From Risk Management to Risk Leadership

Almost daily we hear of new cyber security lapses, which are increasingly dangerous in our digital age and may affect all aspects of our operations from finances to employee records.  For this reason, it is imperative “to embrace risk leadership rather than just risk management,” said David O. Renz, in an article in Nonprofit Quarterly. Renz is the director of the Midwest Center for Nonprofit Leadership at the Department of Public Affairs in the Henry W. Bloch School of Management at the University of Missouri-Kansas City.

At an Institute of Risk Management (IRM) seminar this past June, various experts met to discuss just how “the role of the Chief Information Security Officer is evolving.” According to IRM, “risk management involves understanding, analyzing, and addressing risk to make sure organizations achieve their objectives.  It must be proportionate to the complexity and type of organization involved.”  They also point out that “risk is inherent in everything we do, so the type of roles undertaken by risk professionals are incredibly diverse. They include insurance, business continuity, health and safety, corporate governance, engineering, planning and financial services.”  In other words, all aspects of our operations.

At The Fedcap Group we schedule regular, in-depth discussions about risk, working to fully understand the nature and makeup of our organizations’ risk profile.  Every discussion is intended to raise awareness and sensitivity to the potential risks in all areas of operations.  We have even devoted an entire module of our Leadership Academy to the concept of Risk Management, with board members serving as guest faculty.

Our staff is the first line of defense, so risk awareness training means that with their daily diligence, they are helping to protect the entire operation.  Our mantra has become “If you see something, do something or say something!”  Just as every person within the organization is a leader—every person plays a pivotal role in understanding and managing risk.

MITRE Corp. has developed a detailed risk management plan of “21 Musts” that I found very helpful, including a management culture that must encourage and reward the identification of risk by staff at all levels of program contribution.  (See link below.)  In it the authors stress, and I agree, that risk considerations must be a central focus of program reviews, risk management must never be outsourced, and technology maturity and its future readiness must be understood.

As pointed out by David Renz, “delay or failure in responding to risk, positions an organization for an even riskier course.”

Organizational Risk Management


Last week, I examined essential inquiry around assessing Strategic Risk Management in a complex nonprofit. It’s equally important for senior leadership to assess and establish a protocol for managing day-to-day Organizational Risk Management. Successful organizational risk management requires its own set of analyses, as described below.

1. Do we have an integrated, firm-wide, risk management process?

Effective risk management is achieved through comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers, and dynamic and integrated firm-wide processes.  As a prerequisite to all of these, nonprofits must possess an analytical system capable of properly identifying, measuring, and aggregating all risks across the enterprise.

Equally important, an appropriate “risk mindset” must be adopted throughout the organization. The goal should be that every employee feels they are a risk manager and is responsible for managing the risks that occur on their job every day. Once this mindset is in place, risk exposures and the risk analysis of key business initiatives must be routinely and intentionally discussed. Senior management must also ensure that relevant risk measures are among the key metrics monitored by program managers on a daily basis. Finally, senior management must ensure that risk issues are handled proactively, and that communications across program units are open and effective. Red flags to be watched and immediately addressed include 1) excuses that specific risks do not lend themselves to quantitative measurement, 2) claims that certain risks are the “nature of the business” and therefore should not be monitored or managed, and 3) phrases like “don’t worry,” “this is a low probability event,” or “local managers have it all under control,” which need to be stricken from the organization’s vocabulary.  Instituting a rigorous firm-wide risk process also ensures that directors do not start questioning senior managers about risks the organization has undertaken only after it is too late.


2. Are professionals at all levels empowered and expected to manage risk?

For the risk management of a large, complex nonprofit to be effective, it must be built not only into every part of the decision-making process, but also into every control mechanism throughout the organization. A common risk management language must be established throughout the organization, along with clearly delegated responsibilities for managing risk at all levels. Finally, leadership and risk management structures must be correctly aligned with the not-for-profit’s business model, and the right balance established between competing priorities and constituencies.


3. Do we have an appropriate risk management culture?

There are specific signs that we are on the right track, and that risk management has become part and parcel of a nonprofit’s DNA.  First, leadership must assume ultimate responsibility for risk oversight, with clear measures of success using well-understood metrics for risk appetite and risk limits.

Risk training and awareness programs must also be in place throughout an organization, with senior line managers and risk professionals responsible for formal postmortems of major mistakes. Senior management must ensure that management incentives encourage responsible and value-added risk taking, and emphasize the importance of embedded risk management processes in the organization’s decision-making and communications.

With such a risk culture in place, silos will be broken down, open communication will be encouraged, and risk successes will be publicized and imitated. And when this happens, employees will make better decisions, keep their not-for-profit out of harm’s way, and reduce potential legal liabilities and reputational risks.

