Rethinking Risk Management: Lessons Learned and a Need for a New Approach

SEPTEMBER 22 / Leslie Tamagi

 

 

We are living in unprecedented, challenging times. We hear it over and over again, and perhaps even fall into a state of inaction in response to the overwhelming sensations that statement evokes. However, the COVID-19 pandemic and its impact on our organizations and our communities is not the first crisis that we have experienced; and unfortunately, it won’t be our last. Yes, it has materialized into something bigger than most of us imagined. But should we have seen it coming? Could we have been better prepared?

The reality is our world is changing. We are facing more complex and potentially more devastating events and they are coming at us faster and more frequently than ever before. While nonprofit-specific statistics are limited, a 2015 survey of Canadian organizations found that 80% of organizations indicated that they face increasing, more complex risk issues, and yet 35% or fewer organizations had formal risk management plans developed.1

In a recent Alberta nonprofit survey conducted by CCVO in June, only 40% indicated they had an emergency plan for health emergencies or natural disasters before COVID-19; 14% indicated they developed a plan due to COVID-19; and 46% are creating a plan or still do not have a plan in place. Every day we are presented with a rolling list of new risks and threats to consider. How does one prepare for something that comes without precedent?

As we shift from a period of immediate response to the most current crisis and into the next phase of adaptation and recovery, we all face questions of how to prepare our organizations for an uncertain future, and are left wondering what the next disruption will be. The time for paying attention to your organization’s risk management practices is now.  

Risk management, most simply put, is about preparing for uncertainties. I think we have somehow made risk management into this overwhelming, complicated process that we believe will consume excessive time and resources.  

Let’s step back. Let’s rethink risk management. What if we took a different approach? Can we reframe this conversation in a way that prepares us for whatever good or bad may come our way? Can we get rid of some of the old thinking about risk management that keeps the process from being truly worthwhile?  

With more than 25 years’ experience as CEO of diverse organizations, I understand firsthand the complex challenges facing staff and Boards in our sector. I am very grateful for the sabbatical provided to me through the Muttart Foundation’s Fellowship program where I had the opportunity to immerse myself in learning about risk management in the nonprofit sector. Over the last decade I have worked with numerous nonprofit organizations, providing training and supporting them through their risk management journeys. Along the way I have learned some valuable lessons that have me rethinking our approach to risk management, and I am sharing them below.

Lesson Learned #1: Nonprofits need to embrace risk  

We often hear that nonprofit organizations and their boards are risk-averse. I would argue that by their very existence nonprofit organizations have to take risks in order to achieve their mission and vision, and are always embracing risk to some degree whether they recognize it or not. Most nonprofit organizations exist to meet a compelling need in the community, delivering important services, typically with scarce resources, and often serving vulnerable populations. No nonprofit can advance without taking some risks. While there may be a general tendency for nonprofits to be risk-averse as this is considered “safer,” nonprofits should assess whether they are taking the most appropriate risks in order to fulfill their mission and serve their clients.

According to David Renz, the dimension of risk is more complex, multidimensional, and dynamic for nonprofits because they exist for the purpose of social impact and must be attuned to the competing interests and expectations of different stakeholders. The environment in which nonprofits operate is increasingly complex, more litigious, more regulated, and rapidly changing; all of which further contribute to the need for risk management. Technology is presenting a quickly growing area of risk that has previously never been encountered at current levels, including issues of access, intelligent cyber-attacks, knowledge management, and knowledge security. 1

Risk management is a framework for identifying, assessing, planning for, and responding to risks related to finances, people, assets, and reputation. Moving well beyond insurance, it includes the culture, processes, and structures required to effectively manage potential opportunities and threats. Let’s embrace the concept of risk and change the story from risk-averse to risk-aware.

Lesson Learned #2: Risk management is more than checklists and policies  

While these tools can address certain types of risks (e.g. tracking that we remembered to submit all our CRA paperwork, or ensuring expectations are documented and communicated), they can also give us a false sense of security. In order to be truly effective, risk management must be an ongoing process that is embedded in the culture of our organizations. It’s about behaviour – and empowering people to think and act.

I joined an organization that boasted an impressive safety record to its stakeholders, only to find out that the numbers reflected a culture issue more than the facts; staff were being threatened with potential disciplinary action if they reported any negative issues. As we worked hard to change the attitude around accidents and encouraged staff to report so we could all learn together, the board was aghast at the sudden increase in incidents! Let’s never forget the fatal Challenger space shuttle that blew apart 73 seconds after launch, tragically killing all seven astronauts on board while millions watched. Engineers had warned management-level staff at NASA of the likely malfunction, and still they failed to act. One can imagine the number of checklists that were passed prior to the Challenger’s launch.    

