writing a risk manual for a non-profit

the challenge

A non-profit organization's board of directors is tasked with governing that organization's performance. This differs from management in that the board is in an oversight capacity meant to be focused on the long term and detached from the day-to-day. If management directs the activities that realize the organization's goals, it's the role of the board to evaluate the job that management is doing and to direct management when it seems that the organization's goals are either falling out of reach or are themselves not appropriate for the organization.

One of the mechanisms that's meant to assist with this oversight capacity is a formal risk management process. These have been popular for years, supposedly identifying and managing "risks" and listing them in registers for pondering as discrete things in and of themselves. This abstraction is meant to ensure that risks are quantified and therefore prioritized and ultimately managed in accordance with their priority.

One sees these stilted register-based mechanisms demanded by audit standards, espoused by governance models, and taken to great lengths with mathematical models.

The problems with these practices are many. To provide just a highlight:

the solution

While I was sitting on the board of directors for a non-profit, the governance committee decided that a formal risk management process was in order. Recognizing this opportunity to get risk on the agenda without adding unsupportable artificial structures such as risk registers, I volunteered to lead the design of the process. I wrote a manual on risk management that makes optimal use of common organization structures and avoids common risk management problems such as the creation of a risk register.

I started with the King IV Report on Corporate Governance from South Africa. This is a framework that uses appropriate language about identifying and qualifying risk in terms easy for everyone to comprehend. It explains the different types of "capital" that are at risk in an organization's operations, ranging from actual cash to "human capital".

From this I derived a statement of risk appetite that covered several key areas:

I then put the onus of identifying potential loss across these areas, including missed opportunity, on the committees that already existed within the organization. These are distinct managerial units that provide completeness of management coverage for the organization's activities, and are made up of senior staff as well as board members. The reason for this assignment of duties was to ensure that the right people are doing the right work: they know what the potential losses are, and they know the potentially missed opportunities. They also know who they need to talk to across the organization to address the issues. And they already minute their discussions so areas of risk can be recorded appropriately and tracked in line with their already existing activities.

Providing an oversight to this ongoing process is an annual review of issues so recorded. This review is conducted by the board executive—the heads of the committees plus the board President.

The entire manual, including the two-page statement of risk appetite, is nine pages. I am now selling copies of this manual exclusively on werneburg.ca.