writing a risk manual for a non-profit

2019.07.21

the challenge

A non-profit organization's board of directors is tasked with governing that organization's performance. This differs from management in that the board is in an oversight capacity meant to be focused on the long term and detached from the day-to-day. If management directs the activities that realize the organization's goals, it's the role of the board to evaluate the job that management is doing and to direct management when it seems that the organization's goals are either falling out of reach or are themselves not appropriate for the organization.

One of the mechanisms that's meant to assist with this oversight capacity is a formal risk management process. These have been popular for years, supposedly identifying and managing "risks" and listing in them in registers for pondering as discrete things in of themselves. This abstraction is meant to ensure that risks are quantified and therefor prioritized and ultimately managed in accordance with their priority.

One sees these stilted register-based mechanisms demanded by audit standards, espoused by governance models, and taken to great lengths with mathematical models.

The problems with these practices are many. To provide just a highlight:

• The use of risk registers treat risks as discrete items. These items have a limited set of listed causes, a limited set of listed outcomes, and a limited set of potential fixes attached. All three lists are typically maintained outside of normal business practices and priorities, though the fixes will all be assigned to owners who already have busy schedules. This sort of system prevents the organization from seeing risk as a total potential exposure to loss. It also reduces the likelihood that the organization will see the interaction between different components of the organization as a system.
• Someone winds up being a "risk manager", likely in addition to other duties. This person has to become a nag within the organization, dragging executives into tedious reviews of (non-)progress on "risk items" and justifying the whole thing with risk assessments that will be hotly contested by anyone asked to be subjected to oversight by a fellow executive or asked to take on additional duties in fixing the "risk manager's" list of problems.
• These practices are inflexible and non-responsive, lagging changes in the business, changes in the assignment of duties, and trailing emerging areas of increasing organizational risk. The complete unreadiness of organizations to respond to cyber-security is an excellent example of the latter. This happens because a committee of executives gathering on a quarterly basis is the wrong set of people, the wrong view on potential loss, and the wrong set of potential remedies.

the solution

While sitting on the board of directors for a non-profit, the governance committee decided that a formal risk management process was in order. Recognizing this opportunity to get risk on the agenda without adding unsupportable artificial structures such as risk registers, I volunteered to lead the design of the process. I wrote a manual on risk management that makes optimal use of common organization structures and avoids common risk management problems such as the creation of a risk register.

I started with the King IV Report on Corporate Governance from South Africa. This is a framework that uses appropriate language about identifying and qualifying risk in terms easy for everyone to comprehend. It explains the different types of "capital" that are at risk in an organization's operations, ranging from actual cash to "human capital".

From this I derived a statement or risk appetite that covered several key areas:

• Strategy/Policy/Performance
• Stakeholder and Public Perception
• Governance/Accountability/Organizational
• Legal/Contractual/Compliance
• Controllership/Accounting
• Program Workload/Utilization
• Service/Operational Risk
• Compensation Risk
• Skills/Talent Risk
• Information Technology

I then put the onus of identifying potential loss across these areas, including missed opportunity, on the committees that already existed within the organization. These are distinct managerial units that provide completeness of management coverage for the organization's activities, and are made up of senior staff as well as board members. The reason for this assignment duties was to ensure that the right people are doing the right work: they know what the potential losses are, and they know the potentially missed opportunities. They also know who they need to talk to across the organization to address the issues. And they already minute their discussions so areas of risk can be recorded appropriately and tracked inline with their already existing activities.

Providing an oversight to this ongoing process is an annual review of issues so recorded. This review is conducted by the board executive—the heads of the committees plus the board President.

The entire manual, including the two-page statement of risk appetite, is nine pages. I am now selling copies of this manual exclusively on werneburg.ca.