Say Something!

By Melanie Lockwood Herman

As an advisor to nonprofits striving to better understand and cope with myriad risks, I spend a lot of time trying to come up with practical solutions to complex problems. As anyone who’s worked with the Center knows, we don’t offer “systems” ready-made for installation. We try to understand an organization’s context and capabilities before saying a word about what might work. Yesterday during a meeting with a group of dedicated leaders, I began to mull over two common mistakes in risk management practice:

  1. Oversimplifying risk issues in order to pave the way for the simplest possible “solution”; and
  2. Overcomplicating risk management strategies, making them harder to understand and follow (e.g., a whistleblower protection policy written in legalese, or a handbook of convoluted policies instead of a clear code of conduct).

I’m convinced we need to be thoughtful and vigilant to avoid committing either error. With respect to the first error, we need to acknowledge that many of the risk issues facing nonprofits simply cannot be quickly understood or resolved. Far too many agency leaders have learned the hard way that conducting pre-hire/pre-service and periodic in-service criminal history background checks does not eliminate the risk of client victimization. Every organization that screens prospective volunteers and staff must recognize that the risk of victimization remains. In addition to inherent complexity, some risk issues morph faster than even the brightest risk manager can re-issue or update a set of policies. If your nonprofit serves children who own smart phones, then you’ll know what I’m talking about.

The second error is equally troubling. If you’ve ever reviewed (or approved!) a draft policy written in legalese instead of plain English, you’ll know what I’m talking about.

Despite my worry about committing both errors, I still believe that it is possible to look for straightforward approaches to coping with uncertainty without oversimplifying our understanding of a particular risk. Recently I saw a sign that I believe does just that. The sign read, “If You See Something, Say Something™.” I’ve since learned that the phrase was originally adopted by the New York City Metropolitan Transportation Authority and was licensed to the Department of Homeland Security in July 2010. Although I didn’t know its origins at the time, I knew exactly what that phrase meant. I can’t help but think that so many of the rules nonprofits routinely adopt could be summarized in that simple statement. Whether you’re focused on protecting youth, creating an environment hostile to fraud, or working to improve the respect and consideration shown to each and every client, member, consumer or visitor, “If you see something, say something” says it all.

In any nonprofit, an effective risk management program needs far more than a handsome collection of policies approved by counsel. We need many sets of eyes and ears observing and experiencing the consequences of risk-taking and risk management practice in our real world. We need to persuade everyone in a service role, as well as participants, their parents, and advocates, that we want and need them to step forward. Tell us about anything that makes you uncomfortable, ill-at-ease, or concerned. When the people who serve and receive services join together to observe and report, you will build an unshakable foundation on which your nonprofit mission can thrive.

Melanie Lockwood Herman is Executive Director of the Nonprofit Risk Management Center. She welcomes your ideas about any risk management topic, suggestions for best-in-class risk management, and questions about the Center’s resources at or 703.777.3504. The Center provides risk management tools and resources at and offers consulting assistance to organizations unwilling to leave their missions to chance.