas, don’t forget to connect what you’re trying to do in risk management to the mission of your nonprofit. For example, “By reducing the number of accidents our volunteers suffer, we will be able to increase the breadth and volume of support we provide to our clients,” versus “We need to reduce accidents to keep our insurers happy.”

Measure by Measure

Although it is important to evolve a risk management function without losing sight of its purpose, it is equally important to conceptualize an end point and interim milestones. Ask: how will we know we have made progress, or achieved goals for the function? What does success look like?

Another important consideration is scope, especially with respect to the breadth of risks you hope to understand and address. In some cases, formalized risk management means addressing a wider, more comprehensive range of operational risks. In other cases, evolving risk management capabilities might focus on improving the analysis of incidents, accidents and near-misses through the use of disciplines such as root cause analysis.

Yet another important aspect of scope is timing. Is your goal to start slowly and ramp up? Kick-off the project with a big bang? Experiment with ways to source risk information, or conduct a comprehensive survey seeking input from many stakeholders?

When considering these elements of your evolving risk function, also anticipate the myriad reactions your internal stakeholders might have to the proposed scope, timing and milestones. For a risk function to remain effective and sustainable, those directly involved must buy into it and carry it forward, and those indirectly involved or outside the risk function must respect it. Always design a risk function with the needs and desires of your team members in mind; ask your board, staff and volunteers directly to be sure you understand the scope and timeframe they are comfortable with.

Small Team or Cast of Thousands?

When pondering who should be involved in risk management in a nonprofit, the obvious, but not pragmatic, answer to this question is ‘everyone.’ Analyzing the changing risk landscape and developing seamless contingency plans may be easier with a core group, versus a cast of dozens, hundreds or thousands. But ultimately, the commitment to safety and risk-aware decision making requires the participation of staff at all levels of the organization. Staff who feel they are exempt from noticing, reporting and acting on hazards of any kind, are a costly claim or lawsuit in the making.

Consider the possible participation and vital roles of the following groups as you ponder how to strengthen risk management:

  • Executives – Many experienced risk professionals note that buy-in by the executive team is an important first step in fortifying risk management capabilities. Even if executives assure you that they are bought into the risk effort, staff members want to observe this commitment through the actions and participation of the executive team—not simply through words, which can seem like empty support.
  • Front-line staff – An important consideration in sourcing risk information and also implementing new risk strategies is engaging the perspective and support of front-line staff. The view of a risk landscape from the C-Suite is likely to differ from the view at your mission’s sea-level. Front-line staff experience your clientele and programs in real-time, and they also feel the burden and weight of complex policies, including those that may be in conflict with their own or the nonprofit’s professed values. Similarly, front-line staff members witness the effects of organizational risks on the stakeholders that you serve. Woods Bowman, professor emeritus of public service management at DePaul University in Chicago, Illinois, said that “…the risks of a nonprofit are borne by the people it serves (its clients), who have neither a voice in selecting the organization’s leadership nor ability to manage the risks” (Finance Fundamentals for Nonprofits: Building Capacity and Sustainability, by Woods Bowman). Front-line staff are positioned to sense and understand the effects of risk on your stakeholders because they interact with those clients every day.
  • Middle men and women – The ‘middle’ part of your organizational chart mustn’t be forgotten when it comes to risk function design and risk strategy implementation. Supervisors of front-line staff are likely to hear and see risk differently from others in the nonprofit. Staff in the middle of the organization are also in prime position to share and reinforce messages about the ‘why,’ ‘how’ and ‘what’ of your risk management function. This group can help to mediate or clarify interactions between front-line staff and executives whose perspectives might be so polar that risk communication is stifled or stagnant.
  • Governing teams – As described in the article “The Garden of Risk Oversight,” the board of a nonprofit has an important role to play in risk oversight. Parallel to its responsibility for fiscal oversight, risk oversight is a way for the board to ensure that upside and downside risks are considered as the board makes decisions related to the nonprofit’s mission, future direction, structure, and key objectives.
  • External advisors – Many nonprofit missions benefit from independent advice provided by paid or pro bono advisors. These advisors, from insurance professionals to legal advisors or finance/investment experts, are often eager to weigh in on the risks facing the nonprofit, and the effectiveness of existing risk management strategies.

(Note: NRMC’s web app, My Risk Assessment, makes it easy to source risk information from a large team of internal stakeholders.)

