Organizational Risk Management
Last week, I examined the essential questions for assessing Strategic Risk Management in a complex nonprofit. It is equally important for senior leadership to assess and establish a protocol for managing day-to-day Organizational Risk Management. Successful organizational risk management requires its own set of questions, described below.
1. Do we have an integrated, firm-wide, risk management process?
Effective risk management is achieved through comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers, and dynamic, integrated firm-wide processes. As a prerequisite to all of these, nonprofits must possess an analytical system capable of properly identifying, measuring, and aggregating all risks across the enterprise.
Equally important, an appropriate “risk mindset” must be adopted throughout the organization. The goal should be that every employee feels they are a risk manager and is responsible for managing the risks that arise in their job every day. Once this mindset is in place, risk exposures and the risk analysis of key business initiatives must be routinely and intentionally discussed. Senior management must also ensure that relevant risk measures are among the key metrics monitored by program managers on a daily basis. Finally, senior management must ensure that risk issues are handled proactively and that communications across program units are open and effective. Red flags to be watched for and immediately addressed include 1) excuses that specific risks do not lend themselves to quantitative measurement, 2) claims that certain risks are the “nature of the business” and therefore should not be monitored or managed, and 3) phrases like “don’t worry,” “this is a low probability event,” or “local managers have it all under control,” all of which need to be stricken from the organization’s vocabulary. Instituting a rigorous firm-wide risk process also ensures that directors do not start questioning senior managers about risks the organization has undertaken only after it is too late.
2. Are professionals at all levels empowered and expected to manage risk?
For the risk management of a large, complex nonprofit to be effective, it must be built not only into every part of the decision-making process, but also into every control mechanism throughout the organization. A common risk management language must be established throughout the organization, along with clearly delegated responsibilities for managing risk at all levels. Finally, leadership and risk management structures must be correctly aligned with the not-for-profit’s business model, and the right balance established between competing priorities and constituencies.
3. Do we have an appropriate risk management culture?
There are specific signs that we are on the right track, and that risk management has become part and parcel of a nonprofit’s DNA. First, leadership must assume ultimate responsibility for risk oversight, with clear measures of success and well-understood metrics for risk appetite and risk limits.
Risk training and awareness programs must also be in place throughout the organization, with senior line managers and risk professionals responsible for formal postmortems of major mistakes. Senior management must ensure that management incentives encourage responsible, value-added risk taking, and must emphasize the importance of embedding risk management processes in the organization’s decision-making and communications.
With such a risk culture in place, silos will be broken down, open communication will be encouraged, and risk successes will be publicized and imitated. And when this happens, employees will make better decisions, keep their not-for-profit out of harm’s way, and reduce potential legal liabilities and reputational risks.
What is your protocol for both strategic and organizational risk? As always, I welcome your comments.