Risky business: How to effectively manage risk in your NFP

We are in control of all the risks, we know them all and we have strategies in place if they occur. There’s nothing we can’t handle. We have a risk minimisation/risk aversion position amongst our decision makers and the organisation has comprehensive policies and procedures in place that ensure we mitigate all risks. We have insurances in place as well as having developed and put in place an extensive number of control points to ensure very little can go wrong.

Sound familiar? Whilst all of the above makes it sound as though the organisation is in control, it can also be the organisation’s Achilles Heel…

Why overthinking risk can be dangerous

Over-specifying, over-compensating and over-thinking risks can lead to the polarised position of being overly controlled, leading to organisational paralysis.

All organisations that are seeking sustainability are also making a statement about their risk profile. To be sustainable there has to be a natural appetite for risk, otherwise the decision making process will be tortuously long and may never actually produce an effective decision.

Recognising effective risk management

Does your organisation have good governance practices and processes? Is there a recognition of the key risks affecting the board and/or the organisation? If these are well managed, then effective risk management is often in place.

However, risk is often not well understood. Some of the specific areas of risk that a not for profit should have in focus include:

  • Financial risk – loss of income, unauthorised expenditure, fraud, waste of resources
  • Operating risk – political/policy redirection, loss of reputation, loss of donor support, poor servicing, loss of tenders
  • Management risk – lack of strategic planning, poor management information systems, poor human resource management practices, marketing debacles and poor financial management

Strategies for controlling such risks include; terminating the activity, transferring the risk to another party, reducing the risk through relevant controls; or simply accepting the risk. An appetite for risk becomes apparent where the organisation is focused on reducing the risk or accepting the risk. To do either of these requires an understanding within the organisation of the possible levels of risk exposure, or the potential adverse impact from an event that the organisation is willing to accept/retain. Broadly, once an organisation’s risk threshold has been breached, risk management strategies, risk treatments and risk controls are implemented to bring the degree of exposure back to an acceptable level.

What is your appetite for risk?

To define your organisation’s risk appetite and determine the acceptable level of risk, consider:

  • How and where does the organisation allocate its limited time and resources to minimise risk exposures? Why?
  • Based on an understanding of risk exposure, what is the level of risk exposure that causes immediate action? Why?
  • What level of risk requires a formal risk management strategy to mitigate the potential impacts? Why?
  • What events have occurred in the past, and how were they managed? Why?

It is important that organisations understand their risks, and as a result develop an appropriate risk management strategy, but it is just as important not to be paralysed by risk aversion. You can’t grow without taking some risks.

Are you looking to explore your organisation’s appetite for risk, or to seek more effective risk management strategies? Get in touch with our team via:

Email: consulting@cbb.com.au
Phone: 1300 284 364

Subscribe to receive the latest Foreword articles delivered to your inbox on the first Thursday of each month.