Managing risk doesn’t mean eliminating it. Managing risk means maximizing the benefit achieved while minimizing the chance—and the cost—of disaster. Some risks are within the control of the organization, while others are not. In their Harvard Business Review article “Managing Risks: A New Framework,” Robert S. Kaplan and Anette Mikes provide three qualitative distinctions among the types of risk organizations face. Two of these categories, preventable risks and strategy risks, are internal to the organization and so are within the control of the leadership. The third category includes risks from external sources; leadership may not control the risks, but they can prepare for them. I encourage you to read the full article, but for now, consider the three kinds of risk nonprofit leaders face:
Preventable risks are both internal to the organization and undesirable. They may be illegal, immoral, or simply ill-conceived activities or circumstances. These are at the core of what Carver’s Policy Governance® model describes as the board’s responsibility to help the organization “achieve what it should while avoiding what is unacceptable.” The board creates Ends policies that define what the organization is to achieve, and Executive Limitations policies that define what the CEO may not do to achieve it. This rules-based approach works well for preventable risks.
Strategy risks are internal and are often desirable. These are risks that come with the activities a nonprofit undertakes in pursuit of its mission. These are the risks you take so that great things happen. They give you the chance to achieve far more for those you serve than you ever could otherwise. Kaplan and Mikes note that “strategy risks cannot be managed through a rules-based control model.” Managing strategy risks means 1) taking steps to reduce the likelihood that risks become reality, and 2) designing contingency plans to minimize the negative impact if they do. Both the identification of and planning for strategy risks require ongoing conversation among all quarters of the organization. An outside observer or consultant can often be helpful in avoiding the organizational bias and groupthink that may underestimate the likelihood or severity of risk events.
External risks are rarely either preventable or desirable. While their occurrence is beyond your nonprofit leadership’s control, they are not beyond your response. The timing of economic recessions, political and regulatory shifts, or natural disasters may be unpredictable, but you may still prepare for them. Kaplan and Mikes suggest using organizational stress testing, scenario planning, and “war games” to develop contingency plans for external risks.
In addition to the framework for categorizing risk, Kaplan and Mikes also provide a warning to leaders:
Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. . . Risk management is nonintuitive; it runs counter to many individual and organizational biases. Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.
10-Minute Board Discussion
What risks are we choosing to take in expectation of advancing our organization’s intended results?
Disclosure of Material Connection: I have not received any compensation for writing this post. I have no material connection to the brands, products, or services that I have mentioned. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”