Clarify Roles

The willing participation of internal and external stakeholders is a ‘win’ to a team trying to fortify the risk management function in a nonprofit. Don’t forget to clarify roles and set expectations early on. For example, before soliciting input from an advisor or stakeholder group, consider how that input will be weighed in making decisions. Is the group providing input empowered to make decisions and implement specific actions? Or is the group working on an advisory basis, providing information and advice to someone else who will make decisions? Knowing the answers to these questions at the start will draw people in and reduce push-back and cynicism.

No matter who you involve in risk management at your organization, remember that any individual can serve your mission as a Risk Champion—an individual who supports and progresses effective risk management practices in order to safeguard and advance your mission. The NRMC team is often asked whether nonprofit teams need a dedicated Risk Manager or Chief Risk Officer to wear the risk leadership hat. Though a dedicated, full-time risk professional is certainly an asset, it is often impractical and out of reach for a nonprofit team. Still, Risk Champions can be empowered anywhere throughout your organization. Clarifying Risk Champion roles is critical for an effective risk function. For example, determining which risk leaders have ultimate oversight and decision-making authority regarding risk management initiatives, versus which risk leaders will be asked to source and analyze information about risks that arise across the organization, or serve as liaisons to departments or peer groups that desire risk education or risk management assistance.

No risk function looks exactly the same. The NRMC team recently had the honor to work with nonprofit teams who developed the structures below to assign risk management accountability to various staff members throughout their organizations. Consider these distinct models and poll your team to learn what model could be suitable and sustainable at your organization.

Step-By-Step

Strengthening, expanding or formalizing risk management may seem like a daunting task. It is complicated by the fact that nonprofits are structured in very different ways and provide many different types of services. Here is a suggested linear process to make the design and implementation stages more manageable—this process can guide you to create a completely customized risk function.

  • Assess where your organization is now – When people start thinking about expanding risk management to touch all functions and activities in an organization, they often believe that the effort is starting from scratch. In reality, every nonprofit—from a start-up to a century-old agency—has risk management in evidence. Many examples of practical risk management are contained, however, to specific business units or silos. For example, the risk of asking prohibited questions during the hiring process may be managed by using an interview script and training interviewers. The risk of financial fraud may be managed through a system of internal controls and segregating financial duties among multiple personnel. The risk of chaotic transitions may be managed through cross-training and the use of ‘desk manuals’ explaining key tasks. Acknowledging the existence of helpful and wise risk management strengths will help everyone see that your nonprofit is working to evolve risk management, rather than begin anew. Doing so can help boost morale and support for a process that often feels imposing and overwhelming at the start.
  • Expand your knowledge base – Take the opportunity to learn more about risk management and to gauge the maturity of your efforts. Read past editions of Risk Management Essentials and the Risk eNews for inspiration on simple steps to take your risk management program from ‘here’ to ‘there.’ Resolve to customize what you discover to best suit your mission, culture and structure.
  • Look for opportunities to gain some momentum quickly – Once you have identified and acknowledged existing efforts, connect those efforts across the organization. These connections will highlight that risk management is not just a series of individual efforts in operational silos but also a combined effort that encompasses the interactions of risks across the organization. This horizontal integration of risk management will need to be accompanied by vertical integration as well. Internal stakeholders need to see that their efforts at various levels of the organization are visible and recognized by individuals at other levels. However, this involvement at all levels needs to happen without over-involvement in any one level. For example, it would be easy for the board to start focusing on operational level efforts when the main priority for the board should be strategic level concerns. Finding the appropriate level of engagement at each level early on will help maintain momentum as the integration of risk management efforts occurs.
  • Make the mission connection – Strive to align your risk management efforts with the values of the nonprofit to bring and keep people on board. When risk management’s tone is focused on compliance, penalties and punishment, few stakeholders will join the bandwagon to strengthen the function. When the function is viewed as key to mission success, team members will embrace the opportunity to make a contribution.

As the risk management function design process continues, be sure to revisit the issues of purpose and outcome to ensure progress is being made in the right direction at the appropriate pace.

What comes next?

Taking all of these things into consideration at the outset of the risk management function design process will go a long way towards creating a sustainable effort to integrate risk management in your organization. Ultimately, designing and implementing your risk management function can’t happen in isolation. A connection to overall strategy, inclusion of and support from a wide variety of stakeholders, and integration into operational efforts will see the greatest success and return on organizational investment.

Melanie Herman is Executive Director and Eric Henkel is Project Manager at the Nonprofit Risk Management Center. Melanie and Eric welcome your questions about risk capabilities and risk function design at Melanie@nonprofitrisk.org, Eric@nonprofitrisk.org or 703.777.3504.