Q. What are the key activities or components of effective operational risk management?
Diana. The first component is establishing clarity around objectives, roles, and responsibilities. To achieve the goals of any important activity— including risk management—every team member needs toknow exactly how he or she is expected to contribute. The second component is to deliver excellent performance. This includes identifying the right resources (including people, processes and systems) and managing those resources according to an agreed upon strategy. The third component is to develop capabilities to handle unexpected or uncontrollable factors.
Mike. I think Diana hits the nail on the head with her response. I’d add two things to compliment her suggestions. I see many organizations struggle with risk management because it is not part of their culture. They think of it as this BIG thing and cannot get everyone to be part of it. So, I strongly suggest that after we establish clarity around objectives, roles and responsibilities as Diana points out, we must train our staff and volunteers early and often. Risk management should be part of the on-boarding and orientation process. Make sure people know what they need to do and why they need to do it. It’s not just good practice but there is a reason to do things; that way they’ll get a better understanding of managing risks. Our culture at nonprofits is driven by our staff and volunteers; they must be our risk management champions. For example, we don’t just put yellow ‘caution wet floor’ signs out when it rains or when we mop; we do it for a reason — to help prevent slips and falls, a leading cause of injuries at nonprofits. Secondly, I’d add that we must be constantly reevaluating our risks, processes and strategies. Nonprofits are moving in many different directions and continuously evolving. Our risks frequently change too. How we manage them and what we learn from monitoring our successes is critical information we can use to grow with these changes.
Q. What advice would you offer the leaders of a nonprofit to cope with circumstances outside their control?
Diana. Effective nonprofits must be ready and resilient, because there will always be surprises and events will unfold that are different from what they expect. The three strategies for dealing with the unexpected include:
- Cultivating awareness of factors and trends in the external environment. This is the best way to anticipate new or evolving risks.
- Building relationships with external stakeholders, including key players in the community your nonprofit serves, your donors and other funders, and any third party that assists your organization to deliver on its mission. Positive relationships are invaluable to a nonprofit and play a key role in helping the organization survive negative scrutiny or a crisis.
- Developing response capabilities. This includes the development of crisis management, disaster recovery and business continuity plans and skills to enable you to quickly realign resources in the wake of a crisis.
Mike. Two parts of risk management are prevention and control. Obviously prevention is keeping bad stuff from happening. Most organizations understand that part better and can generally figure out how to prevent common risks from causing harm. The control part seems a bit more fluid for some organizations and can be more difficult to understand. Control involves how we react to incidents to reduce negative outcomes. I also think it involves getting back to “normal” asquickly as possible. Certainly accidents do happen and many times we cannot do much to prevent them. Take the example of a severe weather event. We cannot keep the weather from damaging our building but we can plan ahead and be ready to cope with the damage to lessen its impact on our mission. We can “batten down the hatches” so to speak, we can keep abreast of oncoming events (cultivating awareness as Diana suggests), and we can be ready to react when bad things happen by establishing protocols for response, repair and resumption of operations. Most of all I think we must remember that many incidents that we cannot control are not the end of the world. We need to stay calm, follow our plan with cautious optimism and move through the tough times.
Q. What are some key strategies or considerations for evaluating operational risks, particularly in a nonprofit organization where everything seems to be changing all of the time?
Diana. Most operational environments in the nonprofit sector are characterized by change. Of course some changes are within an organization’s control (such as a restructuring), while others fall outside the entity’s control (such as new regulatory requirements, changing demographics, etc.). Scenario planning can be an effective tool for anticipating how this will turn out. Nonprofit leaders should
Q. What are some of the most common challenges in operational risk management?
Diana. One challenge is finding the level of responsible risk-taking that avoids the extreme positions of reckless gambling and risk aversion. Taking responsible risks, after all, is a necessary part of nonprofit life.
- What gaps in our policies, practices or management system led to this negative outcome?
- What organizational blind spots prevented us from seeing this coming?
- How can we avoid a similar loss in the future?
Finally, the importance of a culture that supports risk management is key.
Nonprofit leaders can encourage a culture of risk management by taking three steps.
- Model good risk management behavior. Codes of conduct and statements of core values are meaningless in an instant when leaders act in a way that contradicts espoused values.
- Articulate expectations for risk management behavior. Leaders must communicate what constitutes good risk management behavior versus poor behavior. And rather than pushing risk management expectations on direct reports, leaders should “pull” desired behavior from them. How? By asking staff how they are meeting risk-related expectations such as:
- How are you integrating risk thinking into the key decisions you make?
- What are the significant risks in your area of responsibility?
- What risk indicators are you monitoring to ensure that you’re prepared to respond if these risks materialize?
- Be clear about the consequences and follow through. Human beings are motivated to act because they want to realize positive consequences and avoid negative ones. Make certain you’re absolutely clear about consequences, both good and bad. And keep in mind that when poor risk management is ignored, the nonprofit pays twice: first by exposing the organization to unnecessary risk, and second, by demotivating individuals who are making a genuine effort to meet risk management expectations.
Mike. Get help when you’re in over your head or maybe even when you feel like your risk management “water wings” are beginning to deflate. There are lots of sources you can turn to for help. One resource can be a risk management committee that has a clear directive, is led by an effective volunteer and actively meets goals; this is a great asset to any organization. They can help provide the view from 30,000 feet that operational risk management sometimes misses. Updating and fortifying your operational risk management program starts with acknowledging that your nonprofit is already doing a lot to understand and manage the risks that arise from operations. And by taking the sage advice offered by Diana and Mike, you can avoid the mistakes and false starts that others have experienced. Finally, don’t hesitate to reach out to our team at the Nonprofit Risk Management Center for advice and support on your journey.
Melanie Herman is Executive Director at the Nonprofit Risk Management Center. She welcomes your feedback and questions about any risk management topic at Melanie@nonprofitrisk.org or 703.777.3504.