Special to Philanthropy Journal
"Well, it will never happen!" is an underlying rationale when nonprofits fail to engage in risk management practices.
When "it" does happen, leadership's first question often is "Can we (translated: ‘me') be sued?"
At this point their question is neither timely nor relevant. The relevant question is whether the party harmed can recover from the nonprofit. The answer often confirms the "ounce of prevention" principle. To prevent harm and to minimize its impact requires an effective risk management strategy.
Risk management may be described as "the identification, assessment, and prioritization of risks (defined ... as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities."
Risk is both inherent and necessary for a nonprofit striving to meet its mission. In their Harvard Business Review article Managing Risks: A New Framework, the authors identify three categories of risk to an organization - strategic, preventable, and environmental.
Applied to a nonprofit, strategic risk occurs when engaging in activities seeking to fulfill the nonprofit's mission. This may encompass a decision to engage in substantive program or fund raising initiatives. The underlying risks of these activities may be minimized or ignored because of enthusiasm for the project and its perceived gain. However, if unsuccessful, these risks emerge clearly to pose significant and public harm to the nonprofit's mission.
Even when the organization has quantified the risk, there may not the ability to insure against loss arising from a strategic risk failure.
Preventable risks arise through the organization's normal activities and operations. These risks serve no strategic purpose and generally are harmful when they occur, e.g. accidents, ignoring donor requirements, or employee embezzlement. They generally are foreseeable and, therefore, within the nonprofit's direct control to affect or prevent through management practices. Such practices should be a focus for ongoing review by the board.
Finally, environmental risks arise from external factors typically beyond a nonprofit's direct control, e.g natural disasters like tornadoes or floods or legislative changes. While a nonprofit may recognize their potential for harm, there is limited opportunity or ability to avoid their adverse impacts when they do occur. The challenge is to identify and limit their financial harm typically through purchasing insurance. Yet, a board may not review their insurance needs frequently to update for changes in their risk profile or may consider it too expensive to purchase.
Purchasing insurance is not the same as managing risk. It serves only as financial mitigation when harm occurs. However, financial loss may not be the only loss which occurs. Loss of key personnel, organizational reputation, and intellectual capital may result in significant, if not irreparable, harm for which insurance could never adequately compensate a nonprofit.
A board of directors has direct responsibility to establish, monitor, review, and upgrade their nonprofit's risk management practices. Yet, there are many well recognized reasons why they don't:
- ineffective board management oversight;
- conflict avoidance;
- confirmation bias;
- group think;
- overconfidence in their forecasts;
- inaccuracy when estimating risk;
- underestimating outcomes;
- ignoring early warning signs; and
- escalating commitments for a failing course of action.
To counteract these well-known social phenomena, a nonprofit's board and management should engage in active and intentional decision making processes to counteract them. These practices might include:
- application of mission and core values;
- annual reviews;
- using "what if" and scenario planning;
- creating and acting on early warning triggers;
- encouraging authentic dissent;
- use of an institutionalized "devil's advocate", and
- employment of outside expertise.
These practices can help a nonprofit's leadership to engage in systematic and rigorous identification, analysis and mitigation from the risk of harm.
Nonprofits can’t avoid risk. Instead, they must learn to manage their risk. Creating a culture which addresses risk appropriately without creating an unwarranted risk averse environment is a board responsibility. Thoughtful nonprofits will engage all who are affected -- board, management and staff, clients, volunteers and other stakeholders -- in effective risk management practices.
They act with a common goal to maximize their opportunities and minimize harm through effective prevention, early recognition and intervention, and timely mitigation through effective risk management practices.
Comment on this article
Marty Martin is a Raleigh attorney whose practice focuses on providing legal and training services related to nonprofit and tax-exempt organizations. His recent Philanthropy Journal webinar, "How to Start a Nonprofit: A Step-by-Step Guide," is available for download here.