What is your protocol for both strategic and organizational risk? As always, I welcome your comments.

Risk Management

In the past few decades, the business landscape for the larger, more complex, nonprofits that provide social services has changed dramatically.

In addition, the integration of social values within for-profit companies has further blurred the line between for-profit and nonprofit organizations, resulting in greater competition in the social services sector.

Equally important, there has been a major philosophical shift away from contracts that pay for services rendered, and toward contracts that pay based on achieved goals, outcomes, or measurable impact. If, for example, your agency was once paid to provide job training skills, it is now more likely to be paid based on how many clients in your program actually secure employment. Thus, the need to achieve measurable objectives—whether those objectives are commercial or social—is now as much a requirement for nonprofits as it has long been for for-profit organizations. This, in turn, has exponentially increased not only the day-to-day risks of not-for-profits, but in some cases threatened their very survival.

As a result, senior management of nonprofits is faced with a somewhat new and daunting challenge—i.e., the need to create an infrastructure capable of synthesizing vast amounts of information, connecting the dots across a myriad of programs, and simultaneously integrating business strategy, goals, and risk management. The failure to do so—at least historically—was usually due to a pervasive fear-based approach that was primarily backward-looking and focused on flat financial metrics and ratios. As a result, hidden risks were often left uncovered, problems that kept organizations from achieving their goals were not anticipated, and risk mitigation strategies, if any, were ineffective. Risk management, in fact, whether adapted to for-profit or not-for-profit enterprises, requires a forward-looking approach—one that is integrated with business strategies and goals to achieve measurable results in a continually changing environment.

Therefore, the new risk paradigm for nonprofits forces management to consider two separate aspects of risk management—the first strategic, and the second organizational. Succeeding in the former requires thinking about risks throughout the organization.  Succeeding in the latter entails the creation of a risk-centric culture, both empowering management and employees to effectively deal with risk and demanding that they execute enterprise-wide initiatives related to those risks.

Turning first to Strategic Risks, management must begin with a short inquiry:

1. Do we fully understand our risk exposures?

Senior managers need to ensure that all risks facing the enterprise have been properly identified and measured, beginning at the business unit level where program managers intimately familiar with their individual landscapes can adopt an appropriate risk management framework and establish an ongoing risk-based dialogue with the senior management. Together they can then discuss current and emerging risks in detail, establish risk limits, and put specific action triggers into place.

From there, it is critical to establish an enterprise-wide view of risk. Once defined, the strategic implications must be contrasted with resource adequacy and availability, leading to a clear understanding of how risk can and ought to be managed.

Given the complexity of the modern world, senior management must also regularly devote time to discussing the so-called unknown unknowns—events and risks beyond the scope of traditional discovery processes and systems. For example, an acknowledged but unknowable unknown in a not-for-profit might involve a political or philosophical change in the way state and local governments view their funding, emerging business models, or changes in the competitive environment (including for-profit service providers).

2. Are our risk exposures appropriate to our objectives, our appetite for risk, our resource levels, and our desire for long-term sustainability?

In addition to proper risk identification and measurement, senior management must establish an explicit link between risk, resources, and strategy. To avoid surprises and ensure that a not-for-profit does not respond to pressures through blind risk and leverage, the organization’s risk appetite must be fully aligned with funding and service targets. Senior management must fully understand and approve the amount of risk required to achieve the organization’s stated objectives and goals.

3. Is our organization adequately dynamic from the viewpoint of risk management?

The lack of organizational dynamism—an organization’s ability to detect coming crises and environmental changes, understand their potential impact, and develop the agility to react in a timely fashion—was a common feature of for-profit companies that failed during the recent financial crisis, and of not-for-profit organizations whose traditional approach no longer worked in the post-crisis environment.

Senior management can and should play an important role in ensuring that an organization is well-prepared to withstand volatility, crises, disruptive technologies, and changes in the market and in its competitors. An integrated risk management framework, early warning systems, and comprehensive contingency plans must be continually reviewed by senior management and the board of directors and included in all strategic discussions.

4. How do risk and uncertainty factor into our strategic decisions?

Strategic decisions—again, in the public as well as the private sectors—have often been focused on business and customer strategies, new product development, and pursuit of market share, with risk management remaining an afterthought—that is, a sort of police function used to check on safety and soundness only after strategic and investment decisions had already been made. To remedy this after-the-fact approach, the role of risk in a not-for-profit’s business model must be continually reevaluated by senior management, thus making risk management an input into strategic decisions and governance.

Continually asking fundamental questions in rigorous yet practical ways vastly improves the effectiveness of senior management, helping them steer their not-for-profits through the ever more difficult conditions of the modern global environment.

Next week we will explore Organizational Risk.

As always, I look forward to your comments.