Risk management is a hot topic in the commercial sector, especially in light of the recent losses of some multi-national corporations. Some significant lessons can be learned from these incidents and can be applied towards improving risk management in not-for-profit organizations. This article defines risk as it relates to the not-for-profit community and discusses how a board of directors might assess and manage risk within their organization.

Defining Risk
The Canadian Institute of Chartered Accountants’ publication Learning About Risk: Choices, Connections, and Competencies defines risk as “the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance”. This definition is flexible enough to be useful in commercial and not-for-profit organizations alike.

The Board of Directors of a not-for-profit organization is responsible for establishing the objectives for the organization and then making sure that these objectives are met by management. Risk, then, is the possibility that an event or circumstance will cause an organization not to meet the objectives established by the Board of Directors.

The greater the probability that an event or circumstance will result in an organization’s objectives not being met, the greater the risk of the situation. Note that high risk does not relate to the magnitude of the consequence but rather to the probability that the event or circumstance will occur.

Risk suggests a negative or adverse consequence. The opposite of risk is opportunity. Opportunity is the possibility that an organization will benefit from an event or circumstance. Inability to identify and exploit opportunities would be considered a risk where that inability could prevent the organization from reaching its objectives.

The risks an organization must deal with can be internal or external. It is often easier for an organization to manage the internal risks. For example, an organization might identify as a risk the possibility of losing government funding. If poor internal policies such as inefficient program delivery or poor monitoring of results could result in the loss of funding then strengthening internal processes could mitigate this risk. However, an organization may be helpless when faced with a loss of government funding caused by a shift in political thought.

Managing Risk
For most not-for-profit organizations it is the Board’s responsibility to ensure that a framework is in place to manage risk. The four processes involved are:

    1. Identifying conditions that must exist for an organization to achieve its objectives
    2. Identifying factors that could interfere with these conditions
    3. Assessing the probability of these factors occurring (i.e. determining risk)
    4. Taking action by either accepting the risks (and perhaps putting in place systems for damage control should the adverse consequences occur) or reducing risk to an appropriate level.

A. Identification of Conditions Needed to Meet Objectives
The first step in the process of risk management is identifying the conditions that must exist for an organization to meet its objectives. We assume for purposes of this article that an organization has already clearly stated its objectives through a strategic planning or other similar process. The conditions that must exist in order for an organization to meet its objectives could include:

  • provision of a quality of service to clients consistent with standards established by the Board of Directors
  • provision of services that continue to be relevant to clients (i.e. adapting services to meet the changing needs of the organization’s clients)
  • continued access to sufficient funding to provide the necessary resources, financial, personnel and otherwise, to meet established objectives
  • management of resources including volunteers, cash, other financial assets and networking resources

B. Factors That Could Interfere With Meeting Objectives
Once your organization has determined the conditions that are critical to meeting its objectives, you need to determine the events or circumstances (“factors”) that could interfere with these conditions. Using the four conditions in the previous section, the following factors might be identified.

Factors that could result in failure to provide high quality services:

  • Inadequate financial resources, which could limit the organization’s ability to recruit sufficiently experienced and capable staff
  • Insufficient monitoring of the quality of service provided (e.g., failure to keep track of outcomes, measure complaints and/or undertake periodic internal evaluations.

Factors that could result in failure to offer services relevant to clients:

  • No system in place to regularly monitor clients’ needs
  • No system in place to regularly monitor the needs of principal or potential funders

Factors that could result in inadequate sources of funding:

  • Lack of attention to the political climate and how it might affect government funding and/or private donations
  • Inadequate management and/or volunteer skills with respect to grant writing
  • Insufficient attention to the organization’s image and reputation within its fundraising community

Factors that could result in the organization’s failure to manage resources:

  • Failure to set efficiency benchmarks (e.g., number of cases handled per caseworker, cost of meals per day per child) and to monitor actual results
  • Failure to set annual/monthly budgets and regularly follow-up with a comparison of actual to budgeted results
  • Failure to assess the degree of satisfaction experienced by volunteers as a result of their role in the organization
  • Ability to obtain resources external to the organization through networking (i.e., ability to get resources at a nominal cost).

C. Assessing the Probability that Adverse Factors Will Occur
So far you have identified your organization’s objectives, the conditions that must exist in order for your organization to achieve its objectives and the factors that could interfere with these conditions. The next step is to assess the likelihood that these factors will occur.

Take as an example the ability of an organization to receive sufficient funds where the majority of funding comes from government sources, which in turn is contingent on the organization’s ability to write grant proposals. If the organization relies on one key staff person with the ability to write grant proposals it would be critical to assess the likelihood of that person leaving. Similarly, if your organization is dependent on a single source for the majority of its funding (e.g. receiving money from the Ministry of Health for provision of a mental health program) then what is the likelihood that the political climate will change and your organization will be faced with cutbacks in funding?

Assign a risk factor of, for example, 0 to 10, to each of the critical factors that could interfere with achievement of an objective (0 representing the least likely factors and 10 the most likely factors). This will help you to determine which risks are most critical to your organization and will prepare you for the fourth step.

D. Taking Action to Mitigate Risks
At this point adverse factors that could prevent an organization from meeting its objectives have been identified and the likelihood that each of these events will occur has been estimated. It is now up to the Board of Directors to determine if it is able to live with the risks or if it must take action to decrease the likelihood of the factors occurring. The decision of whether or not to take action will depend on the cost associated with the action weighed against the likelihood of the adverse factor occurring coupled with the severity of the consequences.

For example, if one of the risks identified is that of an insecure political environment resulting in possible cancellation of an entire grant program, the organization needs to determine whether it wants to spend the resources required to influence the political environment or, instead, to try to diversify its funding sources. In all likelihood an organization would attempt to do the latter as the length of time required to affect a political solution to a funding problem is often too great and the outcome too uncertain.

As another example, if the consequences associated with failing to provide high quality service are considered critical, then the organization may want to develop benchmark performance measures against which quality of service can be compared. Reporting of results to management/the Board of Directors on a regular basis would hopefully flag whether the quality of service offered meets the established criteria or falls short. In this case the cost of developing benchmark performance measures must be weighed against the cost of losing clients and/or related funding from the poor quality of services.

Risk management by not-for-profit organizations is a part of continuing to be able to provide service to clients over the long term. Establishing a framework whereby your organization clearly:

  • articulates its objectives
  • identifies the conditions that must exist to achieve those objectives
  • identifies adverse factors that could prevent your organization from meeting its objectives
  • assesses the likelihood of these adverse factors occurring
  • takes action to either accept the risks or implement standards to mitigate the adverse consequences

will go a long way to enabling your organization to efficiently and effectively carry out its mandate.

Comments are closed.