This post is one in a series written by leaders who are presenting sessions at the 2015 BoardSource Leadership Forum taking place on November 9 & 10 in New Orleans. We invite you to join us.
Should risk management for the nonprofit focus externally or internally? Although nonprofits often think of risk management as dealing with potential outside forces, the best risk management focuses first on what’s going on inside.
It’s understandable why many nonprofits believe risk management focuses mostly on what goes on outside the organization’s offices. Natural disasters loom, economic trends buffet, crooks and scam artists wile, hackers hack, donor and client demands press in. No doubt, effective risk management must account for outside threats and opportunities. The principal focus of effective risk management, however, is internal.
Why? Because internal threats predominate. Consider the following sobering facts:
- Waste. Experts like Carlos Venegas (in his book Flow in the Office) estimate that up to 95 percent of activities in the average office add no value to the ultimate customer. Nor is this phenomenon new: nearly 40 years ago, management expert Peter Drucker had reached the same conclusion.
- Disputes. Six out of ten employers have faced an employee lawsuit during the past five years; in other words, internal dispute spill outward to the courts.
- Fraud. Similarly, smaller organizations (including nonprofits) face a greater threat from internal frauds like embezzlement than larger firms.
Those examples are only the beginning. Even for the best nonprofits, most threats are within the organization itself.
That conclusion, however, is no cause for dismay. To the contrary, if problems are internal, solutions and opportunities for improvement are usually also within the organization’s control. Thus, effective risk management does not contend chiefly with Shakespeare’s “slings and arrows of outrageous fortune.” Instead, risk management develops processes that reduce waste, uncertainty, and unforced errors.
Build a Better Organization
When helping nonprofits create risk management programs, it is useful to draw upon continuous process improvement tools popularized by the “Lean Management” movement. Lean Management preaches that even the best organization generates substantial waste, which it systematically identifies and eliminates. Risk management practitioners agree. In fact, many of the basic principles of Lean Management inform effective risk management:
- Emphasize a culture of improvement. Lean Management advocates empowering team members to identify threats and opportunities, admit mistakes, and challenge established practices. Risk management similarly emphasizes a continuous cycle. Risk management is not a once and for all event. It is a process.
- Make processes visible, so that waste can be identified and addressed. Lean Management emphasizes that if you don’t know all the steps in a process, you can’t tell whether a change would be for the better. Risk management likewise emphasizes performing a risk inventory, to increase awareness of threats and opportunities across all functional areas of the nonprofit.
- Make it measurable. Lean Management preaches adopting metrics to measure the effectiveness of each process. Correspondingly, risk management emphasizes accountability: Key performance indicators and key risk indicators should be used to measure whether the nonprofit is performing within acceptable ranges.
- For each process, make it repeatable, scalable, and optimized. Lean practitioners maintain that if a process is performed differently each time, it’s not a “process” at all. Likewise, risk management emphasizes that clear processes and procedures permit frontline personnel to take ownership of issues without smothering supervision, freeing senior personnel for other efforts.
- Reduce complexity. Once core processes are identified, the Lean practitioner tries to reduce them to their essentials, so that team members can perform each process easily and effectively. In the same way, risk management suggests simplification to reduce errors and waste.
- Make changes incrementally. Lean Management has a bias in favor of action. Rather than trying to change an entire process at once, Lean practitioners prefer small actionable steps that can be tested along the way. Risk management similarly emphasizes a cycle: Identify threats and opportunities, take steps to deal with them, assess the results, then repeat that process.
- Focus on problem solving. Under Lean Management, problems are not ignored, but rather welcomed as opportunities for change and improvement. In the same manner, risk management emphasizes awareness and activity, and seeks to develop learning organizations in which people have the humility to identify and address personal and organizational challenges.
In short, the best risk management programs start first with what’s inside — what’s within a nonprofit’s control. By emphasizing and focusing internal threats and opportunities, an effective risk management program can help leadership create a more nimble, resilient organization. Armed with that resilience, the nonprofit is better prepared to thrive in an unpredictable business context, maximize stakeholder value, and ensure delivery of essential services and programs for years to come.