Why perform risk management?
Risk management is the conscious awareness of all the risks involved in the organisation, the strategic advantage of these risks and the ease with which these risks can be managed. Though risk is inherent within all business opportunities, many leaders prefer to be risk averse. This can lead to missed opportunities.
To identify risk the conscious leader must not have a fixed point of view of what constitutes risk but rather involve others who have different points of view about the organisation, and therefore different points of view about risk.
Being the question
‘Being the question’ means using questions to bypass the limited answers that your mind provides. A question creates the possibilities of things and allows you to see beyond conventional concepts. This is particularly important in risk management as it is tempting to just minimise a risk without looking at all the strategic opportunities and innovations that are possible once the risk has been identified.
If your questions are infinite – not looking for one right answer, but rather many possibilities – you set the stage for previously unthinkable leaps of awareness; the infinite creative possibilities of the unknown. This is what we term strategic opportunity.
Key risk questions to ask:
Have an open mind as to what constitutes risk. Involve others who have different points of view about the organisation, including staff and those with an external perspective.
Be sure to identify risks that are associated with your asset register, profit and loss statement line items, strategic and business plan, and health and safety reports.
Send stakeholders a Risk Identification Survey or conduct a short telephone interview or focus group. Don’t be surprised if your stakeholders rate some of these risks as ‘high’ – from
their point of view they are high. This is why a Board-approved set of definitions of risk levels are important.
Define, analyse, rank
Agree on the definitions of risk. Each risk should be analysed and scored according to its potential to occur, for its impact on the organisation if it does occur, and the quality of the controls that exist to mitigate that risk.
You will then be able to easily identify the risks that will have the greatest impact on the ability of your not-for-profit (NFP) to deliver against your strategic objectives, i.e. the risks with the highest scores.
Create a Risk Library to systemise these risks. This is easily done by entering each risk and its rating into a spreadsheet.
Risk ‘treatment’ plan
Each key risk needs to have a ‘treatment’ plan. Most treatment plans miss the point of risk management by focusing on reducing the risk rather than on deriving the strategic advantage that comes from understanding and managing that risk.
A treatment plan should be developed for each of the identified risks and should follow the principles of good project management – what, who, when and success measures.
Your risk management plan will create true value for your NFP if you also include a section for each risk that explores its ‘strategic advantage’. The question to ask here is ‘How can we turn this risk and our treatment of it into strategic advantage?’
Continual monitoring and strategic advantage
The Board’s role in risk management:
Following these simple steps ensures that risk is an ongoing strategic process, not a compliance issue.
How to create a risk management plan that actually works:
1. Identify risks
2. Rank risks
3. Analyse existing controls
4. Develop a new ‘treatment’ plan
5. Continuously monitor variables that could affect your organisation
6. Extract strategic advantage from the whole process.
7. Identify risks that will have the greatest impact on the ability of your NFP to deliver against your strategic objectives.