In the past few decades, the business landscape for the larger, more complex, nonprofits that provide social services has changed dramatically.
In addition, the integration of social values within for-profit companies has further blurred the line between for-profit and nonprofit organizations, resulting in greater competition in the social services sector.
Equally as important, there has been a major philosophical shift away from contracts that pay for services rendered, and toward contracts that pay based on achieved goals, outcomes, or measurable impact. If, for example, your agency was once paid to provide job training skills, it is now more likely to be paid based on how many clients in your program actually secure employment. Thus, the need to achieve measurable objectives—whether those objectives are commercial or social—is now as much a requirement for nonprofit as it has long been for for-profit organizations. This, in turn, has exponentially increased not only the day-to-day risks of not-for-profits, but in some cases threatened their very survival.
As a result, senior management of nonprofits is faced with a somewhat new and daunting challenge—i.e., the need to create an infrastructure capable of synthesizing vast amounts of information, connecting the dots across myriad of programs, and simultaneously integrating business strategy, goals, and risk management. The failure to do so—at least historically—was usually due to a pervasive fear-based approach that was primarily backward-looking and focused on flat financial metrics and ratios. As a result, hidden risks were often left uncovered, problems that kept organizations from achieving their goals were not anticipated, and risk mitigation strategies, if any, were ineffective. Risk management, in fact, whether adapted to for-profit or not-for-profit enterprises, requires a forward-looking approach—one that is integrated with business strategies and goals to achieve measurable results in a continually changing environment.
Therefore, the new risk paradigm for nonprofits forces management to consider two separate aspects of risk management—the first strategic, and the second organizational. Succeeding in the former requires thinking about risks throughout the organization. Succeeding in the latter entails the creation of a risk-centric culture, both empowering management and employees to effectively deal with risk and demanding that they execute enterprise-wide initiatives related to those risks.
Turning first to Strategic Risks, management must begin with a short inquiry:
1. Do we fully understand our risk exposures?
Senior managers need to ensure that all risks facing the enterprise have been properly identified and measured, beginning at the business unit level where program managers intimately familiar with their individual landscapes can adopt an appropriate risk management framework and establish an ongoing risk-based dialogue with the senior management. Together they can then discuss current and emerging risks in detail, establish risk limits, and put specific action triggers into place.
From there, it is critical to establish an enterprise-wide view of risk. Once defined, the strategic implications must be contrasted with resource adequacy and availability, leading to a clear understanding of how risk can and ought to be managed.
Given the complexity of the modern world, senior management must also regularly devote time to discussing the so-called unknown unknowns—events and risks beyond the scope of traditional discovery processes and systems. For example, an acknowledged but unknowable unknown in a not-for-profit might involve apolitical or philosophical change in the way state and local governments view their funding, emerging business models, or changes in the competitive environment (including for-profit service providers).
In addition to proper risk identification and measurement, senior management must establish an explicit link between risk, resources, and strategy. To avoid surprises and ensure that a not-for-profit does not respond to pressures through blind risk and leverage, the organization’s risk appetite must be fully aligned with funding and service targets. Senior management must fully understand and approve the amount of risk required to achieve the organization’s stated objectives and goals.
The lack of organizational dynamism—a company’s ability to detect coming crises and environmental changes, understand their potential impact, and develop the agility to react in a timely fashion—was a common feature of for-profit companies that failed during the recent financial crisis, and not-for-profit companies whose traditional approach no longer worked in the post-crisis environment.
Senior management can and should play an important role in ensuring that a company is well-prepared to withstand volatility, crises, disruptive technologies, and the changes in the market, and in its competitors. An integrated risk management framework, early warning systems, and comprehensive contingency plans must be continually reviewed by senior management and the board of directors and included in all strategic discussions.
Strategic decisions—again, in the public as well as the private sectors—have often been focused on business and customer strategies, new product development, and pursuit of market share, with risk management remaining an afterthought—that is, a sort of police function used to check on safety and soundness only after strategic and investment decisions had already been made. To remedy this after-the-fact approach, the role of risk in a not-for-profit’s business model must be continually reevaluated by senior management, thus making risk management an input into strategic decisions and governance.
Continually asking fundamental questions in rigorous yet practical ways vastly improves the effectiveness of senior management, helping them steer their not-for-profits through the ever more difficult conditions of the modern global environment.
Next week we will explore Organizational Risk.
As always I look forward to your comments