For a Not for Profit, a formal risk management process is very often a pre-requisite of government funding and may also be a requirement of the Board of Directors. In the busy Not for Profit world where time is scarce, all too often, risk registers are pulled together by a CEO or a Senior Manager in a hurry by gut feel.
The purely ‘Gut feel’ approach is riddled with issues. It can turn risk management into the opinion of one person and owned by no one else. The annals of risk management are littered with tales of organisations with risk registers and no one in the organisation including the senior management knowing what was in them. A 2013 survey of 290 Australian Not-for-Profit organisations identified that close to half the respondents were not aware of their risk management plans or did not have plans at all.
The Collins English Dictionary defines Gut feeling as an instinctive feeling, as opposed to an opinion based on fact. While Gut feel has its uses in quick decision making, it can tend to have results that are inconsistent because they are based on feelings not fact.
Another issue with this approach is that many risks eventuate and are identified by the troops at the coalface not just in the Boardrooms upstairs. Gut feel could result in a one-dimensional, top down view of risk that is only one part of the puzzle. Risk needs to be a whole of enterprise affair. The troops must have input in your organisation’s risk register.
These issues of enterprise wide ownership, risk management based on fact and input in the risk management process are not insurmountable. If you have been tasked with putting a Risk Management Plan in place or reviewing your current approach to risk management, give some thought to these 5 tenets that we have found pivotal to implementing a successful risk management strategy.
Keep it Simple
One of the ways to ensure enterprise wide ownership and input to the risk management process is to keep the process simple. While this sounds like a no-brainer, there are so many risk management approaches and methodologies that it is quite easy to get lost in the theory. If it doesn’t make sense to you there is a high likelihood it wont make sense to others either. Whether you are new to risk management or are an experienced practitioner, remember that your audience may not have your risk management experience, keep the process simple and keep your eye on the benefits, not just the science behind it.
Sponsorship
Any significant organisational initiative needs sponsorship from the top. Risk management is no different; it needs the commitment of the CEO, Board and Senior Management.
Structure
Gut feel and experience do have a valuable role in helping us identify and deal with the challenges of the future. The trick is to test your instinct against certain benchmarks or truths. In the case of risk management, the benchmark for gut feel is a documented risk management framework that is approved by the Board. The risk management framework consistently aligns gut feel with a dose of reality and the Board’s appetite for risk.
Strategy
Your risks need to be aligned to your strategy, as risk is the effect of uncertainty on strategic objectives. Risk identification and assessment start in your Strategic Planning process, threats identified in strategic planning should manifest as strategic risks in your risk register.
Stories
Stories work both to identify risks that the organisation faces as well as an effective training tool.
It is important for the Risk Manager to listen to the front lines, the risks the organisation faces are often within the stories they tell. For e.g. You may hear a coffee break anecdote about the absence of any quality incident reporting, when one of your primary funding bodies requires the reporting of all incidents rated High to them. This might expose a potentially serious contract compliance risk that can be managed and mitigated early before it becomes a serious issue.
Stories are also a great way to train staff in risk management; they engage staff and make risk management real to them.
In summary, for risk management to really add value to a business the tone should be set at the top and then it needs the involvement of staff from across the enterprise. Good risk management also needs a simple yet robust framework to benchmark gut feel and ensure that risks are measured using a consistent yardstick.