As written for Imagine Canada at http://www.imaginecanada.ca/blog/%E2%80%8Ble-ca-et-la-gestion-des-risques-en-3-%C3%A9tapes
Risk management is a topic that causes confusion and concern for some nonprofit board members. Some don’t understand what it means, others are afraid of legal liability and others have seen it become unwieldy.
All board members have a fiduciary duty and a duty of care regardless of the legislation the nonprofit is incorporated under. Directors of charities can personally face legal action for breach of their fiduciary duty or breach of trust in failing to adequately protect the assets of a charity from risk. Imagine Canada’s Standards Program includes risk management in standard A7 to reflect the importance of board oversight in risk management. In exploring the level of detail boards should be looking at and what should be monitored at the board level, it is important to keep in mind that risk management is not a one-time exercise. It is an ongoing process involving three key steps: (1) identify, (2) mitigate and (3) monitor.
1. Identify
Identifying the risks and creating the risk management system is best left to management but it is ultimately the board’s responsibility to ensure it is happening. There are lots of types of risks to consider: harm (to staff, volunteers and clients), reputational, financial, regulatory, governance, operational, strategic, external, technology, natural or man-made disasters, etc. Depending on the type of work the nonprofit is engaged in there will likely be industry or sector specific risks as well.
For boards that have no risk management plan in place at all there is no need to reinvent the wheel. There are many free and low cost risk management tools available, as well as the option to purchase an inexpensive tool developed specifically for nonprofits. The initial plan can be time consuming to develop. The board can assist management by setting up a task force, assigning a committee’s time or recruit experienced volunteers to help.
Risk registers can be intimidating to start. Arguments may ensue about what risks are high, medium or low but those are good discussions to have because they help define the risk appetite of the organization. Assigning dollar values and objective considerations to the definitions of high, medium and low risk can simplify the discussion. The board’s role is to oversee the process and critically analyze management’s assessment of the risks and mitigating actions.
The risk management plan does not need to be perfect the first time through. It is better to have something than nothing at all. Once risk management becomes part of the culture it will be easier to maintain and manage. For example, few would argue today that screening volunteers working with children is essential but it was not that long ago that it was seen as a cumbersome and awkward process.
2. Mitigate
Mitigating risks is the process of determining whether they can be eliminated, avoided or managed thereby reducing their potential harm to the organization. If avoidance is not an option then the board needs to ensure that training, policies, procedures and/or insurance are in place to reduce the likelihood and potential harm. The board could also decide to transfer the risk to another organization by outsourcing certain functions. One example of transferring risk would be hiring a reputable bus company to drive a group of campers instead of organizing a convoy of volunteer vehicles.
It is important to understand that there will always be some level of risk in an organization. To try and remove all risk is futile and will cripple the organization. The key is to identify the risks and minimize the amount of harm they can cause.
Insurance is an important element and one of the more essential mitigation tools. To ensure proper oversight, boards or a board committee can invite their insurance broker in annually or bi-annually to give an assessment of the organization’s coverage. Brokers see the entire industry and likely have clients in similar fields so they can provide professional guidance on the risk exposure and the type of coverage that is appropriate.
To create a progressive risk management culture, keep the mitigation message positive. It is being done to protect individuals and the organization. There are lots of creative ways to make something that could appear restrictive or cumbersome into something positive and user-friendly.
3. Monitor
To properly monitor risks, the board needs to build it in to the CEO job description, include it in the board policy manual and the board’s annual work plan, have a written crisis management plan and ensure there are adequate financial resources for risk management and training.
Whether the board chooses to monitor risk at its meetings using a spreadsheet, heat map or risk management matrix, is not as important as ensuring that it is on the agenda at regular intervals and that the board is paying close attention to the high risks. The goal with high risks is to reduce them to medium or ensure they are being managed and monitored well. For liability purposes, the board will want to ensure that it is documented in the minutes that the risk management plan was reviewed and that any concerns or action items the board discussed are noted.
Risk management is a board responsibility that does not need to cause confusion or concern. With proactive oversight and direction it can become part of the board and organization’s culture, ensuring the mission and vision of the organization can be fulfilled in a caring and safe environment.