A risk-aware culture at a nonprofit is one that supports the ongoing discovery and understanding of threats to the organization’s mission, strategic goal, and valuable assets. For this culture to take hold, risk management activities must be considered worthwhile by the organization’s board of directors, the staff team, and the volunteers who support front-line service delivery.Designating a champion for the effort is a proven way to begin the process of getting everyone on board with the purpose, goals and activities of a risk management program and also sustaining the effort over time.
Yet, hiring a full-time risk manager who champions and coordinates risk management is often out of the reach for small to mid- sized nonprofits and might even be out of reach for larger organizations. And even when the position of risk manager has been created, the perspectives and support of stakeholders outside the risk management function are essential for a true organization-wide risk management program to take root and thrive.
For most organizations, the most economical, efficient and effective way to instill a risk-aware culture is to form and support a risk management committee.
A risk management committee is therefore a key component of a risk management program. The designation of a committee to “tackle” risk matters is a sound way to turn a commitment to improve risk management into a viable, sustainable action plan, given the broad, fiduciary responsibilities of a nonprofit board.
A risk management committee is the group of leaders who champion the risk management effort, encourage the involvement of others, and ensure the monitoring of critical risks and strategies for managing risk. Like any exercise in delegation, however, the formation of a committee is only a first step. Being aware of some of the potential stumbling blocks in the committee’s direct path increases the odds of success. Common challenges that impede risk management committees’ progress include:
- Lack of clarity about the committee’s authority, primary tasks and relationship to other committees and the board as a whole;
- Uncertainty about whether to focus the committee’s attention on pressing operational risks or bigger picture, cross-silo “enterprise” risks; and,
- Unresolved questions about committee composition, including whether to involve non-board members, outside experts or other stakeholders.
While there is no single strategy or framework for a risk management committee that will suit every nonprofit’s culture, structure and needs, consider the following tips when forming or re-tooling a risk management committee.
Draft a Charter – A committee “charter” sets out the purpose, authority, function and responsibilities of the risk management committee. Unless the committee’s direction has already been cast in stone by board edict, the development of a draft charter is an ideal goal for the first committee meeting. Make certain the charter is approved by the board before the committee begins the hard work of identifying top risks and practical responses.
Be Inclusive – Resist the instinct to fill all committee slots with the “usual suspects” from the world of risk: lawyers, CPAs and insurance professionals. Tap stakeholders (internal and external) who have varying perspectives on the risks facing the organization, including staff directly involved in two or more core business units, senior managers and at least one independent member. The committee’s ranks should include representatives of the board. Ideally, the committee chair should be a board member who can represent and report on committee work at board meetings.
Keep the Board in the Loop – An active and effective risk management committee doesn’t eliminate the need for “risk oversight” by the board. The board retains ultimate responsibility for protecting the organization’s mission and assets. Board members should receive periodic reports from the risk management committee and schedule at least annual conversations regarding the top risk issues facing the nonprofit.
Strive to be Risk Aware Rather Than All Knowing – A common misstep made by newly formed risk management committees is to begin work by trying to identify “all of our risks.” Beginning with this arguably impossible task might lead some members to feel overwhelmed and wonder: how can we possibly come up with practical risk management approaches in response to each of these issues? A better approach is to begin by discussing the environment or “context” and note factors that are shaping, influencing and changing the nature of risk in the nonprofit’s world. Ask: what changes or developments heighten or relieve the risks we face?
Define Categories of Risk in a Way that Suits the Nonprofit – Many risk management committees struggle trying to group or categorize risks into easy-to-label “buckets.” Four or five categories of risk might feel a bit more manageable than a list of 89 pressing issues. Yet trying to force fit risk issues into ill-fitting categories suited to a for-profit can be a time-consuming task that offers little benefit.
A better approach is to group-identify risk issues into categories that are uniquely suited to mission, programming and strategic priorities. Risk management committees are a potentially useful, if not invaluable component of a risk management program. By being aware of common challenges and considering the tips suggested above, you will help your committee get off to a great start or enable it to refocus on the truly critical risk issues facing your organization. E
Melanie Lockwood Herman is executive director of the Nonprofit Risk Management Center in Leesburg, Va. She welcomes your questions, comments and feedback about the subject of this article at Melanie@nonprofitrisk.org