The first time I encountered the concept of risk management was as the office manager for an international relief organization. They staffed over 100 people at their Canadian office, and thousands more internationally. My position reported to the director of operations, who was part of an 11-person executive team (each with their own large departments), who reported to the executive director, who of course reported to the board of directors, who themselves reported to the board of directors for the parent organization in the United States.
In short, I was but one very small cog within a much larger machine.
One day, at the end of one of our monthly check-ins on workload and priorities, my director asked me to add the creation of a risk management plan to my list. The organization’s board of directors had recently completed their plan, and now the executive director had tasked the executive team to complete plans for each of their respective departments. Since my role gave oversight to the three main aspects of our operations – reception, facilities, and warehouse/shipping & receiving – developing this plan for our department was to be a priority of mine for the coming year. My director promised me it would be something he would assist me with, but ultimately it was on me to move things forward.
So there it sat. Risk Management. Glaring at me on my to-do list.
I wasn’t entirely sure what a risk management plan should entail, much less how to start building one from a blank slate. I didn’t know who else in the organization had been assigned the same task in their respective departments, what process they would be using to structure their plans, or which risks and potential events they were prioritizing first. Quite honestly, I was more than a little lost in the dark.
Eventually, after weeding through some confusing exercises and long articles that came up in my searches online, I found some good resources that helped me document the critical functions and workflows for myself and my staff, and to create contingency plans for things I hadn’t considered before. My director and I had a few helpful conversations about certain risk exposures we needed to give more attention to, and I learned to incorporate planning for the “what-ifs” in my areas of responsibility.
This work was valuable, but I was building a risk management plan in a silo while my areas of work and responsibility were so interconnected with other departments. My days were filled working alongside the IT department and multiple supervising managers to make sure their staff had the right devices and data access and security to do their jobs, ensuring our facilities were safe, maintained and secure, enforcing policies for the safe and appropriate use of organizational assets, and facilitating good processes and communication across departments for critical functions of the organization. Though there would have been many points of connection and overlap between my planning and that of other managers, I was never able to explore synergies or blind spots to the risk analysis we were undertaking individually.
While risk management planning had been prioritized at multiple levels of our organization, the culture that guided the process was primarily focused on documentation; doing it so that we could say it was done, and reporting the “completion” of our plans back up the chain. Despite significant effort and resources expended, we never reached the point of a comprehensive risk management plan coordinated across departments, that could be collectively and collaboratively implemented when needed.
The next time I was tasked with building a risk management plan, I was working for a much smaller organization and had a partner-in-crime with business continuity and risk management experience. This time the process before me felt clearer and the scope was more manageable, but again it was a task to be completed by the two of us and unconnected from any collective efforts to identify, prioritize, and mitigate risks. We had to laugh as we went through the heat-map exercises, rating the likelihood of a flood versus a tornado versus a terrorist attack. It was fun to pretend we had a crystal ball, but at the end of the day, the practical and meaningful ways to increase the organization’s risk preparedness for any of those scenarios were similar, and our time could have been better spent. Not to mention that there were very real and pressing strategic risks facing the organization that weren’t being captured in our process at all; we simply didn’t see them from our vantage point as program managers. Our perspectives were confined to our own functions, and the plan we turned in reflected those limitations.
As part of the team developing IntegralOrg’s suite of Risk Management tools, resources and training programs that will be launched early 2021, these experiences keep sticking with me because I know I can’t be the only one who has experienced frustration with the process and I think it’s possible to move past the usual roadblocks that stifle the impact of our efforts. Our goal is to help organizations of all sizes to think critically and proactively about risk, without some of the traditional approaches that keep staff and boards in silos and prevent a truly accessible, ongoing and dynamic culture around risk management.
We would love to hear from you as we develop our suite of Risk Management supports for nonprofits and charities. If you would be interested in sharing your thoughts on risk management with us, please email me at email@example.com to contribute your insights and experience to our work.
Julia has almost a decade of experience with program and administration management, working in the nonprofit sector as a freelance consultant, as a staff member with international NGOs, capacity building and advocacy organizations, and community/human services organizations. She specializes in project management, program analysis and sustainability, governance, and policy and grant writing - and is a key member of IntegralOrg's Risk Management tool development team. This blog cpatures her experience as a mid-level manager tasked with developing Risk Management plans.