Organizational Risk Management

Last week, I examined essential inquiry around assessing Strategic Risk Management in a complex nonprofit. It’s equally important for senior leadership to assess and establish a protocol for managing day-to-day Organizational Risk Management. Successful organizational risk management requires its own set of analysis as described below.

1. Do we have an integrated, firm-wide, risk management process?

Effective risk management is achieved through comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers, and dynamic and integrated firm-wide processes.  As a pre-requisite to all of these issues, nonprofits must possess an analytical system capable of properly identifying, measuring, and aggregating all risks across the enterprise.

Equally importantly, an appropriate, “risk mindset” must be adopted throughout the organization. The goal should be that every employee feels they are a risk manager and are responsible to manage the risks that occur on their jobs every day. Once this mindset is in place, risk exposures and the risk analysis of key business initiatives must be routinely and intentionally discussed. Senior Management must also ensure that relevant risk measures are among the key metrics monitored by program managers on a daily basis. Finally, senior management must ensure that risk issues are handled proactively, and communications across program units are open and effective. Red flags to be watched and immediately addressed include 1) excuses that specific risks do not lend themselves to quantitative measurement, 2) that certain risks are the “nature of the business” and therefore should not be monitored or managed, and 3) phrases like “don’t worry,” “this is a low probability event,” or “local managers have it all under control,” need to be stricken from the organization’s vocabulary.  Instituting a rigorous firm-wide risk process also ensures that directors do not start questioning senior managers about risks that the corporation has undertaken only after it is too late.

 

2. Are professionals at all levels empowered and expected to manage risk?

 For the risk management of a large, complex nonprofit to be effective, it must be built not only into every part of the decision-making process, but also every into control mechanism throughout the organization. Common risk management language must be established throughout the organization, along with clearly delegated responsibilities for managing risk at all levels. Finally, leadership and risk management structures must be correctly aligned with the not-for-profit’s business model, and the right balance established between competing priorities and constituencies.

 

3. Do we have an appropriate risk management culture?

There are specific signs that we are on the right track, and that risk management has become part and parcel of a nonprofit’s DNA.  First, leadership must assume the ultimate responsibility for risk oversight responsibility, clear measures of success, using well-understood metrics for risk appetite, and risk limits.

Risk training and awareness programs must also be in place throughout an organization, with senior line managers and risk professionals responsible for formal postmortems of major mistakes. Senior management ensure that management incentives encourage responsible and value-added risk taking, and emphasize the importance of embedded risk management processes in the organization’s decision-making and communications.

With such a risk culture in place, silos will be broken down, open communication will be encouraged, and risk successes will be publicized and imitated. And when this happens, employees will make better decisions, keep their not-for-profit out of harm’s way, and reduce potential legal liabilities and reputational risks.

What is your protocol for both strategic and organizational risk? As always, I welcome your comments.

Balancing an organization’s immune system

I recently read an article in the Harvard Business Review by Michael Watkins, author of The First 90 Days, where he compares an organization to the human immune system. Watkins introduces the idea that an organization functions much like a human in that it has a “brain”—which translates to the senior leadership team, and an “immune system”—which translates to the “body” of the organization i.e. the staff, programs, and projects that carry out the functions of the brain. Like the brain, the senior leaders are responsible for looking at the big picture derived from the environment, input, trends, and experience and it then processes that information, looking for threats and opportunities, creating strategy and disseminating information to the rest of the “body.” The immune system is responsible for the organism’s overall health, and it is required to detect any possible threats early on and send essential messages to the brain to combat any damage that might occur to the overall system.

I like this metaphor. There is a fine line between protecting an organism—or an organization—from outside threats that could damage it. It is up to both the brain and the immune system—the leaders and the rest of the organization—to be on the lookout for possible threats. What types of threats might damage an organization and how do we mitigate these threats?

On the other hand, if an organization is too protective, it can build a wall so tight that nothing can penetrate and therefore, like an overactive immune system, it can turn on itself and cause real damage. How might we guard against a highly reactive system?

How do we stay agile and balance the need for change while not tipping the organization so far over that we lose who we are and where we are going?

The answer to these questions, I believe, lies in being clear and intentional about who we are and where we are going and in constantly assessing and being vigilant about risk management.

Being intentional means looking at an organization’s culture and the several factors that comprise it—including vision, values, practices, structure, systems, and narrative—what we say about ourselves. When we are clear about these parts of ourselves, then we are clear about what projects, programs, and people to take in and to take on. We are quick to recognize when something is not a fit with who we are. And, maybe more importantly, on the other hand, we need to be able to see when a new idea, program, project, or person will challenge us, help us grow, and expand our way of thinking.

The work of leaders and the rest of the organization is balancing the risk between protecting ourselves and staying open to new ideas, trends, people, and changes. This is a deliberate conversation I continue to have with my staff, and I welcome your thinking on it as well. When is protecting the organization too much protection? And how do we know when it is time to stay open to new ideas without risking damage to the organization?

I would love to know what you think about this topic!

To see the original article by Michael Watkins, go to:

https://hbr.org/2007/06/organizational-immunology-part-1

and

https://hbr.org/2007/06/organizational-immunology-part-2