Managing risk doesn’t mean eliminating it. Managing risk means optimizing the benefits achieved while minimizing the chance—and the cost—of disaster.
In their Harvard Business Review article Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes provide three distinctions among the types of risk organizations face. Two of these categories are internal to the organization and generally within the control of the leadership. The third category includes risks from external sources; leadership may not control the risks, but they can prepare for them. I encourage you (and your audit committee) to read the full article, but for now, consider the three kinds of risk that attack your nonprofit:
Preventable risks are both internal to the organization and undesirable. They may be illegal, immoral, or simply ill-conceived activities or circumstances. These are at the core of what Carver’s Policy Governance® model describes as the board’s responsibility to help the organization “achieve what it should while avoiding what is unacceptable.” The board creates Ends policies that define what the organization is to achieve, and Executive Limitations policies that define what the CEO may not do to achieve it. This rules-based approach works well for preventable risks.
External risks are rarely either preventable or desirable. While their occurrence is beyond your control, they are not beyond your response or preparation. The timing of economic recessions, political and regulatory shifts, or natural disasters may be unpredictable, but you may still prepare for them. Kaplan and Mikes suggest using organizational stress testing, scenario planning, and “war games” to develop contingency plans for external risks.
Strategy risks may be the most interesting of the group. These risk factors are internal and are often desirable. These are risks that go hand-in-hand with the activities your nonprofit undertakes in pursuit of its mission. These are the risks you take so that great things happen. They give you the chance to achieve far more for those you serve than you ever could otherwise. The only way to eliminate these risks is to eliminate the source — although that may be something that is key to advancing your mission. Kaplan and Mikes note that “strategy risks cannot be managed through a rules-based control model.” Managing strategy risks means 1) understanding what levels of the risk are acceptable, and 2) designing communication and contingency plans to minimize the likelihood of occurrence at unacceptable levels. Both the identification of and planning for strategy risks require ongoing conversation among all quarters of the organization.
A Warning on Managing Risk
In addition to this three-part framework for categorizing risk, Kaplan and Mikes also provide a warning to leaders:
Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. . . Risk management is nonintuitive; it runs counter to many individual and organizational biases. Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.
10-Minute Board Discussion
What risks are we choosing to take that will advance our organization’s intended results?
Disclosure of Material Connection: I have not received any compensation for writing this post. I have no material connection to the brands, products, or services that I have mentioned. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”