Risk Management Guide 2017: How’s Your Appetite?
August 1, 2017 Melanie Herman
Engaging The Board In Risk Oversight
Nonprofit missions are potentially bolstered — and threatened — by risk. When you decide to take a mission-advancing risk, wonderful outcomes as well as costly unintended consequences are possible.
A growing number of nonprofit leaders are comfortable and accustomed to weighing the potential “what ifs” that lurk in the background of routine decisions as well as bold moves. But as a staff leader, should you bear the burden of risk alone? If it makes sense to divulge your risk worries with the board, are you inadvertently inviting board involvement in day-to-day operations? Is there an appropriate, governance-level risk role for your board that will keep it focused on the direction of the organization and its strategies priorities and opportunities?
There is a dramatic evolution of board interest in risk, accompanied by a sincere desire to provide proper oversight of risk-taking and risk management. Today’s nonprofit board members are keen to talk about the implications of risk to a charitable mission.
One possible reason for the growing interest in risk is the presence of senior business leaders on nonprofit boards who often bring professional experience in risk management from financial services, healthcare and other highly regulated industries. Another motivation for board interest is the sense that the world in which nonprofits operate is increasingly complex and dangerous.
From the risk of a privacy breach, to the risk of serious harm suffered by staff working at remote locations across the globe, savvy and supportive board members recognize that poorly understood or mismanaged risks have the potential to erode a potent reputation built over many decades of service to the community.
When Interest Meets Governance
- Risk oversight refers to the responsibility for overseeing an organization’s approach to identifying and responding to critical risks. The familiar term “management” refers to the process of controlling things, processes or people. “Oversight” refers to ensuring that appropriate things, processes and people are in place. Oversight is the better descriptive term for a governing board committed to keeping its “noses in” and “fingers out.”
- Risk oversight activities by your board might include:
- Discussing everyone’s appetite for risk taking. For example, board members might agree that the risk of failure or deficit spending is worth the potential learning to be gained by expanding services to a broader clientele or new geographic area. Those same board members might decide that the risk of offending the principal funders of the organization is not worth the potential benefit of weighing in on policy issues that are distant from your core mission.
- Reviewing the fundamental assumptions that inspire the key objectives of the nonprofit. For example, as they review the update to a strategic plan, the board members might conclude that the threats to mission advancement perceived during the plan’s drafting have worsened or lessened over time. The assumptions underlying those objectives should be updated to reflect that new awareness about the risk landscape.
- Contributing to a shared understanding of your nonprofit’s risk landscape. “Risk landscape” is aspects of your external environment that cause risk events to be more or less likely, or substantially or less impactful. Providing services in a war-torn region might be necessary to advance your mission; the nature of that landscape is in some ways the backdrop for risk-taking and risk management. Members of a diverse board should be invited to share perspectives on your always changing risk landscape. What do board members see and know from their unique vantage points? Are there hazards or opportunities that are obscured from the staff’s view? Or, perhaps there are other reasons staff leaders cling tightly to their operational plans, resisting the notion that certain factors or risks could make those plans impossible to achieve.
In their thoughtful article, “Managing Risks: A New Framework” featured in the Harvard Business Review, Robert Kaplan and Anette Mikes explained that “Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.”
Risk Oversight Inspiration
- Once your board members show interest and embrace the risk oversight role, how do you turn the commitment into action? What information do you need? What steps can you take to help board members discharge their duties and perform risk oversight responsibilities with skill and confidence? How can you support and guide the board into the less familiar territory of strategic risks? Board members should consider the following questions as part of an evolving process to embrace and exercise risk oversight. Remember to adapt the questions to suit the culture and mission of your nonprofit, and also the style of governing adopted by your board.
- What is our risk appetite? Do recent decisions suggest that we are honoring that risk appetite? In what ways have we dishonored our risk appetite by being too tentative, or by acting without first completing the due diligence warranted by the potential consequences of the decision?
- Are we taking enough risk, and in the right areas to advance the mission and achieve the core objectives of the organization?
- Do recent decisions reflect the commitment to balance short-term performance with long-term sustainability? Have you taken any risks recently that sacrifice one for the other?
- Historically, what opportunities and risks — those that we took and those that we didn’t take — got us to where we are now as an organization? How can those lessons help inform our decisions about the uncertain future?
- Do we openly and candidly discuss upside and downside risks when considering important board decisions related to organizational structure and future direction?
- Is the board-staff relationship one of respectful interdependence, or do we sometimes engage in unproductive power struggles?
- Is there clarity about where responsibility for risk monitoring and action lies, based on the type, complexity or source of risks? For example, the board may be responsible for managing risks related to the governance function, while staff teams bear responsibility for risk management around operational risks.
- Do discussions about risk at the board level focus on strategic risks — threats and opportunities related to our direction and key objectives?
- What are the key assumptions in each major strategy, and what if they are wrong?
- What are the potential risks arising from or impact by the core strategies of the organization? What factors could cause each core strategy to fail? (e.g., people, process, systems, external events)
- What could cause major disruptions or discontinuities to how our organization exists today, such as changes in technology, business models and demographics?
- Is there a process by which the board supports risk management by sharing its unique perspectives on the changing risk landscape?
- Does the diversity of the board ensure that we’re seeing the world around us from multiple vantage points?
- What perspective(s) is/are missing when we discuss the impact of the world around us on the key objectives and strategies of the organization? Inviting your board into your recurring nightmares and nagging worries might feel a bit risky. But the truth is that protecting the priceless assets of your nonprofit — its mission, reputation, financial health, people and sustainability — is a sacred, shared responsibility of staff leaders and governing teams. Instead of handing your list of worries over to the board for its “management,” reflect on how to define and shape risk oversight as an important, evolving governance responsibility. When the board has your back through thoughtful risk oversight, you can embrace and manage the bold risks necessary to take your mission safely into the future.
Melanie Lockwood Herman is executive director at the Nonprofit Risk Management Center. Her email is firstname.lastname@example.org.
UC ASSURE is sponsoring this article in order to make available to you at no charge. UC ASSURE did not have anything to do with research, production or development of this article, and cannot be liable for its contents, but providing for soley educational purposes.
To see the full PDF version of this report: click here.