mission Matters Understanding Risk in a Not-for-Profit Organization January 07, 2014 The five key steps to a risk management program. Businesses cannot operate free from risk and not-for-profit organizations are no different. Some risk is unavoidable and the key to success is to recognize risk and manage it effectively. Large businesses employ a risk management team whose job it is to identify and analyze risks throughout the organization and institute policies and procedures whose aim it is to minimize the potentially negative impacts associated with the identified risks. Managing risk in the not-for-profit organization starts at the board level with the recognition that operational risk exists and that it must be addressed thus, it is part of the board’s governance and responsibility. The primary goal is to create a well-informed, risk-aware culture throughout the organization. Next, the organization should define its tolerance for risk, knowing that zero risk is not achievable nor is it a worthy goal given the costs involved. The board should then take steps to assure that risk management techniques are consistently applied and that risk management is fully integrated into the decision making process. As with most business objectives, the tone at the top – executive management – is the starting point for creating a risk-averse, risk-conscious culture at the organization. Given the mission oriented objectives of the not-for-profit organization risk management should be incorporated into the mission statement to ensure that achieving the mission is not derailed by unforeseen issues. Central to this process is the Code of Conduct to which all employees and executives must subscribe. Performance evaluations should include risk management factors and top management must continually demonstrate the desired risk management behaviors to all employees. A tolerance for risk might at first appear contradictory to a risk management program. However, once one acknowledges that all risk cannot be avoided then a risk tolerance statement that is clearly articulated and communicated to all parties throughout the organization will appear to be as logical a policy as any other. Such a statement will help employees understand the specific risks that an organization is willing and not willing to take. The result should be an organization whose risk-taking is consistent with its risk-taking capacity. There are five steps to a risk management program:IdentificationAssessment TreatmentMonitoringReportingRisk identification is conducted organization-wide. It includes identifying the type of risk – operational, legal, reputational – and who (what department or person) is the owner of each identified risk. Risk assessment includes relating each risk to the key objectives of the organization. Analyze each risk from a qualitative and quantitative viewpoint and then consider multiple forward-looking scenarios of the potential outcomes. The most common treatment of identified risks includes the following responses:Avoidance – stop the activity or behavior; get out of that businessAcceptance – recognize the risk; monitor activities to quickly identify and minimize the impactMitigation – institute internal controls designed to minimize the riskTransference – purchase insurance or contractually move the risk to someone elseRegardless of how the risk has been treated, risk monitoring is an ongoing responsibility and ingredient of a risk management program. Obviously the risk monitoring program is dictated by the types of risks identified in the risk assessment process. Also, higher priority risks will be monitored more thoroughly and actively than lower priority risks. You should try to identify key risk indicators. These are critical to the early identification of conditions that could lead to the manifestation of risks. Once again, these risk indicators should be forward-looking, what activity today is potentially indicative of a risk becoming an issue in the future?Risk reporting should be part of the normal reporting to the board. Senior management should highlight key risks and propose recommendations in reaction to those risks. Reports of early key risk indicators should also be brought to the board’s attention as well as a process for the reporting of these up to senior management from the organization in general. Risk management must be integrated into the decision-making process. This starts with everyone who makes decisions realizing that they are risk managers. Risk management should be part of the documented decision process. Discussions about what could go wrong should be encouraged. If your organization is operating efficiently, it is involved in (some) risky behavior. Identifying this is not part of the financial audit process, but we can help your organization establish a risk management process and culture. Happy New Year! Resolve to Improve in 2014.