Tremendous challenges and opportunities exist for all organizations during these times, but in particular for non-profit organizations. While most organizations have response plans to address their most common risks, such as decreased cash flow, resignation of the CEO or the termination of a contract, many have not considered the “enterprise” risks that could seriously impact an organization’s survival or have a significant impact on the organization’s ability to achieve the goals and objectives necessary to fulfill their missions.
With the challenges already on the shoulders of non-profit leaders, why spend time now considering an ERM program? The goal is to identify, assess and respond to the organization’s most significant risks. Additionally, an ERM program will implement a continuous process that allows the organization to monitor its risks, including unlikely but high-impact risks. ERM also leads the organization to develop communication and response plans to become nimble and flexible to quickly respond to new and emerging risks. The implementation process includes education and development of a common foundation among the various departments of the organization to achieve these goals.
Throughout the ERM process, an organization creates consensus, sharing of ideas and new ways to address risks by viewing them through a new lens. This new lens allows the organization to see opportunities in the challenges it faces and identify risk management efforts that are working well and those which need change.
For example, consider a non-profit organization that faces a steep decrease in the number of key volunteers needed to fulfill its mission and objectives. Through analysis, it is determined that the organization has not reached out to a particular generation that gets involved in volunteering for reasons different than the non-profit’s typical volunteers. It is determined that this risk has a high probability and high impact due to the reality of retiring volunteers. Therefore, the non-profit is willing to allocate resources and efforts to address this gap in volunteers. The organization creates an action plan for a new advertising campaign to reach the generation in a manner different from its previous approach. The new risk response then draws a three-fold increase in volunteers from the generation it could not previously reach. Without looking at the risk through this new enterprise-wide lens, it may have taken many years for the organization to respond to the risk and identify the window of opportunity they saw clearly with an ERM viewpoint.
There are several ERM steps critical to understand and respond to a risk facing the entire organization:
1. Identification of the risk (i.e., not enough volunteers in the long-term to support the cause)
2. Assessment of the risk (i.e., determined this risk has a high probability of occurring and a high impact to the organization if it does)
3. Developing a new risk response plan and taking action through executive support, allocation of funds and establishing a risk owner (i.e., a revised advertising campaign to appeal to the specific generation that was not participating)
4. Monitoring (i.e., as the revised advertising campaign evolved, the response also drew more donations, new ways to develop services appealing to this generation, and brought in emerging leaders to support and sustain the mission, vision and goals of the organization. The organization would continue to expand their strategic objectives to include this initiative in their yearly objectives.)
In this case, the organization looked at the risk in a new way—through a new lens—across the enterprise. It determined the potential adverse impact of this risk to the entire organization for the long-term. The organization tapped into its best practices of structuring an advertising campaign for its mission, specifically designed to draw the attention of the generation it was trying to attract.
The ERM process consists of the following steps:
1. Establish the foundation
2. Identify the enterprise risks
3. Assess the risk to the entire organization
4. Develop a risk response plan for the desired change and/or outcome
5. Take action on the plan
6. Monitor the plan so it has the support and resources needed to link it to the strategic objectives for the organization’s success and growth
While this is a broad example of how ERM can identify high impact, high probability risks, it can also help to understand the high impact, low probability risks. This type of risk is what the general public is responding to with the present economic challenges. It seemed impossible that the economy could be negatively impacted so quickly, so dramatically and across so many industries. Many individuals were not prepared for the “perfect storm” of risks impacting their incomes, retirement plans and general security of their professions. By understanding and preparing for events such as these, better decisions can be made with more confidence and less risk to organizations.
As the participants from our enterprise risk management webinar mentioned, board members are looking at how new and emerging risks can be addressed to align with their organizations’ strategies. They discovered that ERM is a vehicle with a new lens to bring non-profits’ risks into focus.
