Risk Categorization: Learning from the Risk Leadership Certificate Program

By Erin Gloeckner

Our Risk Leadership Certificate Program (RLCP) is underway. With our RLCP cohort, we’ve enjoyed productive generative discussions about core competencies for risk professionals, including risk assessment, risk culture, risk function design, and insurance program oversight. With each conversation, we challenged our understanding of risk management best practices, like risk categorization.

Prior to each RLCP session, the NRMC team has shared thought-provoking pre-reads with our cohort to get everyone revved up for dialogue. Thirsty for risk management knowledge, the risk leaders in the first cohort have absorbed and analyzed the content of the pre-reads, journeying to NRMC headquarters in Leesburg, VA, primed to articulate how what they have read applies to their own organizations—and the nonprofit sector in general. One of our favorite pre-reads thus far is ‘Managing Risks: A New Framework,’ an oldie-but-goodie article by Robert Kaplan and Anette Mikes, published in the June 2012 issue of Harvard Business Review. One of our team’s a-ha moments related to Kaplan and Mikes’ recommendation for risk categorization.

At NRMC, we often segment risks into many categories such as existential, strategic, cultural, and an array of other buckets related to specific business functions or departments (e.g., finance, employment practices, legal, etc.). This risk categorization approach partly stems from our clients’ desires to group risks in familiar and understandable ways, and in ways that suggest risk ‘owners’ or parties with management and oversight responsibility (i.e., specific departments or functional teams). It also stems from our past experience and the fact that we’ve been doing it this way for some time… and it’s always worked well in the past. But this HBR article helped our team rethink our perspective on risk categorization.

Kaplan and Mikes argue that risk management is often prescribed through a compliance lens, and focuses too much on a “rules-based control model,” when in reality only some risks can be managed this way and others “require alternative approaches.” Preventable risks are those that offer no returns or upside, and “ought to be eliminated or avoided” through policy and compliance efforts. The authors acknowledge, however, that in all organizations there are some errors or downside risks for which “complete avoidance would be too costly.”

With respect to strategy risks, Kaplan and Mikes believe that the focus of risk management should be activities that empower the organization to take on “higher-risk, higher-reward ventures” than is possible in an organization with ineffective or less effective risk practices. During an exercise in which RLCP leaders paired up to design a new risk function for a hypothetical nonprofit, one group’s design was based on the potential for risk management to help a nonprofit grow. The team’s proposed design and approach were a refreshing contrast to the far more typical motivation of reducing the likelihood of accidents and financial losses.

Kaplan and Mikes describe external risks as those that are beyond an organization’s “influence or control.” Recognizing these risks as unpreventable by the organization should help leaders focus their attention where it counts: on activities that will lessen the downside impacts and leverage the upsides. During another RLCP exercise our cohort discussed the fact that there are likely to be silver linings during an organization’s darkest hour. Resilient and effective nonprofit teams engage in thoughtful planning, which helps them mobilize support in the midst and aftermath of an unavoidable event or set of circumstances.

The authors’ guidance mirrors our oft-quoted favorite, The Prediction Trap, by Randy Park (a past Risk Summit keynote speaker), who urges organizational teams to develop the capacity to anticipate (but not attempt to predict) multiple possible outcomes or “alternate futures” in order to develop an adaptive capacity—no matter what the world throws at you.

Kaplan and Mikes support their approach to risk categorization by describing a handful of cognitive biases that cause people to perform poorly when anticipating future events, and even more poorly when productively discussing risks and organizational failures. They explain a related failure that our team has observed many times: the tendency to categorize risks based on functional silos within an organization, causing risk information and risk management responsibility to disperse and to lose potency. The RLCP group agreed that in order to truly develop Enterprise Risk Management capabilities, risk leaders need to view the organization and its risks from a bird’s eye perspective; only this holistic approach will enable risk leaders to understand how various risks intersect and influence the many functions in their organizations.

At NRMC we recognize that a key quality of any effective Risk Champion is the capacity to unlearn what you know and change your mind. No discipline could evolve if we continued to preach and practice the same sentiments year after year. Our perspectives on risk management transform with every moment of dialogue during our RLCP program, and we hope this will inspire you to look upon your own risk management program and your approach to risk classification with fresh eyes as well.

Keep in touch for updates on our RLCP program. Contact the NRMC team directly to inquire about future RLCP programs and Risk Champion coaching: 703.777.3504.

Erin Gloeckner is director of consulting services at the Nonprofit Risk Management Center. Erin invites you to learn more about RLCP by contacting her at 703.777.3504 or Erin@nonprofitrisk.org