Checklists and policies don’t always dictate behaviour and practice. Nor do they address generative or strategic risks related to purpose and mission and why we exist, which can lead to nonprofit organizations being slow to innovate and adapt to the changing needs of their clients and environment. There is no question that the pandemic has been very tough on the nonprofit sector, but fortunately there are many wonderful examples of organizations that have been agile and adjusted their service delivery methods, formed new partnerships, and served more clients. Those that had risk management practices embedded in their organizations could more easily adapt to remote work, communicate and strategize as the situation evolved day to day, and withstand fluctuations in anticipated revenue.

Lesson Learned #3:  We know our business best  

I have seen many examples of nonprofit organizations paying a consultant significant money, only to end up with a “one size fits all” risk management plan that was relevant for only a moment in time and quickly began collecting dust on a shelf. Such plans may be referenced from time to time but seem too daunting to update without another investment in external expertise. In actuality, risk management can be pretty simple. You and your staff know your work best; usually what it takes are the right tools and resources, and some time to think it through. Don’t do it alone! Risk management should never land on just one person’s desk. Risk management must be part of everyone’s role, so no one steps over the banana peel.

There is no doubt that it can all be a bit overwhelming. When I first started doing risk management, we developed an extensive list of all the things that could go wrong at the organization, covering everything from tornados to terrorist attacks and It. Was. Exhausting.  

A simpler approach is to think about the potential disruptive impacts to your agency, rather than all the potential causes. For example, how would you adjust to losing a significant portion of your workforce for a period of time? This could happen due to a pandemic, a natural disaster, an HR crisis, or a loss of funding. Or how would you adapt if you didn’t have access to your office suddenly and without warning? Again, this could be due to a fire, flood, or pandemic, but if we focus on the impact instead of the cause, it may help us reduce the number of scenarios we feel we need to prepare for and zero in on solutions. We don’t need to plan for every possible thing that could go wrong; we need to figure out what would impact our ability to achieve our mission and plan accordingly.

Lesson Learned #4: Investing time now will pay off in the future  

I willingly admit that I have done more than my share of “just in time” fixes, dealing with crises on the fly as they suddenly became the priority. How many of us were writing remote work policies in April or May, after staff had already been working from home for weeks?  

But if the pandemic has taught us anything (and I know it has!), we have learned how quickly a potential risk can become a reality that requires decision and action even before we fully understand its nature.

The consequences of not attending to risk may be catastrophic, as organizations may not have the resources to recover at a time when their stakeholders need them the most. Given that Alberta can boast seven out of the top ten most expensive natural disasters in Canada in recent history, it is not a matter of if but when we will be faced with disruptions.3  To be truly effective, risk management has to be an ongoing process, a continuous cycle of identify, prioritize, respond, and evaluate/improve. Unfortunately, we don’t get to cross it off our “to do” list as done. Risk management is a journey, taken one step at a time, not a destination.  

So, how do we prepare more effectively for our future? How do we build risk awareness at every level of our organization, and ensure we are resilient when the next crisis hits and potentially even prevent some from occurring?  

With funding from The Calgary Foundation, IntegralOrg will be supporting charities and nonprofits in the development of effective and sustainable risk management systems by creating a suite of tools, resources, and training programs. Our goal is to help organizations of all sizes understand and engage in risk management in an accessible, ongoing, and dynamic manner. We want organizations to start thinking critically and proactively about risk and will provide the resources and support you’ll need to integrate risk management into your decision-making and planning processes.   

Let’s learn from the past and make risk management a part of our culture, embedding it in our everyday work, so we can fulfill our missions and serve our clients in the best ways possible. Let’s start a conversation about the need to rethink risk management. We hope you will join in – follow us on social media, subscribe to our newsletter, and stay tuned for more information on upcoming training, resources, and tools.  

1. CGMA Report: Global State of Enterprise Risk Oversight, 2015.

2. From Risk Management to Risk Leadership: A Governance Conversation with David O. Renz, in Nonprofit Quarterly.

3. Seafirst Insurance Brokers: Top 5 Most Expensive Natural Disasters in Canada.

Leslie Tamagi has more than 25 years’ experience as CEO of diverse organizations and understands firsthand the complex challenges facing management, staff, and boards in the nonprofit sector. In 2007, she received a Muttart Foundation Fellowship to study risk management in the sector. For more than a decade she has worked with nonprofit organizations, providing training and supporting them through their risk management journeys. She is passionate about supporting leaders to be successful and currently consults in the nonprofit sector in many aspects of leadership, including risk management.