In Part 1 of this article, we looked at changing our view of risk from one of compliance to one of opportunity. This part provides practical steps to create a risk management plan that actually works.
The key steps in creating such a risk management plan are:
1. Identify all potential risks
2. Rank each risk by its potential to occur and its impact if it does occur
3. Assess the quality of the existing controls for each risk
4. Develop new controls and strategies for the risks
5. Monitor these new controls
6. Extract strategic advantage
Identifying risk: You have to start somewhere!
Identifying risks requires that you do not hold a fixed view of what constitutes risk, and that you involve others who see the organisation differently and therefore see risk differently. If you involve only staff in identifying risk, they will do a good job, but they will only identify what they know, i.e. operational risk.
Who has points of view about your organisation that matter to you?
You may want to include:
- Staff who are responsible for relevant areas
- Sessional staff, contractors, others who conduct programs on your behalf
- People affected by your services: clients, volunteers, members
- Union or staff representative groups, such as a safety committee
- Funding bodies such as banks, government agencies and grant givers
- Regulatory entities
- Politicians who may have an electoral or portfolio interest
Also, identify the risks associated with your:
- Classes of assets in your asset register
- Profit & loss statement line items
- Strategic and business plan
- Health and safety reports
- Benchmarks against other organisations (swap risk registers/plans)
After the relevant stakeholders have been identified, decide whether to send them a Risk Identification Survey, or to conduct a short telephone interview, focus group or other mechanism aimed at identifying these risks. (Use a spreadsheet so you can sort, add and compile.)
The risk survey should be short, easy to fill in and not daunting. Point out that you are collecting their views about the risks they perceive the organisation faces, from their own point of view.
List all major activities/projects you are involved in that are relevant to the organisation. For each activity/project:
- Describe the perceived risk and how it might occur
- Your rating: potential to occur (High/Medium/Low)
- Your rating: impact if it does occur (High/Medium/Low)
- How do we turn this to strategic advantage?
Compile the returns into a spreadsheet. Don't be surprised if most of these risks are rated as high by those who submit them: from their point of view, they are high. This is why you need a Board-approved set of definitions of the levels of risk. Agree the definitions to be used. The level of risk is determined by the relationship between the potential (frequency or probability of the risk occurring), the consequence (impact or magnitude of the effect) and the robustness of the existing control mechanisms for that risk.
Each identified risk should be analysed for its potential to occur, for its impact on the organisation if it does occur, and for the quality of the existing controls for that risk. The best way to ensure that everyone is on the same page is to create a list of agreed definitions for each of the potential, impact and control components. An example of these definitions can be found here.
It is probably best if the Board's risk management committee (or equivalent, e.g. Finance and Audit) signs off on these definitions, as they form the basis for identifying the key risks, and therefore the focus of the Board. Identifying the risks that will have the greatest impact on the ability of your nonprofit to deliver against its strategic objectives then becomes much simpler: they are the risks with the highest scores, i.e. high potential to occur, high impact if they do occur, and ineffective existing controls. And you have agreed on the definitions of all these aspects. These risks are then put into a risk system (most commonly a spreadsheet), which in risk management terms is called a risk library (all the identified risks and their ratings).
From there, each key risk needs a "treatment" plan (the risk management term for what you are going to do about the risk). Most treatment plans we have seen miss the point of risk management: they focus only on reducing the risk. But if risk is "anything that will impact on your ability to deliver against your strategic objectives", then risk management should not be only about reduction; it should be about how we can derive strategic advantage from understanding and managing that risk, not just trying to reduce it.
The risk committee (or equivalent) can then develop treatment plans for each of the identified risks, starting with the highest rated. A risk treatment plan should follow the principles of good project management: what, who, when, success measures and so on. The one thing that will make your risk management plan create true value for your nonprofit organisation is to include, for each risk in the plan, a section that explores "Strategic Advantage". The question to ask is: "How can we turn this risk, and our treatment of it, into strategic advantage?" Each key risk is something that will impact on your ability to deliver against your strategic objectives; key risks therefore have key strategic impacts, and major strategic advantages if managed well. Your job is to identify these advantages and leverage them.
“And what is the non-profit board’s role in all of this?”
- The Board's role is to agree on and monitor the 3 or 4 critical risks facing the organisation. Regular Board reports that analyse these critical risks, their monitoring and their treatment provide the Board with strategic information about the key drivers of the business. The Board's role in monitoring these risks is not to ensure they don't occur, but to turn them into strategic advantage.
- The Board is responsible for approving and monitoring the risk management policy. This is among the Board's most important responsibilities, as it commits the Board and the organisation to best-practice risk management.
- Establish key performance indicators (KPIs) for the Chief Executive Officer. One of the most effective ways to ensure that staff, and especially the CEO, treat risk as the strategic advantage it can be is to establish one or two KPIs for the CEO that reflect the risk monitoring and management responsibilities of that position.
- Embed risk into the strategic discussions and analysis of the Board. Risk awareness is best embedded in the organisation if some simple guidelines are followed:
  - When conducting strategic planning, conduct a SWOR (not a SWOT) analysis, i.e. Strengths, Weaknesses, Opportunities and Risks. These risks can then be added to your risk library and provide further opportunities for identifying strategic advantage.
  - Only accept project plans or action plans that include a risk element. For example, an action plan might have the headings: scope, start date, finish date, project manager, resources, success measures, ethical implications, and risk.
“Once the risk has been identified, the management of that risk is quite easy.”
When deliberating on decisions at the Board meeting, ask the risk question: “What are the risks inherent in this proposal, and how can we turn these risks into strategic advantage?”
All of these ensure that risk is an ongoing strategic process, not a compliance issue.
Global Nonprofit Advisor
For more details and examples of risk and strategic plans, view Conscious Governance's latest e-books and blended-learning programs, available for download online.